Klue OAuth breach linked to ‘Icarus’ Salesforce data theft attacks

https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/

Publish Date: 2026-06-18 10:19:00

Source Domain: www.bleepingcomputer.com

Market intelligence platform Klue suffered an OAuth breach that enabled the “Icarus” threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.

Sources told BleepingComputer yesterday that numerous organizations had their Salesforce data stolen and were now being extorted by the relatively new extortion group.

Cybersecurity firms ReliaQuest and Huntress have both published reports confirming the security incident, with Huntress stating that its own Salesforce data was stolen in the attack.

Salesforce has since disabled the Klue Battlecards integration on its platform while the breach is investigated.

“To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident,” Salesforce warned yesterday.

“As a result, organizations will not be able to connect to Salesforce via this app until further notice.”

If you have any information regarding this incident or other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at [email protected].

Stolen OAuth credentials used to steal Salesforce data

ReliaQuest stated that attackers gained access to Klue Battlecards integration service accounts and used OAuth tokens associated with customer Salesforce instances to carry out data theft.

The researchers observed the threat actors generating OAuth tokens and then using automated Python scripts to query Salesforce’s REST API for nearly 24 hours.

The activity began with reconnaissance of an organization’s Salesforce instances through the ‘/services/data/v59.0/sobjects’ endpoint before exfiltrating data using the ‘/services/data/v59.0/query’ endpoint.

ReliaQuest said that for one of the organizations, the attackers slowly mapped out its Salesforce objects to identify valuable ones and then rapidly stole data…
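The reconnaissance-then-exfiltration sequence described above (object enumeration via ‘/sobjects’, followed by a burst of ‘/query’ calls through a connected app's OAuth token) is a pattern defenders can look for in API access logs. The following Python is an added example, not code from the article or from ReliaQuest, Huntress, Klue or Salesforce. The log line format, the connected-app names and the thresholds are constructed for the demo and are not Salesforce's EventLogFile schema; the parse step would need to be mapped onto the real ApiEvent fields before use.

```python
"""Flag OAuth connected apps that enumerate Salesforce objects and then
query in bulk, the sequence the article attributes to the Icarus intrusion.

CONSTRUCTED log format (not Salesforce's own):
    <iso-timestamp> app=<connected-app> <HTTP-method> <request-path>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
# /services/data/vNN.N/sobjects/<Object>[/describe...]  -> object reconnaissance
DESCRIBE_RE = re.compile(r"^/services/data/v\d+\.\d+/sobjects/(?P<obj>[A-Za-z0-9_]+)(?:/|$)")
# /services/data/vNN.N/query?q=...                      -> SOQL data retrieval
QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query(?:\?|/|$)")

# Demo thresholds (assumptions, tune against your own baseline).
RECON_MIN_OBJECTS = 3                  # distinct objects described
BURST_WINDOW = timedelta(minutes=10)   # sliding window for query counting
BURST_MIN_QUERIES = 50                 # queries inside one window

# Constructed sample log: one app describes four objects, then fires 60 queries
# in under five minutes; a second app only runs its usual two queries.
_RECON = [
    "2026-06-17T01:00:00Z app=klue-battlecards GET /services/data/v59.0/sobjects",
    "2026-06-17T01:00:05Z app=klue-battlecards GET /services/data/v59.0/sobjects/Account/describe",
    "2026-06-17T01:00:11Z app=klue-battlecards GET /services/data/v59.0/sobjects/Contact/describe",
    "2026-06-17T01:00:18Z app=klue-battlecards GET /services/data/v59.0/sobjects/Opportunity/describe",
    "2026-06-17T01:00:25Z app=klue-battlecards GET /services/data/v59.0/sobjects/Lead/describe",
]
_BURST = [
    f"2026-06-17T01:{1 + i // 12:02d}:{(i % 12) * 5:02d}Z app=klue-battlecards "
    f"GET /services/data/v59.0/query?q=SELECT+Id,Name+FROM+Account+LIMIT+2000"
    for i in range(60)
]
_BASELINE = [
    "2026-06-17T09:00:00Z app=marketing-sync GET /services/data/v59.0/query?q=SELECT+Id+FROM+Lead",
    "2026-06-17T09:30:00Z app=marketing-sync GET /services/data/v59.0/query?q=SELECT+Id+FROM+Lead",
]
SAMPLE_LOG = "\n".join(_RECON + _BURST + _BASELINE)


def parse_line(line):
    """Return (timestamp, app, method, path) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["app"], m["method"], m["path"]


def analyze(lines):
    """Per connected app: objects described, peak query rate, and a verdict."""
    per_app = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_app[rec[1]].append(rec)

    findings = {}
    for app, recs in per_app.items():
        recs.sort()
        objects = set()
        query_times = []
        for ts, _, _, path in recs:
            d = DESCRIBE_RE.match(path)
            if d:
                objects.add(d["obj"])
            elif QUERY_RE.match(path):
                query_times.append(ts)

        # Two-pointer sliding window: largest number of queries in BURST_WINDOW.
        peak, lo = 0, 0
        for hi, t in enumerate(query_times):
            while t - query_times[lo] > BURST_WINDOW:
                lo += 1
            peak = max(peak, hi - lo + 1)

        findings[app] = {
            "distinct_objects": len(objects),
            "peak_queries": peak,
            "suspicious": len(objects) >= RECON_MIN_OBJECTS and peak >= BURST_MIN_QUERIES,
        }
    return findings


if __name__ == "__main__":
    for app, f in analyze(SAMPLE_LOG.splitlines()).items():
        print(app, f)
```

Real investigations would also correlate this with OAuth token issuance events for the same connected app, since the article notes the attackers generated fresh tokens before querying; the endpoint pattern alone is the cheap first filter, and the thresholds here are deliberately conservative so that a normal integration's steady query cadence does not trip them.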