Klue OAuth breach victim list grows as Icarus hackers claim attack

https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/

Publish Date: 2026-06-19 18:31:00

Source Domain: www.bleepingcomputer.com

Market intelligence platform Klue has publicly confirmed a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers’ Salesforce environments, as the new “Icarus” extortion group publicly claims the attack.

The disclosure comes after cybersecurity firms Huntress and ReliaQuest detailed how attackers abused compromised Klue Battlecards integrations to steal Salesforce CRM data from multiple organizations.

In a statement published this week, Klue CEO Jason Smith confirmed that the company discovered unauthorized activity on June 12 affecting part of Klue’s integration infrastructure.

“On June 12, we identified unauthorized activity affecting a portion of Klue’s integration infrastructure. Since then, we’ve been working alongside trusted cybersecurity experts to understand what happened, support our customers, and restore the connections you rely on,” wrote Smith.

“Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.”

The company says there is currently no evidence that customer content stored directly within the Klue platform was impacted and that the incident was limited to third-party integrations.

Klue says it immediately revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, launched an investigation, and notified law enforcement. The company also confirmed it engaged CrowdStrike to assist with the response.

ReliaQuest and Huntress found that the attackers used stolen OAuth credentials associated with Klue integrations to access customer Salesforce environments and conduct large-scale data theft.

ReliaQuest observed attackers generating OAuth…
