{"id":275791,"date":"2026-06-18T10:19:00","date_gmt":"2026-06-18T14:19:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/18\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/"},"modified":"2026-06-19T06:10:21","modified_gmt":"2026-06-19T10:10:21","slug":"klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/18\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/","title":{"rendered":"Klue OAuth breach linked to &#8216;Icarus&#8217; Salesforce data theft attacks"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/\">Klue OAuth breach linked to &#8216;Icarus&#8217; Salesforce data theft attacks<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/<\/a><\/p>\n<p>Publish Date: 2026-06-18 10:19:00<\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p>Market intelligence platform Klue suffered an OAuth breach that enabled the &#8220;Icarus&#8221; threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.<\/p>\n<p>Sources told BleepingComputer of the attack yesterday, telling us that numerous organizations had their Salesforce data stolen and were now being extorted by the relatively new extortion group.<\/p>\n<p>Cybersecurity firms ReliaQuest and Huntress have both published reports confirming the security incident, with Huntress stating that their Salesforce data was stolen in the attack.<\/p>\n<p>Salesforce has since disabled the Klue Battlecards integration on its platform while the breach is investigated.<\/p>\n<p>&#8220;To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident,&#8221; Salesforce warned yesterday.<\/p>\n<p>&#8220;As a result, organizations will not be able to connect to Salesforce via this app until further notice.&#8221;<\/p>\n<h2>Stolen OAuth credentials used to steal Salesforce data<\/h2>\n<p>ReliaQuest stated that attackers gained access to Klue Battlecards integration service accounts and used OAuth tokens associated with customer Salesforce instances to carry out data theft.<\/p>\n<p>The researchers observed the threat actors generating OAuth tokens and then using automated Python scripts to query Salesforce&#8217;s REST API for nearly 24 hours.<\/p>\n<p>The activity began with reconnaissance of an organization&#8217;s Salesforce instances through the &#8216;\/services\/data\/v59.0\/sobjects&#8217; endpoint before exfiltrating data using the &#8216;\/services\/data\/v59.0\/query&#8217; endpoint.<\/p>\n<p>ReliaQuest said that for one of the organizations, the attackers slowly mapped out their Salesforce objects to identify valuable objects and then rapidly stole data&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Klue OAuth breach linked to &#8216;Icarus&#8217; Salesforce data theft attacks 
https:\/\/www.bleepingcomputer.com\/news\/security\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/ Publish Date: 2026-06-18 10:19:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":275792,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2022\/09\/03\/data-theft.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-275791","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/275791"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=275791"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/275791\/revisions"}],"predecessor-version":[{"id":275793,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/275791\/revisions\/275793"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/275792"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=275791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=275791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=275791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}