Market intelligence platform Klue has confirmed a security breach involving its OAuth integrations, enabling the Icarus extortion group to steal Salesforce CRM data from multiple organizations. The incident, first reported on 17 June 2026, has prompted Salesforce to disable the Klue Battlecards integration as a precautionary measure while investigations are underway. Cybersecurity firms ReliaQuest and Huntress have both acknowledged their data was compromised in the attack, with Huntress confirming receipt of an extortion email from the threat actors.
What happened
The breach originated from a compromised backend system at Klue, where attackers exploited a dormant but still-active credential originally created for a prototype integration. According to Huntress, the threat actors pushed a malicious code update that harvested OAuth tokens used by Klue customers to integrate its Battlecards product with third-party platforms, including Salesforce. Once in possession of these tokens, the attackers used automated Python scripts to query Salesforce’s REST API for nearly 24 hours, exfiltrating data through endpoints such as /services/data/v59.0/sobjects and /services/data/v59.0/query.
ReliaQuest observed that the attackers initially conducted reconnaissance to map out Salesforce objects before rapidly extracting targeted data. In one case, nearly 1,000 queries were executed within a 15-minute window, suggesting a shift from stealth to speed. The stolen data includes business contacts, sales communications, price quotes, competitive intelligence reports, and account information. Huntress confirmed that no passwords, payment card details, or engineering systems were compromised.
- Attackers exploited a dormant Klue credential to push a malicious code update.
- Salesforce disabled the Klue Battlecards integration on 17 June 2026.
- Data exfiltration occurred via Salesforce’s REST API over ~24 hours.
- Stolen data includes CRM records but excludes passwords and payment details.
- Icarus extortion emails were sent using the alias "mr bean" and a Session Messenger ID.
Who is behind the attack
The campaign has been attributed to the Icarus extortion group, a relatively new threat actor that emerged in April 2026. BleepingComputer reported that Icarus has already begun sending extortion demands to affected Klue customers, with ransom notes including a Session Messenger ID for contact. The group’s data leak site features a post titled "Get Ready," hinting at further victim disclosures. While initial reports suggested possible links to the ShinyHunters group, BleepingComputer confirmed that Icarus is responsible for this campaign.
Huntress noted that the Session ID in later extortion emails matched the one listed on Icarus’s dark web leak site, reinforcing the attribution. At least one victim previously listed on the site has since been removed, potentially indicating ongoing negotiations.
Impact and response
Salesforce has temporarily disabled the Klue Battlecards integration to prevent further unauthorized access. In a statement, the company advised customers that the app would remain unavailable until the investigation concludes. Klue has also disabled integrations with HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack as part of its response.
Organizations using Klue integrations are advised to review logs for activity originating from the following IP addresses linked to the attack:
- 138.226.246.94
- 212.86.125.24
- 213.111.148.90
- 94.154.32.160
For professionals: Security teams should revoke and rotate OAuth tokens associated with Klue integrations, terminate active sessions, and audit Salesforce logs for unusual API activity. The incident underscores the risks of dormant credentials and third-party integrations in SaaS environments.
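An added example (not from the article, Klue, Salesforce, Huntress or ReliaQuest) of the log audit described above: it flags requests from the listed IP addresses and per-client bursts against the two REST paths named earlier. The CSV column names and sample rows are constructed assumptions; map them to whatever your API log export provides.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators taken from the article: source IPs and REST API paths.
SUSPECT_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
WATCHED_PATHS = ("/services/data/v59.0/sobjects", "/services/data/v59.0/query")
WINDOW = timedelta(minutes=15)

# Constructed sample export; column names are assumptions, not a Salesforce schema.
SAMPLE_CSV = """timestamp,client_ip,uri
2026-06-16T10:00:00,192.0.2.10,/services/data/v59.0/query
2026-06-16T10:01:00,138.226.246.94,/services/data/v59.0/sobjects
2026-06-16T10:02:00,138.226.246.94,/services/data/v59.0/query
2026-06-16T10:05:00,138.226.246.94,/services/data/v59.0/query
2026-06-16T10:09:00,138.226.246.94,/services/data/v59.0/query
2026-06-16T10:30:00,192.0.2.10,/services/data/v59.0/query
2026-06-16T11:30:00,192.0.2.10,/services/data/v59.0/query
2026-06-16T12:00:00,198.51.100.7,/services/data/v59.0/limits
"""

def load(text):
    """Parse the CSV export into (timestamp, client_ip, uri) tuples, oldest first."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["timestamp"]), r["client_ip"], r["uri"])
                  for r in rows)

def audit(events, burst_threshold=1000):
    """Return (requests from listed IPs, {client_ip: peak requests per 15 min}).

    The default threshold reflects the ~1,000 queries in 15 minutes reported in
    the article; tune it to your own integration baseline.
    """
    ip_hits, bursts = [], {}
    recent = defaultdict(deque)  # per-client sliding window of timestamps
    for ts, ip, uri in events:
        if ip in SUSPECT_IPS:
            ip_hits.append((ts, ip, uri))
        if not uri.startswith(WATCHED_PATHS):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop requests older than 15 minutes
            window.popleft()
        if len(window) >= burst_threshold:
            bursts[ip] = max(bursts.get(ip, 0), len(window))
    return ip_hits, bursts

if __name__ == "__main__":
    hits, peaks = audit(load(SAMPLE_CSV), burst_threshold=3)
    print(len(hits), "requests from listed IPs; bursts:", peaks)
```

An IP match alone is a lead, not proof; correlate hits with the OAuth token or connected app that made the request before revoking.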
What to watch
The Icarus group’s extortion campaign is ongoing, and further victim disclosures are likely. Organizations should monitor for updates from Klue and Salesforce regarding the restoration of integrations and any additional remediation steps. The incident also highlights the growing threat of OAuth-based attacks targeting SaaS platforms, which may prompt broader industry scrutiny of third-party app security.
Automated pipeline · Security
Synthesized from 1 industry feed on 18 Jun 2026. First draft failed editor review; a revised version was approved (score 85/100) before publication. Style guide v1.3.
