Recent reports reveal that market intelligence platform Klue fell victim to an OAuth breach, allowing threat actors known as “Icarus” to pilfer Salesforce CRM data from multiple organizations as part of an ongoing extortion scheme.
Sources informed BleepingComputer of the attack, indicating that numerous organizations had their Salesforce data compromised and are now facing extortion demands from this relatively new group.
Cybersecurity firms ReliaQuest and Huntress have both released reports confirming the security incident, with Huntress acknowledging that their own Salesforce data was among the information stolen during the breach.
In response to the breach, Salesforce has taken action by disabling the Klue Battlecards integration on its platform pending further investigation.
“To protect our customers, Salesforce has temporarily disabled the connection between the Klue Battlecards app and Salesforce following a recent security incident,” Salesforce cautioned in a statement.
“As a precaution, organizations will not be able to link to Salesforce through this app until further notice.”
For any information related to this incident or other undisclosed attacks, feel free to reach out to us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.
Unauthorized OAuth Access Used for Data Theft
According to ReliaQuest, the attackers exploited Klue Battlecards integration service accounts to acquire OAuth tokens associated with customer Salesforce instances, facilitating the theft of data.
Research shows that the threat actors generated OAuth tokens and utilized automated Python scripts to access Salesforce’s REST API for nearly a full day.
The process commenced with reconnaissance of an organization’s Salesforce instances through the ‘/services/data/v59.0/sobjects’ endpoint before extracting data using the ‘/services/data/v59.0/query’ endpoint.
ReliaQuest noted that in one instance, the attackers meticulously mapped out the Salesforce objects to pinpoint valuable data and swiftly exfiltrated it once identified.
“The attacker then bombarded the same endpoint, sending close to a thousand queries in a 15-minute span in at least one environment,” explained ReliaQuest.
“While the initial phase involved a slow, inconspicuous data retrieval, the subsequent burst prioritized speed over stealth, indicating either time constraints or a shift to targeted information. In a separate case, data theft occurred over a span of 6 hours.”
Although the attack closely resembled previous data theft incidents involving third-party Salesforce integrations attributed to the ShinyHunters group, the specific threat actor behind this breach remains unidentified.
Contrary to initial speculation, ShinyHunters was not responsible for this breach; instead, a new threat actor named “Icarus” has emerged as the prime suspect, targeting Klue customers affected by the breach with extortion demands.
A ransom note shared with BleepingComputer revealed that the emails were sent under the alias “mr bean” and included a Session Messenger ID for communication.
[Image: Icarus extortion email. Source: BleepingComputer]
Further evidence of the extortion campaign was found on the threat actors’ data leak site, with a message titled “Get Ready” hinting at upcoming disclosures involving major corporations.
[Image: Message on the Icarus data leak site. Source: BleepingComputer]
Reports suggest that Icarus emerged in April 2026 and initially listed two victims on its data leak site, one of which is believed to be linked to the Klue incident. Negotiations may be ongoing as the company connected to the Klue breach has been removed from the leak site.
Recently, Huntress disclosed that they were also impacted by the Klue breach, receiving a similar extortion email to the one reported by BleepingComputer. Notably, the Session ID provided in subsequent emails matched the one listed on the Icarus data leak site, indicating Icarus’s involvement in the attack.
“In the initial email, the adversary suggests, ‘we advice you to write to us on Session’ (sic),” detailed Huntress.
“The Session Messenger ID they provided aligned with the values found on the dark web leak site associated with a new extortion group named ‘Icarus.’”
According to Huntress, Klue informed customers that the attackers initially breached their backend systems and deployed a malicious code update that pilfered OAuth tokens used for integrating the Battlecards product with third-party platforms.
The threat actors leveraged a dormant yet active credential created by Klue for a prototype integration to access Klue’s environment and steal customer OAuth tokens for direct querying of connected Salesforce environments.
Following the breach, Klue disabled integrations with various platforms, including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack as part of their response.
Regarding the stolen data, Huntress confirmed that it primarily consisted of CRM-related information such as business contacts, sales communications, price quotes, competitive intelligence reports, and account details.
Fortunately, there is no evidence to suggest that critical data like threat intelligence, customer telemetry, passwords, payment card details, or engineering systems were compromised during the breach.
Both ReliaQuest and Huntress shared IP addresses associated with the attacks, listed below for reference:
Organizations utilizing Klue integrations are urged to review logs from Salesforce and related SaaS platforms for any activity originating from these IP addresses, revoke and rotate OAuth tokens, terminate active sessions, and scrutinize Salesforce logs for any abnormal API activity.
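The enumerate-then-burst pattern ReliaQuest describes above (a sweep of the ‘sobjects’ endpoint followed by hundreds of ‘query’ calls in a 15-minute span) is something a security team can hunt for directly in API logs. The following is an added example, not code from the article, Klue or Salesforce: it uses a constructed, simplified log schema (timestamp,client_ip,app,uri rather than Salesforce’s real event-log format), an assumed burst threshold of 200 calls per window, and an optional set of known-bad IPs for the log review recommended above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # the 15-minute span ReliaQuest described
BURST_THRESHOLD = 200            # assumed tuning value; the attack hit ~1,000 in 15 min
SOBJECTS = "/services/data/v59.0/sobjects"
QUERY = "/services/data/v59.0/query"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(lines):
    """Parse 'timestamp,client_ip,app,uri' rows (constructed schema) into dicts sorted by time."""
    rows = []
    for line in lines:
        if line.strip():
            ts, ip, app, uri = line.strip().split(",", 3)
            rows.append({"ts": datetime.strptime(ts, FMT), "ip": ip, "app": app, "uri": uri})
    return sorted(rows, key=lambda r: r["ts"])

def find_suspicious(rows, bad_ips=frozenset()):
    """Map (app, ip) -> reasons for clients that enumerate sobjects AND burst /query calls, or use a bad IP."""
    findings = defaultdict(set)
    recent = defaultdict(deque)  # per-client timestamps of /query calls inside the sliding window
    for r in rows:
        key = (r["app"], r["ip"])
        if r["ip"] in bad_ips:
            findings[key].add("known-bad ip")
        if r["uri"].startswith(SOBJECTS):
            findings[key].add("sobjects enumeration")
        elif r["uri"].startswith(QUERY):
            q = recent[key]
            q.append(r["ts"])
            while r["ts"] - q[0] > WINDOW:   # drop calls older than the window
                q.popleft()
            if len(q) > BURST_THRESHOLD:
                findings[key].add("query burst")
    return {k: v for k, v in findings.items()
            if "known-bad ip" in v or {"sobjects enumeration", "query burst"} <= v}

def build_sample_log():
    """Constructed sample: one abusive integration client and one benign one."""
    base = datetime(2026, 4, 20, 2, 0, 0)
    row = lambda dt, ip, app, uri: f"{dt.strftime(FMT)},{ip},{app},{uri}"
    lines = [row(base, "203.0.113.10", "Klue Battlecards", SOBJECTS)]
    # slow, inconspicuous phase: one query every 5 minutes for an hour
    lines += [row(base + timedelta(minutes=10 + 5 * i), "203.0.113.10", "Klue Battlecards", QUERY) for i in range(12)]
    # burst phase: 300 queries in 10 minutes
    lines += [row(base + timedelta(hours=2, seconds=2 * i), "203.0.113.10", "Klue Battlecards", QUERY) for i in range(300)]
    # benign integration: 50 queries spread evenly over a day
    lines += [row(base + timedelta(minutes=30 * i), "198.51.100.7", "Sales Dashboard", QUERY) for i in range(50)]
    return lines
```

Any client the script flags should be cross-checked against the integration’s expected behaviour and have its OAuth token revoked and rotated if the activity cannot be explained.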