Icarus Hackers Claim Klue OAuth Breach Exposing Salesforce Data
Market intelligence platform Klue has confirmed a security incident in which attackers exploited a compromised legacy credential to steal OAuth tokens, gaining access to multiple customer Salesforce environments. CEO Jason Smith disclosed on June 12 that the unauthorized activity targeted a portion of Klue's integration infrastructure, specifically affecting tokens used to connect Klue with third-party platforms. The attackers leveraged these stolen tokens to query customer CRM data, though Klue states there is no evidence that content stored directly within the Klue platform was compromised. Klue has since revoked all affected credentials and tokens, removed unauthorized code, disabled impacted integrations, engaged CrowdStrike for incident response, and notified law enforcement.
Cybersecurity firms Huntress and ReliaQuest provided technical analysis of the attack chain. ReliaQuest observed attackers generating OAuth tokens and using Python scripts to systematically query Salesforce's API over extended periods, exfiltrating business contacts, sales communications, pricing information, and other records. Huntress later confirmed its own Salesforce environment was among those affected by the breach. As the victim list grows, organizations concerned about credential exposure can evaluate compromised passwords with our password checker and identify potential data exposures using our email breach checker.
The newly emerged "Icarus" extortion group has publicly claimed responsibility for the attack on its data leak site, stating that "a number of other companies' Salesforce instances, which were partners to Klue, were exfiltrated." The threat actors are pressuring Klue and affected organizations to contact them via the Session messaging platform to prevent publication of the stolen data. Security teams are advised to rotate any OAuth tokens issued through Klue integrations, audit third-party app permissions, and review API logs for anomalous activity. To help defend against similar API abuse campaigns, IT teams can run a port scanner to identify exposed services, and separately monitor for unexpected outbound connections that could indicate data exfiltration in progress.
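The "review API logs for anomalous activity" step is the one most teams find hard to operationalize, because a stolen integration token looks like the legitimate integration to the CRM. The pattern ReliaQuest described, a single OAuth client systematically pulling records over an extended period, is detectable by aggregating per connected app rather than per request. The script below is an added example, not code from Klue, Huntress, ReliaQuest or Salesforce; it works on a constructed JSON-lines log whose field names (`ts`, `app`, `user`, `object`, `rows`) are an assumption for illustration, so a real deployment would map them from the API event source actually in use. It flags any app whose queries span many hours, return a large total row count and touch several object types, which is how a bulk walk of a CRM differs from a narrow scheduled sync.

```python
"""Flag sustained bulk reads through a single OAuth connected app.

Added example, not code from Klue, Huntress, ReliaQuest or Salesforce.
The log schema is constructed for this example: one JSON object per
line with ts / app / user / object / rows. Real CRM API event logs use
different field names and would need a small mapping layer.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log. "nightly-sync" does a short, narrow pull;
# "vendor-integration" keeps paging through several objects for hours,
# the shape of a token being used to exfiltrate a CRM.
SAMPLE_LOG = """\
{"ts": "2025-06-10T08:00:00Z", "app": "nightly-sync", "user": "svc-sync", "object": "Account", "rows": 200}
{"ts": "2025-06-10T08:01:00Z", "app": "nightly-sync", "user": "svc-sync", "object": "Account", "rows": 180}
{"ts": "2025-06-10T09:00:00Z", "app": "vendor-integration", "user": "svc-vendor", "object": "Contact", "rows": 2000}
{"ts": "2025-06-10T09:30:00Z", "app": "vendor-integration", "user": "svc-vendor", "object": "Contact", "rows": 2000}
{"ts": "2025-06-10T10:00:00Z", "app": "vendor-integration", "user": "svc-vendor", "object": "Opportunity", "rows": 2000}
{"ts": "2025-06-10T11:00:00Z", "app": "vendor-integration", "user": "svc-vendor", "object": "Opportunity", "rows": 2000}
{"ts": "2025-06-10T13:00:00Z", "app": "vendor-integration", "user": "svc-vendor", "object": "EmailMessage", "rows": 2000}
{"ts": "2025-06-10T15:00:00Z", "app": "vendor-integration", "user": "svc-vendor", "object": "Contact", "rows": 1500}
"""


def parse_events(text):
    """Parse JSON-lines API events; timestamps become naive UTC datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def summarize_by_app(events):
    """Aggregate query count, rows returned, objects, users and time span per app."""
    stats = {}
    for event in events:
        app = stats.setdefault(event["app"], {
            "queries": 0, "rows": 0, "objects": set(), "users": set(),
            "first": event["ts"], "last": event["ts"],
        })
        app["queries"] += 1
        app["rows"] += event["rows"]
        app["objects"].add(event["object"])
        app["users"].add(event["user"])
        app["first"] = min(app["first"], event["ts"])
        app["last"] = max(app["last"], event["ts"])
    return stats


def find_sustained_bulk_readers(events, min_hours=4, min_rows=5000, min_objects=2):
    """Return apps whose activity spans >= min_hours, returned >= min_rows in
    total and touched >= min_objects distinct object types. Thresholds are
    illustrative; tune them against a baseline of each integration's
    normal volume before alerting on them."""
    flagged = {}
    for name, app in summarize_by_app(events).items():
        span = app["last"] - app["first"]
        if (span >= timedelta(hours=min_hours)
                and app["rows"] >= min_rows
                and len(app["objects"]) >= min_objects):
            flagged[name] = {
                "hours": span.total_seconds() / 3600,
                "rows": app["rows"],
                "queries": app["queries"],
                "objects": sorted(app["objects"]),
            }
    return flagged


if __name__ == "__main__":
    for name, detail in find_sustained_bulk_readers(parse_events(SAMPLE_LOG)).items():
        print(f"REVIEW {name}: {detail['rows']} rows over {detail['hours']:.1f}h "
              f"across {', '.join(detail['objects'])}")
```

Aggregating by connected app (the OAuth client) rather than by user is deliberate: in this incident the tokens belonged to an integration, so the user column would show the same service identity the integration always uses. Feeding the flagged app names into the token-rotation and app-permission audit the article recommends closes the loop: a flagged app gets its tokens revoked and its granted scopes reviewed rather than just logged.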