    Klue OAuth breach linked to ‘Icarus’ Salesforce data theft attacks

By admin, June 20, 2026

Market intelligence platform Klue suffered an OAuth breach that enabled the “Icarus” threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.

    Sources told BleepingComputer of the attack yesterday, telling us that numerous organizations had their Salesforce data stolen and were now being extorted by the relatively new extortion group.

    Cybersecurity firms ReliaQuest and Huntress have both published reports confirming the security incident, with Huntress stating that their Salesforce data was stolen in the attack.


    Salesforce has since disabled the Klue Battlecards integration on its platform while the breach is investigated.

    “To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident,” Salesforce warned yesterday.

    “As a result, organizations will not be able to connect to Salesforce via this app until further notice.”

    If you have any information regarding this incident or other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.

    Stolen OAuth credentials used to steal Salesforce data

    ReliaQuest stated that attackers gained access to Klue Battlecards integration service accounts and used OAuth tokens associated with customer Salesforce instances to carry out data theft.

    The researchers observed the threat actors generating OAuth tokens and then using automated Python scripts to query Salesforce’s REST API for nearly 24 hours.

The activity began with reconnaissance of an organization’s Salesforce instances through the ‘/services/data/v59.0/sobjects’ endpoint before exfiltrating data through the ‘/services/data/v59.0/query’ endpoint.

    ReliaQuest said that for one of the organizations, the attackers slowly mapped out their Salesforce objects to identify valuable objects and then rapidly stole data once they knew what they wanted.

    “The attacker then hit the same endpoint, sending almost a thousand queries in a 15-minute window in at least one environment,” explained ReliaQuest.

    “Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records. In another case, the exfiltration was observed over 6 hours.”

    The researchers said the activity closely resembled previous Salesforce third-party integration data theft attacks by the ShinyHunters extortion group, but were unable to attribute the attacks to the threat actor.

    However, BleepingComputer learned yesterday that ShinyHunters was not behind this attack, but rather a relatively new threat actor known as “Icarus” who had already begun emailing extortion demands to Klue customers impacted by the breach.

    A ransom note shared with BleepingComputer showed that the emails were sent using the alias “mr bean” and included a Session Messenger ID to contact them.

Icarus extortion email (Source: BleepingComputer)

    The threat actors’ data leak site also contains a message hinting at the extortion campaign in a simple post titled “Get Ready,” stating, “big corps getting listed. be ready.”

Message on the Icarus data leak site (Source: BleepingComputer)

    Icarus is believed to have launched in April 2026, and initially listed two victims on its leak site, with BleepingComputer learning that at least one of these victims is connected to the Klue campaign. That company has now been removed from the data leak site, which may indicate that negotiations are underway.

Today, Huntress disclosed that it was among the organizations impacted by the Klue breach, confirming that it had received an extortion email similar to the one seen by BleepingComputer. However, the Session ID used in later emails was different and was instead the one listed on the Icarus data leak site, providing additional evidence that Icarus was behind the attack.

    “In the initial email, the adversary suggests, ‘we advice you to write to us on Session’ (sic),” reported Huntress.

“The Session Messenger ID that they provided matched the same values included on the dark web leak site of a new extortion group dubbed ‘Icarus.’”

    According to Huntress, Klue told customers that attackers first compromised the company’s backend systems and then pushed a malicious code update that stole OAuth tokens customers use to integrate the Battlecards product with third-party platforms.

    The attackers reportedly used a dormant but still active credential created by Klue for a prototype integration. After gaining access to Klue’s environment, they stole customer OAuth tokens and used them to query connected Salesforce environments directly.

    Klue later disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while responding to the incident.

    Huntress said the stolen data includes CRM-related information, including business contacts, sales communications, price quotes, competitive intelligence reports, and account data.

    The cybersecurity company said there was no evidence that threat intelligence, customer telemetry, passwords, payment card information, or engineering systems were compromised.

Both ReliaQuest and Huntress shared IP addresses linked to the attacks, which are listed below:

138.226.246.94
212.86.125.24
213.111.148.90
94.154.32.160

    Organizations using Klue integrations are advised to review Salesforce and related SaaS logs for activity originating from these addresses, revoke and rotate OAuth tokens, terminate active sessions, and review Salesforce logs for unusual API activity.
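The two-stage pattern ReliaQuest describes (a slow walk of the ‘sobjects’ endpoint, then a burst of ‘query’ calls from the same token) and the IP review recommended above can both be checked with a small log-sweep script. The following is an added example written for this article, not code from ReliaQuest, Huntress, Klue or Salesforce. It assumes a hypothetical one-line-per-request log layout of “timestamp ip user uri” (real Salesforce Event Monitoring exports use their own CSV columns, so adapt parse_line() to what you collect), constructs its own sample log inline, and uses a burst threshold of 500 queries per 15 minutes, which is an assumption to be tuned against your own baseline rather than a published figure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators shared by ReliaQuest and Huntress, as listed in the article.
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

# The article describes almost a thousand /query calls in a 15-minute window;
# the threshold below is an assumption and should be tuned to your own baseline.
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500

SOBJECTS_RE = re.compile(r"^/services/data/v\d+\.\d+/sobjects")
QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query(\?|$)")


def make_sample_log():
    """Constructed sample log in a hypothetical 'timestamp ip user uri' layout.

    Real Salesforce Event Monitoring exports use other column names; adapt
    parse_line() to the format you actually collect.
    """
    t0 = datetime(2026, 6, 18, 2, 0, 0)
    lines = []
    # Benign analyst traffic: one query every 30 minutes from a corporate address.
    for i in range(20):
        ts = t0 + timedelta(minutes=30 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 alice@example.test "
                     "/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
    # Slow reconnaissance from an IOC address: object listing, then describes.
    for i, obj in enumerate(["", "/Account", "/Contact", "/Opportunity", "/Quote"]):
        ts = t0 + timedelta(minutes=35 * i)
        lines.append(f"{ts.isoformat()} 94.154.32.160 klue-integration@example.test "
                     f"/services/data/v59.0/sobjects{obj}")
    # Exfiltration burst: 600 queries in 10 minutes from the same address and user.
    tb = t0 + timedelta(hours=4)
    for i in range(600):
        ts = tb + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 94.154.32.160 klue-integration@example.test "
                     "/services/data/v59.0/query?q=SELECT+Id,Name,Email+FROM+Contact")
    lines.sort()  # ISO timestamps of equal width sort chronologically
    return lines


def parse_line(line):
    ts, ip, user, uri = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, user, uri


def analyze(lines):
    """Return findings: IOC address hits, first sobjects recon, and /query bursts."""
    findings = []
    recent_queries = defaultdict(deque)   # (ip, user) -> query timestamps in window
    recon_seen = set()
    ioc_reported = set()
    burst_reported = set()
    for line in lines:
        ts, ip, user, uri = parse_line(line)
        key = (ip, user)
        if ip in IOC_IPS and ip not in ioc_reported:
            ioc_reported.add(ip)
            findings.append({"type": "ioc_ip", "ip": ip, "user": user, "at": ts})
        if SOBJECTS_RE.match(uri):
            if key not in recon_seen:
                recon_seen.add(key)
                findings.append({"type": "recon", "ip": ip, "user": user, "at": ts})
            continue
        if QUERY_RE.match(uri):
            dq = recent_queries[key]
            dq.append(ts)
            while ts - dq[0] > BURST_WINDOW:   # drop timestamps outside the window
                dq.popleft()
            if len(dq) >= BURST_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                findings.append({"type": "query_burst", "ip": ip, "user": user,
                                 "at": ts, "count": len(dq),
                                 "preceded_by_recon": key in recon_seen})
    return findings


if __name__ == "__main__":
    for finding in analyze(make_sample_log()):
        print(finding)
```

The sliding window is keyed on the (ip, user) pair so that a single abused integration token stands out even when legitimate users share the instance; the “preceded_by_recon” flag ties a burst back to earlier ‘sobjects’ enumeration by the same pair, which is the sequence the article describes and a useful triage signal when the source address is not on any published list.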
