"To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident," Salesforce warned yesterday.
Icarus extortion campaign and the Klue OAuth breach
Market intelligence platform Klue suffered an OAuth breach that allowed a relatively new extortion group calling itself "Icarus" to steal Salesforce CRM data from multiple organizations and begin an extortion campaign. Sources told BleepingComputer that numerous organizations had data stolen and were receiving ransom demands. ReliaQuest and Huntress independently published reports confirming the incident; Huntress stated that its own Salesforce data had been taken.
How attackers used stolen OAuth tokens to query Salesforce
Researchers from ReliaQuest described a two-stage pattern. Attackers obtained access to Klue Battlecards integration service accounts, generated OAuth tokens tied to customer Salesforce instances, and used automated Python scripts to query Salesforce's REST API for almost 24 hours. Initial reconnaissance targeted the '/services/data/v59.0/sobjects' endpoint to map an organization's Salesforce objects, followed by exfiltration via '/services/data/v59.0/query'.
ReliaQuest said the adversary first performed a slow, steady pull designed to blend in and then in at least one environment "hit the same endpoint, sending almost a thousand queries in a 15-minute window." In another case, exfiltration was observed over six hours.
What Huntress and Klue report about the intrusion
Huntress reported that Klue told customers the attackers compromised Klue's backend systems and pushed a malicious code update that stole OAuth tokens customers used to integrate the Battlecards product with third-party platforms. The attackers reportedly used a dormant but still active credential created by Klue for a prototype integration to obtain customer tokens, then queried connected Salesforce environments directly.
Klue subsequently disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while responding to the incident. Salesforce separately disabled the Klue Battlecards integration on its platform until the breach is investigated.
Data taken, evidence preserved, and indicators to watch
Huntress said the stolen material included CRM-related information such as business contacts, sales communications, price quotes, competitive intelligence reports, and account data. The company added there was no evidence that threat intelligence, customer telemetry, passwords, payment card information, or engineering systems were compromised.
Both ReliaQuest and Huntress shared IP addresses linked to the attacks. Organizations using Klue integrations are advised to review Salesforce and related SaaS logs for activity originating from these addresses and for unusual API activity, revoke and rotate OAuth tokens, and terminate active sessions. The IP addresses published by the researchers are:
- 138.226.246.94
- 212.86.125.24
- 213.111.148.90
- 94.154.32.160
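The pattern ReliaQuest describes (a hit on the sobjects endpoint to map objects, then a burst of almost a thousand queries in 15 minutes) and the advice to check logs for the listed IPs can be turned into a simple triage pass over API logs. The following is an added example, not code from the article, ReliaQuest or Huntress; the log line format and the sample entries are constructed, not a real Salesforce event log export, and the burst threshold is an assumed tuning value.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Attacker IPs published by ReliaQuest and Huntress, and the two endpoints the article cites.
ICARUS_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
SOBJECTS = "/services/data/v59.0/sobjects"
QUERY = "/services/data/v59.0/query"

def parse_line(line):
    """Assumed (constructed) log format: '<ISO timestamp> <client_ip> <user> <request_uri>'."""
    ts, ip, user, uri = line.split()
    return datetime.fromisoformat(ts), ip, user, uri

def analyze(lines, burst_threshold=100, window=timedelta(minutes=15)):
    """Flag known IPs, sources that mapped sobjects then queried, and /query bursts per window."""
    known_ip, recon_then_query, bursts = set(), set(), []
    saw_sobjects = set()
    recent = defaultdict(deque)  # per-IP timestamps of /query hits inside the sliding window
    for line in sorted(lines):  # ISO timestamps sort chronologically as strings
        ts, ip, user, uri = parse_line(line)
        if ip in ICARUS_IPS:
            known_ip.add(ip)
        if uri.startswith(SOBJECTS):
            saw_sobjects.add(ip)
        elif uri.startswith(QUERY):
            if ip in saw_sobjects:
                recon_then_query.add(ip)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop hits that fell out of the 15-minute window
                q.popleft()
            if len(q) == burst_threshold:  # report once, at the moment the threshold is crossed
                bursts.append((ip, ts.isoformat()))
    return {"known_ip": sorted(known_ip),
            "recon_then_query": sorted(recon_then_query),
            "bursts": bursts}

def sample_log():
    """Constructed sample: a benign user, plus one listed IP that maps objects then bursts queries."""
    base = datetime(2026, 5, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=10 * i)).isoformat()} 203.0.113.5 alice {QUERY}?q=SELECT+Id+FROM+Account"
             for i in range(6)]
    lines.append(f"{base.isoformat()} 138.226.246.94 klue_svc {SOBJECTS}")
    lines += [f"{(base + timedelta(seconds=5 * i)).isoformat()} 138.226.246.94 klue_svc {QUERY}?q=SELECT+Id+FROM+Contact"
              for i in range(1, 151)]
    return lines

FINDINGS = analyze(sample_log())  # run the triage over the constructed sample
```

Real exports should be fed through a parser for the actual log format in use; the three findings (listed IP, recon-then-query, burst) are what to pivot on when deciding which tokens and sessions to revoke first.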
What this means for Salesforce customers, security teams, and affected enterprises
Salesforce customers who installed the Klue Battlecards app should expect that connections are disabled until Salesforce completes its response. Security teams are being pointed to concrete actions: review SaaS and Salesforce logs for the listed IPs and unusual API traffic, revoke and rotate OAuth tokens, and terminate active sessions tied to the Battlecards integrations. Affected enterprises that used Klue integrations will need to inventory exposed records—ReliaQuest and Huntress highlighted CRM contacts, communications, quotes and competitive reports as categories taken—and evaluate whether any further sensitive systems were implicated, noting Huntress's statement that some sensitive classes (passwords, payment cards, engineering systems) showed no evidence of compromise.
Extortion signals and where the investigation stands
BleepingComputer reported that Icarus began listing victims on a data leak site and initially posted two names; at least one of those victims was connected to the Klue campaign. That company has since been removed from the leak site, which BleepingComputer said "may indicate that negotiations are underway." A ransom note shared with BleepingComputer included the alias "mr bean" and provided a Session Messenger ID; Huntress observed that a Session ID in later extortion emails matched the value on Icarus's dark web leak site. The group's public leak site posted a short message titled "Get Ready" saying, "big corps getting listed. be ready." According to reporting, Icarus is believed to have launched in April 2026.
The immediate, verifiable steps are administrative and forensic: revoke and rotate tokens, terminate sessions, examine API logs for the endpoints and IPs cited, and await the outcome of Klue and Salesforce investigations. For companies already receiving extortion emails, the presence of matching Session IDs and the removal of a listed victim from the leak site are concrete signals the campaign is active and that at least some negotiations or takedowns may be in progress.
For readers with direct information on this incident or related attacks, BleepingComputer provided contacts: Signal at 646-961-3731 and tips@bleepingcomputer.com.