
Klue OAuth Breach Expands as Icarus Hackers Claim Multiple Victims


"On June 12, we identified unauthorized activity affecting a portion of Klue's integration infrastructure. Since then, we've been working alongside trusted cybersecurity experts to understand what happened, support our customers, and restore the connections you rely on," wrote Klue CEO Jason Smith.

Klue confirms OAuth tokens were stolen through a legacy credential

Market intelligence platform Klue has acknowledged a security incident that allowed attackers to obtain OAuth tokens used to connect Klue to customers' third‑party platforms, including Salesforce. In its public statement, Klue said an investigation determined the attacker "gained access through a compromised legacy credential associated with an integration service" and used that access to "obtain OAuth tokens" and access data within connected customer environments.

Klue said it immediately revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, launched an investigation, notified law enforcement, and engaged CrowdStrike to assist with the response. The company also stated there is currently no evidence that customer content stored directly within the Klue platform was impacted and that the incident was limited to third‑party integrations.

ReliaQuest and Huntress describe large‑scale Salesforce data theft

Independent security firms ReliaQuest and Huntress reported that attackers abused compromised Klue Battlecards integrations to steal data from multiple organizations' Salesforce CRM instances. ReliaQuest observed the attackers generating OAuth tokens and using Python scripts to query Salesforce's API over extended periods as data was exfiltrated.

Huntress disclosed that its own Salesforce environment was affected and said the stolen data included business contacts, sales communications, pricing information, and other records. Several affected organizations have warned that the stolen business contact information could be used in follow‑on phishing, social‑engineering, and extortion campaigns, and urged customers to be vigilant.

Icarus extortion group publicly claims responsibility and pressures victims

After BleepingComputer and Huntress linked the incident to an extortion operation known as Icarus, the threat actors published a claim of responsibility on their data leak site. The Icarus post stated, "As you've probably already heard, Klue.com has been impacted by us recently. A number of other companies' Salesforce instances, which were partners to Klue, were exfiltrated."

Icarus additionally pressured Klue and affected organizations to contact the group through the Session messaging platform to prevent the leaking of stolen data. BleepingComputer reported the linkage after sources shared extortion emails sent to affected organizations, and Huntress independently connected the operation to Icarus through Session Messenger IDs used in the extortion emails and on the group's data leak site.

Known victims and the reported impact on their environments

Following the forensic work by ReliaQuest and Huntress and subsequent disclosures, several companies publicly acknowledged they were affected by the Klue‑linked activity. The list of organizations that have disclosed they were impacted includes Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Almost all of those companies said the incident led to the theft of data from their Salesforce instances and did not affect their platforms, infrastructure, payment information, or internal systems.

How security teams and affected organizations are responding

  • Security teams: Investigations by ReliaQuest and Huntress show attackers used stolen OAuth credentials and automated scripts to query Salesforce APIs, prompting responders to revoke tokens, remove unauthorized code, and disable impacted integrations — steps Klue reported taking immediately after discovery.
  • Affected enterprises and customers: Several organizations have warned customers about potential follow‑on phishing and extortion using stolen business contact data and have urged vigilance. Law enforcement notifications and third‑party incident response engagements (CrowdStrike in Klue's case) were also reported.

The incident illustrates a specific, consequential chain: a compromised legacy credential in an integration service was used to obtain OAuth tokens, and those tokens enabled sustained API queries and exfiltration from customer Salesforce instances. Klue's mitigation steps (token revocation, disabling integrations, removal of unauthorized code, and external forensics) cut off that vector but cannot recall data that was already exfiltrated. Whether the stolen material is further disseminated rests, for now, with ongoing investigations, law enforcement, and the extortion group's public posture on its data leak site.
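The pattern described above (integration tokens used for repeated bulk API reads over an extended period) is what a CRM owner's detection logic needs to surface, and the token identifiers behind it are what an incident responder needs to revoke. The following is an added example for that defender-side check; it is not Klue's, ReliaQuest's, or Huntress's tooling. The log schema, the app names (Battlecards, NightlyBackup, Marketing), and the token identifiers are constructed for illustration and are not the real Salesforce event log layout; map your own audit or API logs onto the five fields before using it.

```python
"""Flag integrations whose OAuth tokens pull bulk CRM data across many
consecutive windows, and scope what they read. Added example; the CSV
schema (ts,app,token_id,entity,rows) is constructed, not Salesforce's."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime      # when the API call happened; assumed to be UTC
    app: str          # connected app / integration name (constructed)
    token_id: str     # OAuth token identifier on the call (constructed)
    entity: str       # object read, e.g. Contact, Opportunity
    rows: int         # rows returned by the call


def parse_line(line: str) -> ApiEvent:
    """Parse one constructed CSV line: ts,app,token_id,entity,rows."""
    ts, app, token, entity, rows = line.strip().split(",")
    return ApiEvent(datetime.fromisoformat(ts), app, token, entity, int(rows))


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def sustained_exfil_candidates(events, window=timedelta(hours=1),
                               rows_per_window=1000, min_windows=3):
    """Return {app: set(token_ids)} for apps that read at least
    rows_per_window rows in at least min_windows distinct windows.
    One large pull (a nightly sync) does not trigger; repeated bulk
    reads spread over hours, the behaviour reported in this incident, do."""
    rows_per_app_window = defaultdict(lambda: defaultdict(int))
    tokens_per_app = defaultdict(set)
    for e in events:
        # Align to the window start without relying on local timezone.
        bucket = e.ts - ((e.ts - datetime.min) % window)
        rows_per_app_window[e.app][bucket] += e.rows
        tokens_per_app[e.app].add(e.token_id)
    flagged = {}
    for app, buckets in rows_per_app_window.items():
        hot = sum(1 for r in buckets.values() if r >= rows_per_window)
        if hot >= min_windows:
            flagged[app] = set(tokens_per_app[app])
    return flagged


def rows_by_entity(events, app: str) -> dict:
    """Scope the exposure: total rows each object gave up to one app."""
    totals = defaultdict(int)
    for e in events:
        if e.app == app:
            totals[e.entity] += e.rows
    return dict(totals)


# Constructed sample log: one integration reads bulk data hour after hour,
# one backup job does a single large pull, one app is quiet.
SAMPLE_LOG = """\
2025-06-10T01:00:00,Battlecards,tok-A1,Account,400
2025-06-10T01:05:00,Battlecards,tok-A1,Opportunity,400
2025-06-10T02:10:00,Battlecards,tok-A1,Contact,1500
2025-06-10T02:30:00,Battlecards,tok-A2,Contact,2000
2025-06-10T03:15:00,Battlecards,tok-A2,Opportunity,2500
2025-06-10T04:05:00,Battlecards,tok-A2,Account,1200
2025-06-10T01:00:00,NightlyBackup,tok-B9,Contact,5000
2025-06-10T09:12:00,Marketing,tok-C3,Lead,20
"""


def analyze(log_text: str = SAMPLE_LOG) -> dict:
    """Run the detector and attach an exposure summary per flagged app."""
    events = parse_log(log_text)
    report = {}
    for app, tokens in sustained_exfil_candidates(events).items():
        report[app] = {"revoke_tokens": sorted(tokens),
                       "rows_by_entity": rows_by_entity(events, app)}
    return report


if __name__ == "__main__":
    for app, detail in analyze().items():
        print(app, "-> revoke", detail["revoke_tokens"])
        print("  exposure:", detail["rows_by_entity"])
```

The thresholds (1,000 rows per hour, three hot hours) are placeholders; set them from the integration's observed baseline, since a legitimate sync that runs once a night should stay below `min_windows` while hours of repeated bulk reads will not. The `revoke_tokens` list is the input to the token-revocation step Klue and the affected organizations described, and `rows_by_entity` tells the notification team which record types (contacts, opportunities) were read.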

Read the original BleepingComputer report: https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/