Klue, a competitive intelligence platform, experienced a security breach involving OAuth credentials. This allowed a threat group known as “Icarus” to steal Salesforce CRM data from several companies as part of an active extortion scheme.
Yesterday, sources informed BleepingComputer that multiple organizations had their Salesforce data pilfered and are now facing extortion demands from this relatively new criminal group.
Both ReliaQuest and Huntress, two cybersecurity companies, have released reports verifying the incident. Huntress confirmed that its own Salesforce data was compromised in the attack.

Salesforce has temporarily deactivated the Klue Battlecards integration on its platform while the breach is under investigation.
“As a precautionary measure, Salesforce has severed the connection between the Klue Battlecards application—which was installed by individual customers—and our platform. This action is part of our response to a recent security event,” Salesforce stated yesterday.
“Consequently, organizations will be unable to link to Salesforce through this application until further notice.”
If you possess any details about this incident or other unreported attacks, please reach out to us securely via Signal at 646-961-3731 or email us at tips@bleepingcomputer.com.
Stolen OAuth tokens leveraged to extract Salesforce data
According to ReliaQuest, the attackers accessed service accounts linked to the Klue Battlecards integration. They then utilized OAuth tokens tied to customers’ Salesforce instances to carry out the data theft.
The security researchers noted that the threat actors created OAuth tokens and subsequently employed automated Python scripts to query Salesforce’s REST API for nearly a full day.
The operation started with reconnaissance of an organization’s Salesforce instances via the ‘/services/data/v59.0/sobjects’ endpoint, followed by data extraction using the ‘/services/data/v59.0/query’ endpoint.
ReliaQuest explained that in one case, the attackers methodically mapped out the organization’s Salesforce objects to pinpoint valuable data before quickly extracting it once they identified their targets.
“The attacker then targeted the same endpoint, sending close to a thousand queries within a 15-minute span in at least one environment,” ReliaQuest detailed.
“While the initial phase involved a slow, steady extraction intended to avoid detection, this sudden burst prioritized speed over stealth, indicating either time constraints or a focus on specific records. In another instance, the data theft occurred over a six-hour period.”
The researchers noted that the tactics closely mirrored previous Salesforce third-party integration attacks conducted by the ShinyHunters extortion group, though they could not definitively link the attacks to that specific actor.
However, BleepingComputer discovered yesterday that ShinyHunters was not responsible. Instead, a newer threat actor called “Icarus” is behind the campaign and has already begun sending extortion emails to Klue customers affected by the breach.
A ransom note provided to BleepingComputer revealed that the emails were sent under the alias “mr bean” and included a Session Messenger ID for contact.
The group’s data leak site also features a post titled “Get Ready,” which hints at the extortion campaign with the message: “big corps getting listed. be ready.”
Icarus is believed to have emerged in April 2026 and initially posted two victims on its leak site. BleepingComputer learned that at least one of these victims is connected to the Klue campaign. That company has since been removed from the leak site, possibly suggesting that negotiations are in progress.
Today, Huntress revealed that it was among the organizations affected by the Klue breach, confirming that it received a similar extortion email to the one seen by BleepingComputer. However, the Session ID in later emails differed and matched the one listed on the Icarus data leak site, providing further evidence linking the group to the attack.
“In the initial email, the adversary wrote, ‘we advice you to write to us on Session’ (sic),” Huntress reported.
“The Session Messenger ID they provided aligned with the values posted on the dark web leak site of a new extortion group named ‘Icarus.’”
Huntress stated that Klue informed customers that attackers first breached the company’s backend systems and then deployed a malicious code update designed to steal OAuth tokens used by customers to integrate the Battlecards product with third-party platforms.
The attackers reportedly exploited a dormant but still valid credential created by Klue for a prototype integration. After infiltrating Klue’s environment, they stole customer OAuth tokens and used them to directly access connected Salesforce environments.
Klue subsequently disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack as part of its incident response.
According to Huntress, the stolen data includes CRM-related information such as business contacts, sales communications, price quotes, competitive intelligence reports, and account data.
The cybersecurity firm confirmed there was no evidence that threat intelligence data, customer telemetry, passwords, payment card details, or engineering systems were compromised.
Both ReliaQuest and Huntress have shared IP addresses associated with the attacks, listed below:
138.226.246.94
212.86.125.24
213.111.148.90
94.154.32.160

Organizations utilizing Klue integrations are advised to examine Salesforce and related SaaS logs for activity originating from these IP addresses, revoke and rotate OAuth tokens, terminate active sessions, and review Salesforce logs for any unusual API activity.
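The two things the reports give defenders to look for are the published IP addresses and the traffic pattern itself: reconnaissance against the `sobjects` endpoint followed by bursts of `query` calls. The script below is an added example, not code from the article, from ReliaQuest, Huntress, Salesforce or Klue; it checks both indicators over API request records. It assumes a simplified, constructed record shape (`timestamp,user,client_ip,uri`) rather than the exact schema of any Salesforce event log type, and the burst threshold of 50 query calls per 15 minutes is an assumed tuning value (the reported burst was close to a thousand in 15 minutes); the sample records are constructed, not real log data.

```python
"""Triage helper for Salesforce API request records (added example, not from
the article or the vendors named in it). It flags requests from the published
indicator IPs and sliding-window bursts of calls to the /services/data/vNN.0/query
endpoint. Record format and threshold are assumptions, see the comments."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IP addresses shared by ReliaQuest and Huntress, as listed in the article.
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 50  # assumed tuning value; tune to the org's normal integration volume


def parse_record(line):
    """Parse one constructed 'timestamp,user,client_ip,uri' line (assumed format)."""
    ts, user, ip, uri = line.strip().split(",", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "uri": uri}


def is_query_endpoint(uri):
    """True for the REST query endpoint used for the bulk extraction (any API version)."""
    return uri.startswith("/services/data/") and "/query" in uri


def is_sobjects_endpoint(uri):
    """True for the object-enumeration endpoint used during reconnaissance."""
    return uri.startswith("/services/data/") and "/sobjects" in uri


def flag_ioc_hits(records):
    """Return every record whose client IP is one of the published indicators."""
    return [r for r in records if r["ip"] in IOC_IPS]


def detect_query_bursts(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window count of query-endpoint calls per user.

    Returns one (user, window_start, window_end, count) tuple for the first
    window in which a user's query calls reach the threshold."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if is_query_endpoint(r["uri"]):
            by_user[r["user"]].append(r["ts"])
    alerts = []
    for user, times in by_user.items():
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:  # drop calls older than the window
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append((user, recent[0], t, len(recent)))
                break
    return alerts


def sample_records():
    """Constructed sample records: one sobjects reconnaissance call and 60 query
    calls in 10 minutes from an integration user at an indicator IP, plus a
    low-volume human user at an unrelated address. Not real log data."""
    base = datetime(2026, 5, 1, 2, 0, 0)
    integ, ip = "klue-integration@example.com", "213.111.148.90"
    lines = [f"2026-05-01T01:50:00,{integ},{ip},/services/data/v59.0/sobjects"]
    for i in range(60):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()},{integ},{ip},"
                     "/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
    for i in range(5):
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()},alice@example.com,203.0.113.10,"
                     "/services/data/v59.0/query?q=SELECT+Name+FROM+Contact")
    return [parse_record(line) for line in lines]


if __name__ == "__main__":
    recs = sample_records()
    for r in flag_ioc_hits(recs)[:3]:
        kind = "recon" if is_sobjects_endpoint(r["uri"]) else "query"
        print(f"IOC hit: {r['ts']} {r['user']} {r['ip']} ({kind})")
    for user, start, end, n in detect_query_bursts(recs):
        print(f"Burst: {user} made {n} query calls between {start} and {end}")
```

Run it against exported API request records in the assumed format after the IP list is confirmed against your own sources; a hit on an indicator IP or a burst from an integration service account is a prompt to revoke that account's OAuth tokens and terminate its sessions, as the article recommends, and then to review what the affected queries returned.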