
Klue Salesforce integration breach exposes OAuth tokens

breach | open | Jun 21, 2026 — Jun 22, 2026
Klue breach leaks OAuth tokens, puts cybersecurity firms on alert

Klue confirmed a breach that exposed OAuth tokens used to access customer Salesforce environments, prompting alerts across several cybersecurity firms. Huntress detailed the compromise in a blog post.

The intrusion began with a legacy credential that was reused across Klue’s internal systems, allowing attackers to harvest OAuth tokens for the Battlecards integration with Salesforce. This gave the threat actors a foothold without involving any known vulnerability identifier.

Those tokens granted the intruders read‑and‑write access to linked CRM records, enabling them to extract contact lists, opportunity data and internal notes without raising multi‑factor alarms. The method relied solely on token abuse rather than exploiting a software flaw.

The activity has been attributed to a newly identified group calling itself Icarus, which has already contacted Klue with demands and threatened to publish the stolen data if its conditions are not met. Researchers note that the group is leveraging the stolen tokens to explore further access within the compromised Salesforce tenants.

Several firms that rely on Klue’s market intelligence, including Huntress, ReliaQuest, Recorded Future, Jamf and Tanium, have warned that the leaked tokens could be reused in phishing campaigns or to pivot into other SaaS applications linked to the compromised Salesforce instances. The breach highlights how a single integration point can become a conduit for broader data exposure.

Defenders should immediately revoke any OAuth tokens issued through Klue’s Battlecards connector, force re‑authorization of Salesforce connections and review login logs for unusual access patterns. Enforcing MFA where possible and monitoring for credential reuse across other services are also recommended steps to limit the fallout.
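For the log-review step, the following added example (not code from Klue, Huntress or Salesforce) flags OAuth logins for one connected app that come from source IPs the integration never used before the review window. It assumes a CSV export with the column names of Salesforce's LoginHistory object; the app name `EXAMPLE_CONNECTED_APP`, the window start and all sample rows are constructed placeholders.

```python
import csv
import io
from datetime import datetime, timezone

OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # LoginType recorded for OAuth connected-app logins
APP_NAME = "EXAMPLE_CONNECTED_APP"      # placeholder: the connector's name as shown in your org

# Constructed LoginHistory export (documentation-range IPs and made-up users, not real data).
SAMPLE_CSV = """UserId,LoginTime,SourceIp,LoginType,Application,Status
005A,2026-06-01T09:00:00Z,192.0.2.10,Remote Access 2.0,EXAMPLE_CONNECTED_APP,Success
005A,2026-06-10T09:05:00Z,192.0.2.10,Remote Access 2.0,EXAMPLE_CONNECTED_APP,Success
005A,2026-06-12T14:00:00Z,198.51.100.7,Application,Browser,Success
005A,2026-06-21T02:13:00Z,203.0.113.50,Remote Access 2.0,EXAMPLE_CONNECTED_APP,Success
005A,2026-06-21T09:01:00Z,192.0.2.10,Remote Access 2.0,EXAMPLE_CONNECTED_APP,Success
005B,2026-06-21T03:40:00Z,203.0.113.50,Remote Access 2.0,EXAMPLE_CONNECTED_APP,Success
005B,2026-06-21T03:41:00Z,203.0.113.51,Remote Access 2.0,EXAMPLE_CONNECTED_APP,Failed
"""

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def flag_new_source_ips(csv_text, app_name, window_start):
    """Return OAuth logins for app_name at/after window_start whose source IP
    had no successful login for that app before window_start."""
    baseline, candidates = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["LoginType"] != OAUTH_LOGIN_TYPE or row["Application"] != app_name:
            continue  # interactive logins and other apps are out of scope
        when = parse_time(row["LoginTime"])
        if when < window_start:
            if row["Status"] == "Success":
                baseline.add(row["SourceIp"])  # IPs the integration normally calls from
        else:
            candidates.append((when, row))
    # Non-success rows are kept too: they can show a token still being tried.
    return [
        {"user": r["UserId"], "time": t.isoformat(), "ip": r["SourceIp"], "status": r["Status"]}
        for t, r in sorted(candidates, key=lambda c: c[0])
        if r["SourceIp"] not in baseline
    ]

if __name__ == "__main__":
    start = datetime(2026, 6, 21, tzinfo=timezone.utc)  # assumed start of the review window
    for hit in flag_new_source_ips(SAMPLE_CSV, APP_NAME, start):
        print(hit)
```

Set the window start earlier than the disclosed incident dates if token theft may predate them, since any attacker IP that falls inside the baseline period will not be flagged.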

Intelligence briefing updated Jun 22, 2026

Icarus
Root source: www.huntress.com