
A supply chain compromise of the market intelligence platform Klue has exposed Salesforce data belonging to about two dozen customer organisations, including several well‑known security vendors (SecurityWeek reports). Attackers exploited outdated administrator credentials to steal OAuth tokens from Klue’s Battlecards integration and then used the Salesforce REST API to download contact details, titles and email addresses. The threat actor calling itself Icarus claimed responsibility and warned that it would publish the stolen information unless a ransom was paid (Klue's advisory).
No CVE has been assigned to the incident, but researchers trace the weakness to the way Klue stored and issued OAuth tokens for its Battlecards app: anyone holding valid legacy credentials could obtain tokens for the Salesforce API (Huntress details). With those tokens the attackers could query the linked CRM environments, extracting standard fields such as user names, job titles and email addresses, along with any custom fields the integration exposed. Klue responded by disabling the Salesforce and HubSpot connections on 17 June and has not reinstated them (Salesforce status notice).
The affected organisations include BeyondTrust, LastPass and AlertMedia, although Klue notes that up to 195 customers could be impacted pending a full review of its client list (databreaches.net victim list). The breach window spans roughly 11 to 12 June, when firms such as Huntress and Recorded Future detected anomalous Salesforce API traffic (SecurityWeek coverage). Even with a limited number of confirmed victims, the incident shows how a single compromised third-party app gives an attacker a foothold in many customer environments at once.
Icarus has been observed posting ransom demands on underground forums, threatening to leak the harvested data unless payment is made, and some reports indicate that negotiations may have resulted in the deletion of a portion of the stolen material (SecurityWeek follow‑up). The group has not been tied to any previously known ransomware family, though its tactics resemble those seen in earlier intrusions attributed to ShinyHunters. Law enforcement agencies have been brought in to assist Klue’s investigation, which is being supported by CrowdStrike and the Huntress team.
Defenders should immediately revoke any OAuth tokens issued through the Klue Battlecards integration, reset the passwords of the associated service accounts and require multi-factor authentication wherever possible. Note that MFA on the user account does nothing against a token the attacker already holds; the tokens themselves have to be revoked. Security teams should review Salesforce login history for API logins from unfamiliar IP addresses, particularly those attributed to the connected app, and grant third-party applications only the scopes they actually need. An up-to-date inventory of authorised integrations and regular permission reviews reduce the chance that a similar supply chain weakness can be exploited again.
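The login-history review recommended above can be scripted. The following is an added example, not code from the original article or from Klue or Salesforce: it triages records shaped like Salesforce's standard LoginHistory object (the field names LoginTime, SourceIp, LoginType, Application and Status are the real ones) and flags logins by a given connected app that come from an IP outside the vendor's published egress ranges or fall inside the reported breach window. The sample rows are constructed, and the app display name "Klue Battlecards", the 203.0.113.0/24 vendor range, the window dates and the year in the timestamps are all assumptions.

```python
"""Triage Salesforce LoginHistory rows for third-party connected-app abuse.

Added example (not from the article, Klue or Salesforce). LoginHistory field
names are the standard ones; rows, app name, vendor range and dates are assumed.
"""
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

SUSPECT_APP = "Klue Battlecards"                      # assumed Application display name
KNOWN_VENDOR_NETS = [ip_network("203.0.113.0/24")]    # hypothetical vendor egress range
WINDOW_START = datetime(2025, 6, 11, tzinfo=timezone.utc)  # article: roughly 11-12 June (year assumed)
WINDOW_END = datetime(2025, 6, 13, tzinfo=timezone.utc)

# Constructed sample rows, in the shape returned by
#   SELECT UserId, LoginTime, SourceIp, LoginType, Application, Status FROM LoginHistory
SAMPLE_LOGINS = [
    # routine integration traffic from the vendor range, before the window
    {"UserId": "005xx0000001AAA", "LoginTime": "2025-06-09T08:15:00.000+0000",
     "SourceIp": "203.0.113.10", "LoginType": "Remote Access 2.0",
     "Application": "Klue Battlecards", "Status": "Success"},
    # same app, unknown IP, inside the window: flagged twice
    {"UserId": "005xx0000001AAA", "LoginTime": "2025-06-11T23:42:10.000+0000",
     "SourceIp": "198.51.100.77", "LoginType": "Remote Access 2.0",
     "Application": "Klue Battlecards", "Status": "Success"},
    # same app, vendor IP, inside the window: flagged for timing only
    {"UserId": "005xx0000001AAA", "LoginTime": "2025-06-12T03:05:44.000+0000",
     "SourceIp": "203.0.113.12", "LoginType": "Remote Access 2.0",
     "Application": "Klue Battlecards", "Status": "Success"},
    # unrelated interactive login: ignored
    {"UserId": "005xx0000002BBB", "LoginTime": "2025-06-12T09:00:00.000+0000",
     "SourceIp": "192.0.2.5", "LoginType": "Application",
     "Application": "Browser", "Status": "Success"},
    # failed attempt from an unknown IP after the window: flagged for IP only
    {"UserId": "005xx0000001AAA", "LoginTime": "2025-06-14T12:00:00.000+0000",
     "SourceIp": "198.51.100.78", "LoginType": "Remote Access 2.0",
     "Application": "Klue Battlecards", "Status": "Failed: API security token required"},
]


def parse_login_time(value):
    """LoginHistory.LoginTime is serialised as 2025-06-09T08:15:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_known_source(ip, nets):
    """True when the IP falls inside one of the vendor's published ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def triage(logins, app=SUSPECT_APP, nets=KNOWN_VENDOR_NETS,
           start=WINDOW_START, end=WINDOW_END):
    """Return the rows for `app` that deserve a look, each with its reasons.

    A row is flagged when its origin is outside the known vendor ranges and/or
    its timestamp lies inside the window of reported anomalous API traffic.
    Failed logins are kept: a burst of failures from a new IP is itself a signal.
    """
    findings = []
    for row in logins:
        if row["Application"] != app:
            continue
        reasons = []
        if not is_known_source(row["SourceIp"], nets):
            reasons.append("source IP outside known vendor ranges")
        if start <= parse_login_time(row["LoginTime"]) < end:
            reasons.append("login inside reported breach window")
        if reasons:
            findings.append({**row, "Reasons": reasons})
    return findings


def source_summary(logins, app=SUSPECT_APP):
    """Logins per source IP for the app; an IP seen once is the one to chase."""
    return Counter(r["SourceIp"] for r in logins if r["Application"] == app)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGINS):
        print(f["LoginTime"], f["SourceIp"], f["Status"], "->", "; ".join(f["Reasons"]))
    print(source_summary(SAMPLE_LOGINS))
```

Run against real data, the rows would come from a SOQL query over LoginHistory filtered on LoginTime, and the vendor range from the integration's documentation; the point of keeping the failed row is that a credential-stuffing or token-minting attempt shows up in LoginHistory before it succeeds.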