
The extortion group Icarus has published Salesforce data taken from dozens of organisations after compromising OAuth tokens belonging to the Klue Battlecards integration, a development confirmed by Huntress, LastPass and Klue itself.
According to a Klue advisory, and as reported by Huntress, attackers gained unauthorised access to the company’s integration layer and harvested OAuth tokens that grant trusted access to customer Salesforce environments. With those tokens the threat actors ran rapid queries against Salesforce instances over a concentrated 24‑hour window, extracting CRM records without triggering conventional alerts.
No CVE has been assigned to the incident; as noted on Salesforce’s status page, the abuse stems from a flaw in how Klue managed token storage and rotation for its Battlecards app. Klue’s CEO disclosed the breach on 12 June, admitting that the stolen tokens allowed adversaries to read, and in some cases export, contact, opportunity and case data from affected tenants.
Icarus has claimed responsibility and issued extortion notices, threatening to leak additional datasets unless demands are met, according to Databreaches.net. The group’s public statements have raised alarm across the technology and cybersecurity sectors, highlighting the reach of supply‑chain risks in SaaS ecosystems.
This episode follows a string of similar breaches where trusted third‑party applications were leveraged to pivot into core cloud services, reinforcing concerns about token hygiene and integration oversight. Security teams are urged to treat any unexpected surge in Salesforce API calls as a potential indicator of compromise.
Defenders should immediately revoke all OAuth tokens issued to Klue’s Battlecards app and rotate any connected‑app credentials within Salesforce, as advised by LastPass. Reviewing login history for anomalous query patterns, enforcing multi‑factor authentication on integration accounts and tightening token scopes to the minimum required privilege are prudent next steps.
Organisations should also consider disabling non‑essential third‑party apps until vendors publish thorough security patches, implement anomaly‑based monitoring for API usage and reassess vendor risk management programmes to include regular token‑rotation checks. These measures can help limit the fallout from similar supply‑chain incidents in the future.
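The surge‑based monitoring recommended above, as an added example that is not part of the original article: API call records are bucketed per connected app and hour, and any hour whose call count is both above an absolute floor and several times that app's median hourly volume is flagged. The record layout and the sample data are constructed for this example and are not Salesforce's real event log schema.

```python
"""Detect a burst of Salesforce API calls from one connected app.
Added example; record fields and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def build_sample_records():
    """Constructed sample: a quiet day of hourly sync calls, followed by
    a burst of bulk reads of Contact and Case squeezed into one hour."""
    app, user = "Klue Battlecards", "integration@example.invalid"
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rows = [(start + timedelta(hours=h), app, user, "Opportunity", 50)
            for h in range(24)]
    burst = start + timedelta(days=1, hours=2)
    rows += [(burst + timedelta(minutes=m), app, user, entity, 2000)
             for m in range(30) for entity in ("Contact", "Case")]
    return rows  # tuples: (timestamp, connected_app, user, entity, rows_read)


def detect_api_surge(records, factor=5.0, min_calls=10):
    """Return one alert per (app, hour) bucket whose call count reaches
    `min_calls` and is at least `factor` times the app's median hourly count."""
    buckets = defaultdict(list)
    for ts, app, user, entity, n_rows in records:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(app, hour)].append((user, entity, n_rows))
    hourly_counts = defaultdict(list)  # per app, one count per observed hour
    for (app, _hour), calls in buckets.items():
        hourly_counts[app].append(len(calls))
    alerts = []
    for (app, hour), calls in sorted(buckets.items()):
        baseline = median(hourly_counts[app])
        count = len(calls)
        if count >= min_calls and count >= factor * baseline:
            alerts.append({
                "app": app, "hour": hour.isoformat(), "calls": count,
                "baseline": baseline,
                "rows": sum(r for _, _, r in calls),
                "entities": sorted({e for _, e, _ in calls}),
                "users": sorted({u for u, _, _ in calls}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_api_surge(build_sample_records()):
        print(alert)
```

On the constructed data the quiet day yields a baseline of one call per hour, so only the burst hour (60 calls, 120,000 rows across Contact and Case) is reported.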