
Klue confirms OAuth breach as Icarus claims extortion

Klue confirms – Klue says an attacker accessed part of its integration infrastructure on June 12, stole OAuth tokens used to reach customer Salesforce environments, and used them to exfiltrate third‑party data. The Icarus extortion group now publicly claims responsibility, an

The day Klue spotted unauthorized activity, the clock started ticking for the companies that trust its platform to connect their data to third‑party systems. On June 12, Klue identified unauthorized activity affecting part of its integration infrastructure—an intrusion that would later be tied to stolen OAuth tokens used to reach customer Salesforce environments.

Klue’s chief executive, Jason Smith, said the company has been working with cybersecurity experts since then to understand what happened, support customers, and restore the connections they rely on. In his statement, Smith wrote that the investigation found the attacker gained access through a compromised legacy credential tied to an integration service.

From there, the breach followed a route that’s hard for normal security teams to spot in real time: the attacker used that access to obtain OAuth tokens used to connect Klue with certain third‑party platforms, including Salesforce, and then accessed data within a number of connected customer environments. Smith also said there is currently no evidence that customer content stored directly within the Klue platform was impacted, and that the incident was limited to third‑party integrations.

Klue says it moved quickly once the activity was identified. It revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, launched an investigation, and notified law enforcement. The company also confirmed it engaged CrowdStrike to assist with the response.

The details that emerged after Klue’s confirmation were already unsettling. Huntress and ReliaQuest had described how attackers abused compromised Klue Battlecards integrations to steal Salesforce CRM data from multiple organizations. Their findings pointed to a pattern that looks like normal application access—OAuth tokens and scripted API calls—used for something far less routine: extended periods of data theft.


ReliaQuest reported that the attackers generated OAuth tokens and used Python scripts to query Salesforce’s API for extended periods as data was stolen. Huntress then disclosed that its own Salesforce environment was affected by the Klue breach, and that the stolen data included business contacts, sales communications, pricing information, and other records.
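The pattern the reporting describes, an integration's OAuth token suddenly driving sustained scripted bulk reads across many objects, is something a defender can baseline and alert on. The following Python is an added example, not code from the page, Klue, Huntress or ReliaQuest: it groups constructed CRM API audit records by connected app and client string, then flags groups whose volume, duration and object spread exceed the integration's normal periodic sync. Field names, values and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API events, loosely modelled on the per-call records a CRM
# audit log keeps for a connected app's OAuth token. Field names and values are
# assumptions for this example, not the incident's real log data.
SAMPLE_EVENTS = [
    # Normal integration behaviour: hourly, small reads of one or two objects.
    {"ts": "2025-06-12T01:00:00", "app": "battlecards-sync", "client": "IntegrationRuntime/2.1", "object": "Opportunity", "rows": 40},
    {"ts": "2025-06-12T02:00:00", "app": "battlecards-sync", "client": "IntegrationRuntime/2.1", "object": "Opportunity", "rows": 35},
    {"ts": "2025-06-12T03:00:00", "app": "battlecards-sync", "client": "IntegrationRuntime/2.1", "object": "Account", "rows": 12},
    # Same OAuth app, different client string, continuous bulk reads across many objects.
    {"ts": "2025-06-12T09:00:00", "app": "battlecards-sync", "client": "python-requests/2.31", "object": "Contact", "rows": 2000},
    {"ts": "2025-06-12T09:02:00", "app": "battlecards-sync", "client": "python-requests/2.31", "object": "Contact", "rows": 2000},
    {"ts": "2025-06-12T10:30:00", "app": "battlecards-sync", "client": "python-requests/2.31", "object": "Lead", "rows": 2000},
    {"ts": "2025-06-12T13:45:00", "app": "battlecards-sync", "client": "python-requests/2.31", "object": "Opportunity", "rows": 1500},
    {"ts": "2025-06-12T15:10:00", "app": "battlecards-sync", "client": "python-requests/2.31", "object": "Task", "rows": 900},
]


def summarize(events):
    """Group calls by (app, client) and compute first/last seen, rows, objects, calls."""
    groups = defaultdict(lambda: {"first": None, "last": None, "rows": 0, "objects": set(), "calls": 0})
    for e in events:
        g = groups[(e["app"], e["client"])]
        ts = datetime.fromisoformat(e["ts"])
        g["first"] = ts if g["first"] is None or ts < g["first"] else g["first"]
        g["last"] = ts if g["last"] is None or ts > g["last"] else g["last"]
        g["rows"] += e["rows"]
        g["objects"].add(e["object"])
        g["calls"] += 1
    return groups


def flag_token_abuse(events, min_rows=5000, min_span=timedelta(hours=4), min_objects=3):
    """Return (app, client) pairs whose activity looks like a sustained bulk export
    rather than the integration's usual periodic sync. Thresholds are assumptions;
    tune them against each tenant's baseline."""
    flagged = []
    for key, g in summarize(events).items():
        span = g["last"] - g["first"]
        if g["rows"] >= min_rows and span >= min_span and len(g["objects"]) >= min_objects:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for app, client in flag_token_abuse(SAMPLE_EVENTS):
        print(f"review OAuth grant for app={app!r} client={client!r}: sustained bulk reads")
```

A hit is a reason to review and, if unexplained, revoke the connected app's tokens, which is the same containment step Klue describes taking.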

What makes the situation sting is how closely it tracks the trust relationships between businesses and the tools that connect their systems. Klue’s incident wasn’t a smash‑and‑grab against its own storage; it was access through the door Klue opens into customer environments.

And now, that door has another name attached to it: Icarus.


The Icarus extortion group has publicly claimed responsibility on its data leak site. The post says, “As you’ve probably already heard, Klue.com has been impacted by us recently. A number of other companies’ Salesforce instances, which were partners to Klue, were exfiltrated.”

In the same message, Icarus says it pressured Klue and affected organizations to contact it through the Session messaging platform to prevent the leaking of stolen data. The claim arrives after earlier reporting tied the activity to Icarus, with BleepingComputer and Huntress previously linking the incident to the extortion operation through extortion emails and Session Messenger IDs used in those messages and on the group’s data leak site.

Since then, additional victims have disclosed that they were affected by the attacks. Organizations named in disclosures include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.


Almost all of the disclosed impacts follow the same outline: data was stolen from their Salesforce instances, while their platforms, infrastructure, payment information, and internal systems were not affected.

Still, security teams are warning customers not to focus only on what was taken—and instead think about what comes next. Several organizations warned that stolen business contact information could be used in follow‑on phishing, social engineering, and extortion campaigns, and urged customers to be vigilant.

Klue’s disclosure has turned a growing list of victims into a clearer picture: OAuth tokens meant to power integrations were used to reach customer Salesforce data, and the Icarus group now says it exfiltrated that third‑party information. For businesses, the immediate question is no longer whether the access happened, but how quickly the stolen contacts and records will be weaponized beyond the original breach.
