
Klue OAuth breach fuels Icarus Salesforce data theft

Klue OAuth – The market intelligence platform Klue says it is responding after an OAuth breach allowed the “Icarus” extortion group to steal Salesforce CRM data from multiple organizations. Salesforce disabled Klue Battlecards integration as investigators trace how attacke

For days, the extortion emails kept landing. Then Salesforce quietly pulled the plug on a connection that lets Klue Battlecards customers sync data into their accounts—an emergency response that followed a breach tied to stolen OAuth tokens.

Klue, a market intelligence platform, suffered an OAuth breach that enabled the “Icarus” threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign. Cybersecurity firms ReliaQuest and Huntress both published reports confirming the security incident. Huntress said its own Salesforce data was stolen.

ReliaQuest reported that attackers gained access to Klue Battlecards integration service accounts and then used OAuth tokens associated with customer Salesforce instances to carry out data theft. In its investigation, the firm said it observed the threat actors generating OAuth tokens and then using automated Python scripts to query Salesforce’s REST API for nearly 24 hours.

The activity started with reconnaissance. Attackers probed an organization’s Salesforce instances through the endpoint “/services/data/v59.0/sobjects/” before exfiltrating data using “/services/data/v59.0/query.” In one case, ReliaQuest said the threat actors slowly mapped out Salesforce objects to find valuable targets, then shifted into a rapid pull once the objects were identified. In another environment, the exfiltration was observed over 6 hours.

One particularly sharp window stood out: ReliaQuest said the attackers hit the same endpoint, sending almost a thousand queries in a 15-minute window in at least one environment. The firm described the earlier phase as a “slow, steady pull designed to blend in,” followed by a burst that traded stealth for speed, suggesting time pressure or a shift to targeted records.


Researchers noted that the activity closely resembled previous Salesforce third-party integration data theft attacks by the ShinyHunters extortion group, but they were unable to attribute the campaign to ShinyHunters. BleepingComputer learned that ShinyHunters was not behind this attack. The extortion emails were instead traced to a newer extortion group known as “Icarus,” which had already begun emailing Klue customers impacted by the breach.

The ransom note shared with BleepingComputer showed the emails were sent using the alias “mr bean,” and they included a Session Messenger ID to contact the attackers. On the Icarus data leak site, there was also a simple post titled “Get Ready,” stating: “big corps getting listed. be ready.”

Icarus is believed to have launched in April 2026. When it first went live, its leak site listed two victims, and BleepingComputer learned that at least one of those victims is connected to the Klue campaign. That Klue-related victim has since been removed from the data leak site, a change that may indicate negotiations are underway.


Huntress said it received an extortion email similar to the one shown earlier, with one notable difference: the Session ID used in later emails was different and matched the Session ID listed on the Icarus leak site. Huntress also reported that Klue told customers attackers first compromised Klue’s backend systems and then pushed a malicious code update that stole the OAuth tokens customers use to integrate the Battlecards product with third-party platforms.

According to Huntress, the attackers used a dormant but still active credential created by Klue for a prototype integration. After gaining access to Klue’s environment, Huntress said the attackers stole customer OAuth tokens and used them to query connected Salesforce environments directly.

As Klue and security teams dealt with the fallout, Salesforce disabled the Klue Battlecards integration. In a warning shared yesterday, Salesforce said it disabled “the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident.” Salesforce added that “organizations will not be able to connect to Salesforce via this app until further notice.”


Klue later disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while responding to the incident.

Huntress and ReliaQuest described the stolen information as CRM-related and focused on customer-facing business details. Huntress said the stolen data includes business contacts, sales communications, price quotes, competitive intelligence reports, and account data.

At the same time, Huntress said there was no evidence that threat intelligence, customer telemetry, passwords, payment card information, or engineering systems were compromised.


The technical evidence also pointed to specific source IP addresses used during the activity. Both ReliaQuest and Huntress shared IP addresses linked to the attacks: 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160.

Security teams are now advising organizations using Klue integrations to review Salesforce and related SaaS logs for activity originating from those addresses. They are also urging teams to revoke and rotate OAuth tokens, terminate active sessions, and review Salesforce logs for unusual API activity.
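As an added example (not code from ReliaQuest, Huntress, Klue, or this article), the script below turns the three hunting leads above into checks that run over a Salesforce REST API log: hits from the published source IPs, `/sobjects` reconnaissance followed by `/query` pulls from the same user and IP, and a burst of queries inside a 15-minute window. It assumes a simplified CSV export with the columns `TIMESTAMP,USER_ID,CLIENT_IP,METHOD,URI`; the real Salesforce Event Monitoring export has more fields and a different layout, so map those columns accordingly. The log lines and user IDs are constructed for the example and follow the request pattern ReliaQuest described.

```python
"""Hunt a Salesforce REST API log for the Klue/Icarus pattern: IOC source IPs,
/sobjects reconnaissance followed by /query exfiltration, and a query burst.
The log format and all sample events are constructed for this example."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Source IPs published by ReliaQuest and Huntress (from the article).
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_events(text):
    """Parse the assumed CSV layout (TIMESTAMP,USER_ID,CLIENT_IP,METHOD,URI)
    into dicts sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TIMESTAMP"] = datetime.strptime(row["TIMESTAMP"], TS_FMT)
        events.append(row)
    return sorted(events, key=lambda e: e["TIMESTAMP"])


def is_sobjects(uri):
    return "/services/data/" in uri and "/sobjects" in uri


def is_query(uri):
    return "/services/data/" in uri and "/query" in uri


def ioc_hits(events):
    """Events whose source IP is one of the published indicators."""
    return [e for e in events if e["CLIENT_IP"] in IOC_IPS]


def recon_then_exfil(events):
    """Per (user, ip): object enumeration via /sobjects before the first /query.
    Returns {(user, ip): (first_recon_ts, first_query_ts)}."""
    first_recon, findings = {}, {}
    for e in events:
        key = (e["USER_ID"], e["CLIENT_IP"])
        if is_sobjects(e["URI"]):
            first_recon.setdefault(key, e["TIMESTAMP"])
        elif is_query(e["URI"]) and key in first_recon and key not in findings:
            findings[key] = (first_recon[key], e["TIMESTAMP"])
    return findings


def query_bursts(events, window=timedelta(minutes=15), threshold=1000):
    """Peak number of /query calls per source IP in any sliding window.
    Returns {ip: peak_count} for IPs whose peak reaches the threshold."""
    per_ip = defaultdict(list)
    for e in events:  # events are already time-sorted
        if is_query(e["URI"]):
            per_ip[e["CLIENT_IP"]].append(e["TIMESTAMP"])
    bursts = {}
    for ip, times in per_ip.items():
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def build_sample_log():
    """Constructed log: an attacker IP enumerates objects, pulls slowly for two
    hours, then fires 1,000 queries in 15 minutes; a benign user runs 3 queries."""
    t0 = datetime(2026, 4, 20, 2, 0, 0)
    lines = ["TIMESTAMP,USER_ID,CLIENT_IP,METHOD,URI"]

    def add(t, user, ip, uri):
        lines.append(f"{t:{TS_FMT}},{user},{ip},GET,{uri}")

    attacker, ip = "005xxINTEG", "138.226.246.94"  # hypothetical integration user
    add(t0, attacker, ip, "/services/data/v59.0/sobjects/")
    for i, obj in enumerate(("Account", "Contact", "Opportunity")):
        add(t0 + timedelta(seconds=30 * (i + 1)), attacker, ip,
            f"/services/data/v59.0/sobjects/{obj}/describe")
    for i in range(24):  # slow, steady pull: one query every 5 minutes
        add(t0 + timedelta(minutes=5 * (i + 1)), attacker, ip,
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
    t_burst = t0 + timedelta(hours=3)
    for i in range(1000):  # burst: 1,000 queries inside 15 minutes
        add(t_burst + timedelta(milliseconds=900 * i), attacker, ip,
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Contact")
    for i in range(3):  # benign user, no reconnaissance, low volume
        add(t0 + timedelta(hours=i), "005xxALICE", "10.0.0.5",
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("IOC hits:", len(ioc_hits(evs)))
    print("recon->exfil:", recon_then_exfil(evs))
    print("bursts:", query_bursts(evs))
```

The burst threshold defaults to the roughly one thousand queries in 15 minutes ReliaQuest reported; lower it for your own baseline, and run the recon check as well, since the slow phase was designed not to trip a volume alert.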

For Klue’s customers, the disruption is immediate—and the question is no longer just what was taken, but how quickly systems can be tightened when a third-party integration becomes the doorway.

