Klue OAuth breach linked to ‘Icarus’ Salesforce data theft attack

Market intelligence platform Klue suffered an OAuth breach that allowed the “Icarus” threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.
Sources told BleepingComputer about yesterday’s attack, saying that many organizations had their Salesforce data stolen and were now being extorted by a new threat group.
Cybersecurity firms ReliaQuest and Huntress both published reports confirming the security incident, with Huntress saying its own Salesforce data was stolen in the attack.

Salesforce has since blocked the Klue Battlecards integration on its platform while the breach is investigated.
“To protect our customers, Salesforce has disabled communication between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to the latest security incident,” Salesforce warned yesterday.
“As a result, organizations will not be able to connect to Salesforce through this app until further notice.”
If you have information about this incident or other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or tips@bleepingcomputer.com.
Stolen OAuth credentials used to steal Salesforce data
ReliaQuest said the attackers gained access to the Klue Battlecards service and used the OAuth tokens associated with customers’ Salesforce instances to steal data.
Researchers observed the attackers using those OAuth tokens and automated Python scripts to query Salesforce’s REST API for approximately 24 hours.
The activity began with reconnaissance of each organization’s Salesforce instance through the ‘/services/data/v59.0/sobjects’ endpoint, which lists the available objects, before pulling data with the ‘/services/data/v59.0/query’ endpoint.
ReliaQuest said that at one organization the attackers slowly mapped the Salesforce environment to identify valuable assets, then exfiltrated the data as soon as they knew what they were looking for.
“The attacker then hit the same target, sending nearly 1,000 queries in a 15-minute window to at least one site,” ReliaQuest explained.
“Where the first stage was a slow, steady pull designed to avoid notice, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records. In one case, exfiltration was observed over six hours.”
The researchers said the activity closely resembled the third-party data theft attacks on Salesforce customers carried out by the ShinyHunters hacker group, but they could not attribute the attack to a specific threat actor.
However, BleepingComputer learned yesterday that ShinyHunters was not behind the attack; instead, a new threat actor known as “Icarus” had already started emailing extortion demands to Klue customers affected by the breach.
The extortion email shared with BleepingComputer showed that the messages were sent using the alias “mr bean” and included a Session Messenger ID for contacting the attackers.

[Image: Icarus extortion email sent to a Klue customer. Source: BleepingComputer]
The threat actor’s data leak site also carries a short post titled “Get ready,” hinting at a wider extortion campaign: “major forces are being enlisted. get ready.”

[Image: “Get ready” post on the Icarus data leak site. Source: BleepingComputer]
Icarus is believed to have launched in April 2026 and initially listed two victims on its leak site; BleepingComputer learned that at least one of these victims is connected to the Klue campaign. That company has since been removed from the data leak site, which may indicate that negotiations are ongoing.
Today, Huntress revealed that it was among the organizations affected by the Klue breach, confirming that it received the same extortion email seen by BleepingComputer. The Session ID used in the later emails was different, however, and matched the one listed on the Icarus data leak site, providing further evidence that the group was behind the attack.
“In the first email, the adversary suggests, ‘we advise you to write to us in Session’ (sic),” Huntress reported.
“The Session Messenger ID they provided matches the same values posted on the dark web leak site of a new extortion group called ‘Icarus.’”
According to Huntress, Klue told customers that the attackers first compromised the company’s back-end systems and pushed a malicious code update that harvested the OAuth tokens customers use to integrate the Battlecards product with third-party platforms.
The attackers reportedly used a dormant but still valid certificate issued by Klue to push the malicious build. Once inside Klue’s environment, they stole customers’ OAuth tokens and used them to query the connected Salesforce environments directly.
Klue later disabled its integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while responding to the incident.
Huntress said the stolen data consisted of CRM-related information, including business contacts, marketing communications, price quotes, competitive intelligence reports, and account data.
The cybersecurity firm said there was no evidence that intelligence, customer telemetry, passwords, payment card information, or engineering systems were compromised.
Both ReliaQuest and Huntress shared the IP addresses linked to the attack, listed below:
138.226.246.94
212.86.125.24
213.111.148.90
94.154.32.160

Organizations using Klue integrations are advised to search Salesforce and related SaaS logs for activity from these addresses, revoke and rotate the OAuth tokens issued to the Klue connected app, terminate any active sessions tied to them, and monitor Salesforce logs for unusual API activity, such as bulk object enumeration followed by high-volume query traffic.
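The two-phase access pattern ReliaQuest described (object enumeration through /sobjects, then a burst of /query calls) and the published indicator addresses both lend themselves to a simple log-hunting rule. The following is an added example written for this page; it is not code from the article, ReliaQuest, Huntress or Klue. It runs over a constructed, simplified CSV log (timestamp, client IP, user, HTTP method, URI) rather than Salesforce’s real EventLogFile schema, so the field layout, user names and timestamps are assumptions; the 1,000-queries-in-15-minutes threshold is taken from the figures quoted above.

```python
"""
Hunting the Klue/Icarus access pattern in Salesforce API logs.

Added example, not code from the article, ReliaQuest, Huntress or Klue.
The log format is a constructed, simplified CSV: timestamp,client_ip,user,method,uri.
Map real Salesforce Event Monitoring / EventLogFile fields onto it before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicator addresses shared by ReliaQuest and Huntress (from the article).
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

RECON_PATH = "/services/data/v59.0/sobjects"   # object enumeration seen first
QUERY_PATH = "/services/data/v59.0/query"      # SOQL pulls seen afterwards
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 1000  # ~1,000 queries in 15 minutes, as reported by ReliaQuest


def parse_line(line):
    """Parse one constructed log line; the URI may itself contain commas."""
    ts, ip, user, method, uri = line.rstrip("\n").split(",", 4)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "method": method, "uri": uri}


def analyse(lines):
    """Return (rule, ip, user, detail) findings, at most one per rule per (ip, user)."""
    records = sorted((parse_line(line) for line in lines if line.strip()),
                     key=lambda r: r["ts"])
    findings = []
    flagged = set()               # (rule, key) pairs already reported
    recon_seen = set()            # keys that enumerated /sobjects
    windows = defaultdict(deque)  # key -> timestamps of /query calls in the window

    def report(rule, key, detail):
        if (rule, key) not in flagged:
            flagged.add((rule, key))
            findings.append((rule, key[0], key[1], detail))

    for r in records:
        key = (r["ip"], r["user"])
        if r["ip"] in IOC_IPS:
            report("ioc_ip", key, f"traffic from published indicator at {r['ts'].isoformat()}")
        if r["uri"].startswith(RECON_PATH):
            recon_seen.add(key)
        elif r["uri"].startswith(QUERY_PATH):
            if key in recon_seen:
                report("recon_then_query", key, "object enumeration followed by SOQL pulls")
            w = windows[key]
            w.append(r["ts"])
            while r["ts"] - w[0] > BURST_WINDOW:   # slide the 15-minute window
                w.popleft()
            if len(w) >= BURST_THRESHOLD:
                report("query_burst", key, f"{len(w)} /query calls within {BURST_WINDOW}")
    return findings


def constructed_sample():
    """Constructed log: one benign integration plus the two-phase pattern from an IOC address."""
    t0 = datetime(2026, 4, 20, 9, 0, 0)   # assumed date, not from the article
    lines = []
    # Benign integration: a single /query every 3 minutes for an hour.
    for i in range(20):
        lines.append(f"{(t0 + timedelta(minutes=3 * i)).isoformat()},10.1.2.3,"
                     f"svc-marketing,GET,{QUERY_PATH}?q=SELECT+Id+FROM+Lead")
    # Attacker (assumed user name): enumerate objects, then 1,200 queries in 10 minutes.
    t1 = t0 + timedelta(hours=2)
    lines.append(f"{t1.isoformat()},94.154.32.160,klue-integration,GET,{RECON_PATH}")
    for i in range(1200):
        lines.append(f"{(t1 + timedelta(seconds=i // 2)).isoformat()},94.154.32.160,"
                     f"klue-integration,GET,{QUERY_PATH}?q=SELECT+Id,Name,Email+FROM+Contact")
    return lines


if __name__ == "__main__":
    for finding in analyse(constructed_sample()):
        print(finding)
```

The indicator match fires on the first request from a listed address, the recon-then-query rule fires on the first /query call after an /sobjects enumeration by the same (IP, user) pair, and the burst rule fires once a sliding 15-minute window holds 1,000 /query calls. The benign integration in the sample trips none of the rules. In a real hunt the key should be the connected-app or OAuth token identity rather than the user alone, since the stolen tokens were used in the customers’ own Salesforce context.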
