Klue Security Breach: Icarus Group Steals Salesforce Data via OAuth Tokens
Market intelligence platform Klue confirmed a security breach involving the theft of OAuth tokens, which allowed the Icarus extortion group to access customer Salesforce environments. According to Klue CEO Jason Smith, the unauthorized access stemmed from a compromised legacy credential within the company’s integration infrastructure. Security firms Huntress and ReliaQuest report that attackers used these tokens to exfiltrate sensitive business data from multiple organizations, marking a significant shift in how third-party integrations are being leveraged as conduits for large-scale corporate data theft.
How did the Icarus group execute the attack?
The Icarus extortion group bypassed standard security measures by targeting the trust relationship between Klue and its customers’ Salesforce instances. According to ReliaQuest, the attackers generated new OAuth tokens and utilized Python scripts to query the Salesforce API systematically. By masquerading as legitimate integration services, the actors maintained access for extended periods. Huntress confirmed that the breach resulted in the exposure of proprietary records, including sales communications, pricing structures, and contact databases from several high-profile companies, such as Recorded Future, Tanium, and Jamf.

Why are third-party integrations a growing security risk?
This incident highlights a broader trend: the “supply chain” of SaaS integrations is becoming a primary target for threat actors. While companies often focus on hardening their own primary infrastructure, integrations—which rely on OAuth tokens for seamless connectivity—often operate with high-level permissions. According to security researchers at Huntress, once an attacker gains control of a token, they can bypass multi-factor authentication (MFA) on the target platform because the connection is already considered “authenticated” by the system. This creates a blind spot where security teams may not see the malicious activity occurring within a trusted partner environment.
What are the long-term consequences of this data theft?
The theft of business contact information and sales communications creates a specific risk for follow-on attacks. As noted by several affected organizations, this data is highly valuable for crafting sophisticated phishing and social engineering campaigns. Because the stolen data includes authentic business records, attackers can impersonate vendors or partners with extreme accuracy. This shift suggests that extortion groups are moving away from simple encryption-based ransomware and toward “data-only” extortion, where the threat is not the loss of systems, but the public release of competitive intelligence.

Frequently Asked Questions
- Was the core Klue platform compromised? No. Klue stated that there is no evidence of unauthorized access to customer content stored directly within the Klue platform; the incident was isolated to third-party integrations.
- How did Icarus contact victims? The group used the Session messaging platform to communicate with affected organizations, demanding payment to prevent the leakage of stolen data.
- What should affected organizations do? Experts recommend rotating all OAuth tokens, reviewing API logs for anomalous query volumes, and notifying potentially impacted customers if their contact information was part of the exfiltrated records.
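One way to implement the API-log review recommended above, as an added example that is not Klue's, Huntress's or ReliaQuest's code: it buckets a constructed Salesforce-style API log per connected-app identity and hour, then flags hours whose call volume is far above that identity's own median, the shape a scripted bulk pull through a stolen integration token would leave behind. The record layout, field order, thresholds and identity names are assumptions for this example, not Salesforce's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

SPIKE_FACTOR = 5      # an hour must exceed 5x the app's median hourly volume
MIN_SPIKE_COUNT = 50  # ...and contain at least this many calls (ignore tiny apps)

def _parse_ts(ts):
    # Accept both "...Z" and "...+00:00" suffixes.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def hourly_counts(records):
    """Count API calls per (connected app, hour bucket). Record = (ts, app, user, op)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, app, _user, _op in records:
        hour = _parse_ts(ts).replace(minute=0, second=0, microsecond=0)
        counts[app][hour] += 1
    return counts

def find_spikes(records, factor=SPIKE_FACTOR, min_count=MIN_SPIKE_COUNT):
    """Return [(app, hour_iso, count, baseline)] for hours far above the app's median."""
    spikes = []
    for app, per_hour in hourly_counts(records).items():
        baseline = median(per_hour.values())
        for hour, count in sorted(per_hour.items()):
            if count >= min_count and count > factor * baseline:
                spikes.append((app, hour.isoformat(), count, baseline))
    return spikes

def _constructed_log():
    """Constructed sample (assumed format): steady integration cadence, then a bulk pull."""
    log = []
    start = datetime(2024, 5, 1, 0, 0)   # naive clock time, tagged UTC below with "Z"
    for h in range(24):                   # normal behaviour: 4 calls per hour, all day
        for i in range(4):
            log.append(((start + timedelta(hours=h, minutes=15 * i)).isoformat() + "Z",
                        "klue-integration", "svc_klue", "query"))
    burst = datetime(2024, 5, 1, 13, 0)   # 120 extra calls inside one hour
    for i in range(120):
        log.append(((burst + timedelta(seconds=30 * i)).isoformat() + "Z",
                    "klue-integration", "svc_klue", "query"))
    return log

if __name__ == "__main__":
    for app, hour, count, baseline in find_spikes(_constructed_log()):
        print(f"SPIKE {app} {hour}: {count} calls vs baseline {baseline}")
```

The constructed log yields one flagged hour (13:00, 124 calls against a baseline of 4); in practice the baseline should be computed over a longer window than the period being inspected.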