# Klue OAuth Breach Exposes Salesforce Data to 'Icarus' Extortion Group
Market intelligence platform **Klue** has been hit by an OAuth breach, allowing a new threat actor known as 'Icarus' to steal sensitive **Salesforce CRM** data from multiple organizations. This ongoing campaign involves the exfiltrated data being used for extortion, prompting **Salesforce** to disable the **Klue Battlecards** integration.
A significant security incident has impacted market intelligence platform **Klue**, leading to the theft of **Salesforce CRM** data from numerous organizations. The breach, attributed to a relatively new extortion group dubbed 'Icarus,' leverages stolen OAuth credentials to access and exfiltrate sensitive customer information.
Cybersecurity firms **ReliaQuest** and **Huntress** have both published reports confirming the incident, with **Huntress** explicitly stating that its own **Salesforce** data was compromised in the attack.
In response to the breach, **Salesforce** has taken immediate action, disabling the connection between the **Klue Battlecards** app and its platform. "To protect our customers, **Salesforce** has disabled the connection between the **Klue Battlecards** app, installed by individual customers, and **Salesforce** as part of our response to a recent security incident," **Salesforce** warned, adding that organizations will be unable to connect via the app until further notice.
## Stolen OAuth Credentials Fuel Data Theft
**ReliaQuest**'s investigation revealed that the attackers gained access to **Klue Battlecards** integration service accounts. They then used associated OAuth tokens for customer **Salesforce** instances to carry out the data theft.
Researchers observed the threat actors generating OAuth tokens and employing automated Python scripts to query **Salesforce**'s REST API for nearly 24 hours. The attack began with reconnaissance, mapping an organization's **Salesforce** instances through the `/services/data/v59.0/sobjects` endpoint, before proceeding to exfiltrate data using the `/services/data/v59.0/query` endpoint.
**ReliaQuest** noted that in one instance, attackers meticulously mapped **Salesforce** objects to identify valuable data before rapidly exfiltrating it. "The attacker then hit the same endpoint, sending almost a thousand queries in a 15-minute window in at least one environment," **ReliaQuest** explained. "Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records. In another case, the exfiltration was observed over 6 hours."
While the activity bore resemblance to previous **Salesforce** third-party integration attacks by the **ShinyHunters** extortion group, sources indicate that **ShinyHunters** is not behind this particular campaign. Instead, the 'Icarus' group is responsible, having already initiated extortion demands to affected **Klue** customers.
## 'Icarus' Extortion Campaign Underway
Extortion emails, sent under the alias "mr bean," include a **Session Messenger ID** for victims to contact the threat actors. The 'Icarus' data leak site also features an ominous message hinting at the campaign: "Get Ready," stating, "big corps getting listed. be ready."
**Icarus** is believed to have launched in April 2026. **Huntress** confirmed it was among the impacted organizations, receiving a similar extortion email, which further solidified the attribution to **Icarus**.
According to **Huntress**, **Klue** informed customers that attackers initially compromised **Klue**'s backend systems. They then pushed a malicious code update designed to steal OAuth tokens used by customers to integrate the **Battlecards** product with third-party platforms. The attackers reportedly exploited a dormant but active credential created by **Klue** for a prototype integration. After gaining access to **Klue**'s environment, they stole customer OAuth tokens and used them to directly query connected **Salesforce** environments.
**Klue** has since disabled integrations with **Salesforce**, **HubSpot**, **SharePoint**, **Zoom**, **Gong**, **Chorus**, **Clari**, **Google Drive**, and **Slack** as part of its incident response.
**Huntress** noted that the stolen data includes CRM-related information such as business contacts, sales communications, price quotes, competitive intelligence reports, and account data. Crucially, there was no evidence of compromise to threat intelligence, customer telemetry, passwords, payment card information, or engineering systems.
## Recommended Actions
Both **ReliaQuest** and **Huntress** have shared IP addresses associated with the attacks:
* `138.226.246.94`
* `212.86.125.24`
* `213.111.148.90`
* `94.154.32.160`
Organizations utilizing **Klue** integrations are strongly advised to:
* Review **Salesforce** and related SaaS logs for activity originating from these IP addresses.
* Revoke and rotate OAuth tokens associated with **Klue** integrations.
* Terminate active sessions.
* Review **Salesforce** logs for any unusual API activity.
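The checks above can be scripted. The following is an added example (not code from the article, ReliaQuest, Huntress, Klue or Salesforce) that hunts an API access log for the three signals the reports describe: requests from the published IP addresses, the `/sobjects` reconnaissance followed by `/query` calls, and a burst of query calls inside a 15-minute window. It assumes a simplified, hypothetical log format of `<ISO timestamp> <client ip> <user> <request path>`; real Salesforce event logs carry more fields, so map them onto those four before running it. The sample log lines are constructed, and the burst threshold of 100 queries per window is an assumed tuning value.

```python
"""Hunt a Salesforce-style API log for the signals described in the Klue/Icarus reports.

Assumed (hypothetical) log line format: "<ISO timestamp> <client ip> <user> <request path>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# IP addresses published by ReliaQuest and Huntress (taken from the article).
REPORTED_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

SOBJECTS_PATH = "/services/data/v59.0/sobjects"   # reconnaissance endpoint named in the report
QUERY_PATH = "/services/data/v59.0/query"         # exfiltration endpoint named in the report
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _constructed_log():
    """Build constructed sample lines: normal traffic, a recon-then-burst from a reported IP,
    and a same-shaped burst from an address that is NOT on the published list."""
    lines = ["2026-05-02T09:00:00Z 10.0.0.8 sync@corp.example " + QUERY_PATH]
    lines.append("2026-05-02T10:00:00Z 138.226.246.94 klue-int@corp.example " + SOBJECTS_PATH)
    lines.append("2026-05-02T10:00:30Z 138.226.246.94 klue-int@corp.example " + SOBJECTS_PATH + "/Account/describe")
    base = datetime(2026, 5, 2, 10, 1, 0)
    for i in range(120):  # 120 queries in ~10 minutes
        lines.append(f"{(base + timedelta(seconds=5 * i)).strftime(TS_FMT)} 138.226.246.94 klue-int@corp.example {QUERY_PATH}")
    base = datetime(2026, 5, 3, 2, 0, 0)
    for i in range(150):  # 150 queries in ~10 minutes from an unlisted address (203.0.113.0/24 is documentation space)
        lines.append(f"{(base + timedelta(seconds=4 * i)).strftime(TS_FMT)} 203.0.113.77 klue-int@corp.example {QUERY_PATH}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Parse the assumed four-field format into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, path = line.split(maxsplit=3)
        records.append({"ts": datetime.strptime(ts, TS_FMT), "ip": ip, "user": user, "path": path})
    return records


def hits_from_reported_ips(records, ips=REPORTED_IPS):
    """Records whose client IP is on the published indicator list."""
    return [r for r in records if r["ip"] in ips]


def query_bursts(records, window=timedelta(minutes=15), threshold=100):
    """Sliding window per client IP over /query calls.
    Returns {ip: peak queries in any window} for IPs whose peak reaches the threshold."""
    by_ip = defaultdict(list)
    for r in records:
        if r["path"].startswith(QUERY_PATH):
            by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def recon_then_query(records):
    """IPs that enumerated /sobjects before issuing their first /query call (the two-stage pattern)."""
    first_sobjects, first_query = {}, {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["path"].startswith(SOBJECTS_PATH):
            first_sobjects.setdefault(r["ip"], r["ts"])
        elif r["path"].startswith(QUERY_PATH):
            first_query.setdefault(r["ip"], r["ts"])
    return sorted(ip for ip in first_sobjects if ip in first_query and first_sobjects[ip] < first_query[ip])


def triage(text):
    """Run all three checks over a log text and return the findings."""
    records = parse_log(text)
    return {
        "reported_ip_hits": sorted({r["ip"] for r in hits_from_reported_ips(records)}),
        "bursts": query_bursts(records),
        "recon_then_query": recon_then_query(records),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The rate check is kept separate from the indicator match on purpose: the burst from `203.0.113.77` in the constructed sample is flagged even though that address is not on the published list, which is the point of the "unusual API activity" review rather than a pure indicator sweep. The `recon_then_query` check only orders first occurrences per IP, so it is a triage hint to pair with token revocation and session termination, not proof of exfiltration on its own.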