Salesforce Disables Klue Integration Following Data Exfiltration by Icarus Extortion Group
A security incident at competitive intelligence firm **Klue** has prompted **Salesforce** to disable its app integration, impacting numerous customers. The **Icarus** extortion group exploited a legacy credential to access OAuth tokens, leading to the exfiltration of sensitive CRM data from connected **Salesforce** environments. Cybersecurity firms like **Huntress**, **Jamf**, **Recorded Future**, and **Tanium** are among the confirmed victims.
Cloud-based software giant **Salesforce** has announced that it has disabled the **Klue Battlecards** app integration within its platform, effective immediately. The action follows a security incident at **Klue**, a competitive intelligence company, on June 11, 2026.
Organizations will be unable to connect to **Salesforce** via the **Klue** app until further notice.
"**Salesforce** took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app's connection to **Salesforce**," the company stated in an alert. "This issue is limited to **Klue's** app connection and does not arise from a vulnerability within the **Salesforce** platform."
### The Icarus Breach and Data Exfiltration
The incident comes as an extortion group dubbed **Icarus** successfully compromised and exfiltrated data from **Klue** customers, including cybersecurity firm **Huntress**.
"The data that was copied from our **Salesforce** account includes business contacts, price quotes, and other sales-related data and messaging," **Huntress** confirmed. "No threat data, passwords, payment card information, or engineering data relating to the **Huntress** agent or telemetry we collect was affected."
**Klue**, in its own update, reported detecting unauthorized activity affecting a portion of its integration infrastructure on June 12, 2026. Attackers gained access through a compromised legacy credential linked to an integration service.
"The attacker used that access to obtain OAuth tokens used to connect **Klue** with certain third-party platforms, including **Salesforce**, and subsequently accessed data within a number of connected customer environments," said **Klue** CEO **Jason Smith**. "Based on our investigation to date, the incident was limited to the affected third-party platforms, and there is no evidence that customer content stored within the **Klue** platform was impacted."
### Attack Vector: OAuth Token Abuse
The intrusion allowed the threat actor to push a code update capable of collecting the OAuth tokens customers use to connect **Klue** to their systems. In response, **Klue** has revoked the affected credentials and tokens, removed the unauthorized code, cut off the attacker's remote access, disabled potentially impacted integrations, and launched a comprehensive investigation.
By June 16, 2026, some **Huntress** employees had received an email with the subject line "top secret email" and a warning: "Your **Salesforce** data has been downloaded ... You have 48 hours to communicate with us. Do the right decision."
"The threat actor seems to have leveraged a long-disused but still active credential to conduct the initial compromise, one that was originally created by **Klue** for them to prototype a third-party integration they later abandoned," **Klue** explained. "The threat actor then pivoted into **Klue's** infrastructure to steal the tokens used by **Klue's** customers, then used those stolen credentials to query those customers' CRM tools directly and, eventually, to exfiltrate the data."
### Icarus and Similar Campaigns
Little is known about **Icarus**, which has been active since April 28, 2026, and has claimed two victims to date. The data theft campaign mirrors prior attack waves by groups such as **ShinyHunters** and **UNC6395**.
**ReliaQuest**, in its analysis of the **Klue** integration abuse, noted similarities with the third-party OAuth-abuse playbook seen in the **Salesloft Drift** and **Gainsight** compromises that targeted **Salesforce** environments last year.
"In the attacks we observed, the adversary first authenticated through a compromised **Klue** integration service account, generated OAuth tokens, and ran automated Python scripts (identifiable by Python-urllib user-agent strings)," **ReliaQuest** researchers **Thassanai McCabe** and **Alexa Feminella** stated.
These scripts first enumerated the organization's object catalog via `GET /services/data/v59.0/sobjects`, then looped REST API queries against the **Salesforce** query endpoint (`/services/data/v59.0/query`), paginating through result sets for almost 24 hours. **ReliaQuest** assesses this activity as bulk data retrieval designed to pull large volumes of CRM records through the **Salesforce** REST API, including a "concentrated burst" of nearly a thousand queries in 15 minutes in one environment and an extraction window lasting over six hours in another.
The exact number of **Salesforce** customers affected remains unclear, though **Klue** is reportedly communicating directly with impacted customers.
"The common thread is the abuse of OAuth tokens or credentials from a trusted third-party vendor," **ReliaQuest** highlighted. "These integrations are non-human identities with persistent, often broad access to sensitive data, yet they are typically monitored far less closely than employee accounts. That gap is why a 24-hour automated query loop could run from a 'trusted' integration account without tripping the usual alarms."
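The query pattern **ReliaQuest** describes above (catalog enumeration via `/sobjects`, a scripted client identifiable by its `Python-urllib` user agent, and a long loop of paginated `/query` requests) is detectable from API access logs if someone actually looks at integration identities. The following is an added example written for this article, not code from **Klue**, **Salesforce** or **ReliaQuest**. It runs over a constructed, tab-separated access log with an assumed schema (timestamp, user, user-agent, method, URI); real **Salesforce** event log files use their own field names, and the user names, times, cursor identifiers and thresholds are all invented for the example.

```python
"""Flag bulk CRM extraction through an integration (non-human) identity.

Added example for this article, not Klue's, Salesforce's or ReliaQuest's
code. Input is a constructed, tab-separated API access log with an assumed
schema (timestamp, user, user-agent, method, URI). The detection looks for
the pattern the article describes: an automated client enumerating
/sobjects, then looping paginated /query requests in a burst or for hours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500                    # assumed; tune to your org's baseline
SUSTAINED_THRESHOLD = timedelta(hours=6)
MIN_PAGED_FOR_SCRIPT = 100               # assumed
AUTOMATION_UA = re.compile(r"^(python-urllib|python-requests|curl|go-http-client)", re.I)
QUERY_PATH = re.compile(r"^/services/data/v\d+\.\d+/query(?:/[^/?]+)?(?:\?|$)")
SOBJECTS_PATH = re.compile(r"^/services/data/v\d+\.\d+/sobjects/?$")


def constructed_log():
    """Constructed sample: one analyst in a browser, one integration user
    behaving like the campaign. Names, times and cursor ids are invented."""
    base = datetime(2026, 6, 13, 1, 0, tzinfo=timezone.utc)
    rows = []

    def add(ts, user, ua, uri):
        rows.append("\t".join([ts.strftime("%Y-%m-%dT%H:%M:%SZ"), user, ua, "GET", uri]))

    for h in range(8):                   # a few interactive queries across a shift
        add(base + timedelta(hours=h), "alice@example.com",
            "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0",
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Case+LIMIT+20")

    bot = "klue-integration@example.com"
    add(base, bot, "Python-urllib/3.11", "/services/data/v59.0/sobjects")
    ts = base
    for i in range(900):                 # ~900 requests inside 15 minutes
        ts += timedelta(seconds=1)
        if i % 10 == 0:                  # a fresh SOQL query ...
            uri = "/services/data/v59.0/query?q=SELECT+Id,Name,Email+FROM+Contact"
        else:                            # ... then walking nextRecordsUrl-style cursors
            uri = f"/services/data/v59.0/query/01gXXXXXXXXXXXX-{2000 * (i % 10)}"
        add(ts, bot, "Python-urllib/3.11", uri)
    return rows


def parse(lines):
    """Parse the assumed tab-separated schema into dicts with aware timestamps."""
    records = []
    for line in lines:
        ts, user, ua, method, uri = line.rstrip("\n").split("\t")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ua": ua, "method": method, "uri": uri,
        })
    return records


def max_in_window(times, window=WINDOW):
    """Largest number of requests falling inside any sliding window (two pointers)."""
    times = sorted(times)
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def profile_user(records):
    times = [r["ts"] for r in records]
    queries = [r for r in records if QUERY_PATH.match(r["uri"])]
    return {
        "requests": len(records),
        "enumerated_catalog": any(SOBJECTS_PATH.match(r["uri"]) for r in records),
        "query_requests": len(queries),
        "paginated_requests": sum(1 for r in queries if "/query/" in r["uri"]),
        "automation_agent": any(AUTOMATION_UA.match(r["ua"]) for r in records),
        "max_15min_burst": max_in_window(times),
        "span": max(times) - min(times),
    }


def flag(profile):
    """Return the reasons an identity looks like bulk extraction (empty if clean)."""
    reasons = []
    if profile["enumerated_catalog"] and profile["query_requests"]:
        reasons.append("catalog enumeration followed by queries")
    if profile["max_15min_burst"] >= BURST_THRESHOLD:
        reasons.append(f"{profile['max_15min_burst']} requests in 15 min")
    if profile["span"] >= SUSTAINED_THRESHOLD and profile["paginated_requests"]:
        reasons.append("sustained pagination over many hours")
    if profile["automation_agent"] and profile["paginated_requests"] >= MIN_PAGED_FOR_SCRIPT:
        reasons.append("scripted client paging through result sets")
    return reasons


def analyze(lines):
    by_user = defaultdict(list)
    for r in parse(lines):
        by_user[r["user"]].append(r)
    return {u: {"profile": profile_user(rs), "reasons": flag(profile_user(rs))}
            for u, rs in by_user.items()}


if __name__ == "__main__":
    for user, result in analyze(constructed_log()).items():
        print(user, result["reasons"] or "no findings")
```

The point of profiling per identity rather than per request is the one **ReliaQuest** makes: a single `/query` call from a connected app is normal, while enumeration followed by hundreds of cursor walks from a `Python-urllib` client is not, and the same baseline should be applied to integration accounts as to employees.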
### Update: Icarus Claims Responsibility, More Victims Emerge
On June 19, 2026, **Icarus** listed **Klue** on its leak site, publicly claiming responsibility for the breach.
"As you've probably already heard, Klue.com has been impacted by us recently," a message on **Icarus**' leak site reads. "A number of other companies' **Salesforce** instances, which were partners to **Klue**, were exfiltrated. We advise **Klue** to contact us for a swift resolution, in order not to affect the companies you work with. On the other note, if **Klue** doesn't want to accommodate this request, we advise the companies who want to protect their data to contact us via Session."
Following the incident, several other security vendors have publicly confirmed that they were affected:
* **Jamf**: Impact limited to business data fields within the **Salesforce** environment.
* **Recorded Future**: Impact limited to business data fields stored in their **Salesforce** database, such as client contact names and email addresses, along with certain business contract information.
* **Tanium**: Compromised information includes sales account data (opportunity names and values, sales-related messaging) and business contact information stored in **Salesforce** (names, job titles, email addresses, and in some cases phone numbers, social media contact details, and business addresses).
"SaaS supply chain breaches are accelerating," **Obsidian Security** commented. "Threat actors have shifted from targeting individual organizations to targeting the SaaS vendors those organizations trust, because compromising one vendor means access to hundreds of enterprise environments at once."
"When the attacker gained access to **Klue's** OAuth tokens, they didn't need a password, an MFA code, or a phished employee. They had the token. From **Salesforce's** perspective, that token is **Klue**. So access was granted and CRM records were queried at scale. Login activity did occur, but it came from infrastructure with no connection to **Klue's** legitimate environment."