Market intelligence provider Klue has confirmed a security incident involving the theft of OAuth tokens used to connect its platform with customer Salesforce environments, as a newly emerging extortion group known as “Icarus” publicly claims responsibility for the campaign. The breach has triggered a widening investigation after multiple cybersecurity firms linked the activity to compromised Klue integrations that enabled unauthorized access to customer CRM data.
Klue CEO Jason Smith stated that the company detected suspicious activity on June 12 within a portion of its integration infrastructure. According to the investigation, attackers gained access through a compromised legacy credential tied to an integration service and used it to extract OAuth tokens associated with third-party connections, including Salesforce. These tokens were then leveraged to access data within multiple customer environments connected through Klue’s integration layer.
Security researchers at Huntress and ReliaQuest reported that the attackers systematically abused the stolen OAuth credentials to query Salesforce APIs over extended periods, exfiltrating sensitive business data. In at least one confirmed case, Huntress disclosed that its own Salesforce instance was affected, with stolen information including customer contacts, sales communications, pricing data, and other business records. Klue has since revoked affected credentials, disabled compromised integrations, and brought in external incident response support while stating there is no evidence that data stored directly within its core platform was impacted.
The Icarus group has since claimed responsibility for the operation on its leak site, stating that data was stolen not only from Klue but also from multiple downstream organizations connected through Salesforce integrations. Since the initial disclosures, additional victims—including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity—have confirmed exposure, though most emphasize that only Salesforce-linked data was affected. Several companies have warned that the stolen information could be used in phishing and social engineering campaigns, urging heightened vigilance among customers and partners.
