What happened
Market intelligence platform Klue confirmed a security incident after attackers gained access to part of its integration infrastructure and stole OAuth tokens used to connect customer environments to third-party platforms, including Salesforce.
The disclosure follows reports from Huntress and ReliaQuest describing attacks in which compromised Klue Battlecards integrations were used to access Salesforce CRM data belonging to multiple organizations.
Klue said it discovered the unauthorized activity on June 12. According to the company, the attackers gained access through a compromised legacy credential associated with an integration service. From there they obtained the OAuth tokens Klue used to connect to customer Salesforce environments and used those tokens to access data in a number of connected organizations.
Klue said there is no evidence that customer content stored directly within the Klue platform was affected. The company stated that the incident was limited to third-party integrations. After discovering the breach, Klue revoked affected credentials and OAuth tokens, removed unauthorized code, disabled impacted integrations, engaged CrowdStrike to assist with the investigation, and notified law enforcement.
The incident has since been claimed by the relatively new Icarus extortion group. The attackers posted Klue on their leak site and claimed they had exfiltrated Salesforce data from multiple organizations connected to Klue. They also threatened to extort affected companies individually if Klue did not reach an agreement with them.
Several organizations have since confirmed they were affected by the incident, while Salesforce disabled the Klue Battlecards integration as the investigation continues.
Who is affected
Klue customers using the Battlecards Salesforce integration are directly affected.
Organizations that connected Salesforce to Klue through OAuth integrations may have had CRM data accessed through stolen OAuth tokens. Multiple companies have already confirmed they were impacted, while others continue to investigate the scope of the incident.
The affected data varies by organization but may include Salesforce CRM records such as business contacts, sales communications, subscription information, opportunity notes, and other customer relationship data.
Why CISOs should care
This incident demonstrates the growing risk posed by third-party OAuth integrations. Rather than attacking Salesforce directly, the attackers compromised an integration provider, stole OAuth tokens, and used those already-trusted connections to access customer CRM environments.
CISOs should treat OAuth tokens with the same level of protection as privileged credentials. Once compromised, a token provides persistent API access to a cloud platform without the attacker ever needing a username, password, or MFA code; in Salesforce the token acts with the full permissions of the user who authorized the connected app, so an integration authorized by an administrator exposes everything that administrator can read.
The attack also highlights software supply chain risk in SaaS ecosystems. Organizations may have strong security controls around their primary cloud platforms but remain exposed through connected third-party applications with broad permissions.
Finally, the incident illustrates how modern extortion groups are evolving. Rather than targeting only the software provider, Icarus threatened to extort individual downstream victims whose Salesforce data was allegedly accessed through the compromised integration.
3 practical actions
- Audit and minimize OAuth application permissions: Review every third-party OAuth integration connected to business platforms such as Salesforce (in Salesforce, the Connected Apps OAuth Usage page in Setup lists each app, the users who authorized it, and last-used dates). Remove unused applications, limit OAuth scopes to the minimum required, authorize integrations from a dedicated low-privilege integration user rather than an administrator account, and regularly review granted access.
- Revoke and rotate OAuth tokens after third-party security incidents: Klue revoked affected credentials and OAuth tokens after discovering the compromise, but a provider-side revocation is not something a customer can verify. Organizations using affected integrations should revoke the tokens themselves from the Salesforce side, reauthorize only the applications they still trust, and review login and API logs for suspicious activity in the window before revocation.
- Monitor cloud platforms for abnormal API activity: The attackers used stolen OAuth tokens to pull Salesforce data through legitimate APIs, so nothing failed and no alert fired by default. Security teams should baseline per-application API usage and alert on bulk queries or exports, access to objects an integration has no business reading, and connections from source addresses not previously seen for that application. In Salesforce this data comes from Login History and, where Event Monitoring is licensed, from EventLogFile records.
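The monitoring action above is easier to act on with a concrete detection pass. The following script is an added example, not code from Klue, Salesforce, Huntress, or ReliaQuest, and it runs over a handful of constructed API event log rows embedded inline. The column names (CONNECTED_APP, SOURCE_IP, ENTITY_NAME, ROWS_PROCESSED) and the per-app expected-object allowlist are assumptions for illustration; real Salesforce EventLogFile field names vary by event type. It flags three signals the article describes: an integration touching objects outside its documented scope, a source IP never before seen for that integration, and a row-volume spike against a median baseline built from the integration's own earlier activity.

```python
"""Baseline-and-flag detection over constructed Salesforce-style API event log rows.

Added example: the log format, column names, and EXPECTED_SCOPE allowlist are
assumptions for illustration, not Salesforce's actual EventLogFile schema.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample log. Rows 1-4 are normal daily syncs by an integration
# app; rows 5-7 model a stolen-token bulk pull from a new address at 2 a.m.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CONNECTED_APP,SOURCE_IP,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
2025-06-10T09:00:00Z,005xx0000001,Battlecards,203.0.113.10,Account,query,120
2025-06-10T10:00:00Z,005xx0000001,Battlecards,203.0.113.10,Opportunity,query,95
2025-06-11T09:00:00Z,005xx0000001,Battlecards,203.0.113.10,Account,query,130
2025-06-11T10:00:00Z,005xx0000001,Battlecards,203.0.113.10,Opportunity,query,110
2025-06-12T02:13:00Z,005xx0000001,Battlecards,198.51.100.7,Contact,queryAll,48000
2025-06-12T02:20:00Z,005xx0000001,Battlecards,198.51.100.7,Opportunity,queryAll,52000
2025-06-12T02:31:00Z,005xx0000001,Battlecards,198.51.100.7,Case,query,9000
2025-06-12T09:00:00Z,005xx0000002,SalesDashboard,192.0.2.5,Opportunity,query,200
"""

# Assumed allowlist: the objects each integration was documented as needing
# when its OAuth grant was approved. Anything else is a policy violation.
EXPECTED_SCOPE = {
    "Battlecards": {"Account", "Opportunity"},
    "SalesDashboard": {"Opportunity"},
}

VOLUME_MULTIPLIER = 10   # alert when a call processes >10x the app's median rows
MIN_HISTORY = 3          # need this many prior rows before judging volume


def parse_rows(text):
    """Parse CSV log text into dicts ordered oldest first (ISO timestamps sort lexically)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["TIMESTAMP"])
    return rows


def analyze(rows, expected_scope, multiplier=VOLUME_MULTIPLIER, min_history=MIN_HISTORY):
    """Walk rows chronologically, judging each against the app's history so far.

    Using the median rather than the mean keeps one huge exfiltration call from
    poisoning the baseline for the calls that follow it.
    """
    history = defaultdict(list)   # app -> rows processed per prior call
    seen_ips = defaultdict(set)   # app -> source IPs observed so far
    findings = []
    for r in rows:
        app, entity, ip = r["CONNECTED_APP"], r["ENTITY_NAME"], r["SOURCE_IP"]
        rows_processed = int(r["ROWS_PROCESSED"])
        reasons = []

        # 1. Object outside the integration's documented scope.
        if entity not in expected_scope.get(app, set()):
            reasons.append("out_of_scope")

        # 2. Source address never seen for this app (skip the app's very first row).
        if seen_ips[app] and ip not in seen_ips[app]:
            reasons.append("new_source_ip")

        # 3. Row volume far above the app's own median, once there is enough history.
        if len(history[app]) >= min_history:
            baseline = median(history[app])
            if rows_processed > multiplier * baseline:
                reasons.append("volume_spike")

        if reasons:
            findings.append({
                "timestamp": r["TIMESTAMP"], "app": app, "entity": entity,
                "source_ip": ip, "rows": rows_processed, "reasons": reasons,
            })

        # Update state only after judging the row, so a row cannot vouch for itself.
        history[app].append(rows_processed)
        seen_ips[app].add(ip)
    return findings


def run_example():
    """Run the detection over the constructed sample and return the findings."""
    return analyze(parse_rows(SAMPLE_LOG), EXPECTED_SCOPE)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['timestamp']} {f['app']:<14} {f['entity']:<12} "
              f"{f['rows']:>6} rows from {f['source_ip']:<13} -> {', '.join(f['reasons'])}")
```

Against the sample, only the three 2 a.m. rows are flagged: the first trips all three signals, the second (Opportunity, an in-scope object from an address now already seen) is caught by volume alone, and the third trips scope and volume. The first-ever row from SalesDashboard produces nothing, which is the intended trade-off: a brand-new integration has no history, so its initial grant should be reviewed at authorization time rather than by this baseline logic.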
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

