Market intelligence platform Klue suffered an OAuth breach that allowed the "Icarus" attackers to steal Salesforce CRM data from a number of organizations in an ongoing extortion campaign.
Yesterday, sources told BleepingComputer about the attack, saying that various organizations had their Salesforce data stolen and are now being extorted by a relatively new extortion group.
Cybersecurity firms ReliaQuest and Huntress have each released reports confirming the security incident, with Huntress saying its own Salesforce data was stolen in the attack.
Salesforce later disabled the Klue Battlecards integration on its platform while it investigated the breach.
Salesforce warned yesterday: "To protect our customers, as part of our response to recent security incidents, we have disabled the connection between the Klue Battlecards app installed by individual customers and Salesforce."
"As a result, your organization will no longer be able to connect to Salesforce via this app until further notice."
If you have information about this incident or other undisclosed attacks, please contact us confidentially via Signal at 646-961-3731 or tips@bleepingcomputer.com.
Stolen OAuth credentials used to steal Salesforce data
ReliaQuest reported that an attacker gained access to the Klue Battlecards integration service account and used an OAuth token associated with a customer's Salesforce instance to carry out data theft.
Researchers observed the attackers generating OAuth tokens and using automated Python scripts to query Salesforce's REST API for nearly 24 hours.
The activity began with reconnaissance of the organization's Salesforce instance via the "/services/data/v59.0/sobjects" endpoint before data was extracted using "/services/data/v59.0/query".
For one organization, ReliaQuest said, the attackers slowly mapped Salesforce objects to identify the valuable ones, then stole data as soon as they knew what they wanted.
"The attacker then hit the same endpoint, sending almost 1,000 queries in a 15-minute period in at least one environment," ReliaQuest explained.
"While the initial phase was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a transition to a targeted record. In another case, the leak was observed over a six-hour period."
Researchers said the activity was similar to earlier data theft attacks against Salesforce third-party integrations by the ShinyHunters extortion group, but they were unable to attribute this attack to that group.
However, BleepingComputer learned yesterday that ShinyHunters was not behind the attack, but rather a relatively new threat actor called "Icarus," which had already begun sending extortion emails to Klue customers affected by the breach.
The ransom note shared with BleepingComputer shows that the email was sent using the alias 'mr bean' and included a Session messenger ID as the point of contact.
[Image: Icarus extortion email sent to a Klue customer. Source: BleepingComputer]
The threat actor's data leak site also features a message hinting at an extortion campaign in a brief post titled "Get Ready," which states, "Big armies are listed. Get ready."
[Image: "Get Ready" post on the Icarus data leak site. Source: BleepingComputer]
Icarus is believed to have launched in April 2026 and initially listed two victims on its leak site, but BleepingComputer has learned that at least one of those victims is linked to the Klue campaign. That company has since been removed from the data leak site, possibly indicating that negotiations are ongoing.
Today, Huntress revealed that it was one of the organizations affected by the Klue breach and confirmed that it had received extortion emails similar to those seen by BleepingComputer. However, the Session ID used in subsequent emails was different and instead matched the one listed on the Icarus data leak site, further indicating that the group was behind the attack.
"In the first email, the adversary urged 'advising you to write to us in session,'" Huntress reported.
"The Session messenger IDs they provided matched the same values contained in a leaked dark web site for a new extortion group called 'Icarus.'"
Huntress said Klue told customers that the attackers first compromised the company's backend systems and then pushed a malicious code update that stole the OAuth tokens customers used to integrate Battlecards products with third-party platforms.
The attackers reportedly used dormant but still active credentials that Klue had created to integrate a prototype. After accessing Klue's environment, they stole the customer's OAuth token and used it to query the associated Salesforce environment directly.
Klue then disabled its integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while responding to the incident.
Huntress said the stolen data included CRM-related information such as business contacts, sales communications, price quotes, competitive intelligence reports, and account data.
The cybersecurity company said there is no evidence that its threat intelligence, customer telemetry, passwords, payment card information, or engineering systems were compromised.
Both ReliaQuest and Huntress have shared IP addresses linked to the attacks, listed below.
138.226.246.94
212.86.125.24
213.111.148.90
94.154.32.160
Organizations using the Klue integration are encouraged to review Salesforce and related SaaS logs for activity originating from these addresses, revoke and rotate OAuth tokens, terminate active sessions, and review Salesforce logs for unusual API activity.
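The two observable phases ReliaQuest describes (slow enumeration through the sobjects endpoint, then a burst of query calls) and the log review recommended above can be turned into a concrete check. The following Python script is an added example written for this page, not code from ReliaQuest, Huntress, Klue or Salesforce. It assumes log rows shaped like Salesforce RestApi event-log fields (TIMESTAMP, USER_ID, CLIENT_IP, URI); the sample rows are constructed, not real telemetry, and the burst threshold is an illustrative tuning value rather than a figure from the reports. The IP list is the one published in the article.

```python
"""Detection sketch for the Klue/Salesforce OAuth abuse pattern: known-IP hits,
sobjects enumeration, and /query bursts per (user, source IP).

Assumptions (not from the article): the row format below mirrors Salesforce
RestApi event-log fields; all sample rows are constructed; BURST_THRESHOLD is
a tuning choice for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IP addresses published by ReliaQuest and Huntress (taken from the article).
KNOWN_BAD_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

API_PREFIX = "/services/data/"
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 50  # illustrative value; tune to the tenant's normal integration rate


def is_sobjects_enum(uri):
    """Recon phase: listing or describing objects via /services/data/vNN.N/sobjects."""
    return uri.startswith(API_PREFIX) and "/sobjects" in uri


def is_query(uri):
    """Extraction phase: SOQL via /services/data/vNN.N/query (also matches queryAll)."""
    return uri.startswith(API_PREFIX) and "/query" in uri


def hits_from_known_ips(events):
    """Rows whose source address is on the published IP list."""
    return [e for e in events if e["CLIENT_IP"] in KNOWN_BAD_IPS]


def enumeration_sources(events):
    """Count sobjects enumeration calls per (user, ip); any non-trivial count from an
    integration service account deserves a look."""
    counts = defaultdict(int)
    for e in events:
        if is_sobjects_enum(e["URI"]):
            counts[(e["USER_ID"], e["CLIENT_IP"])] += 1
    return dict(counts)


def query_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window count of /query calls per (user, ip).

    Returns {(user, ip): peak_count} for every principal whose /query rate exceeded
    `threshold` calls within any span of length `window`.
    """
    windows = defaultdict(deque)
    peaks = {}
    for e in sorted(events, key=lambda x: x["TIMESTAMP"]):
        if not is_query(e["URI"]):
            continue
        key = (e["USER_ID"], e["CLIENT_IP"])
        q = windows[key]
        q.append(e["TIMESTAMP"])
        while q and e["TIMESTAMP"] - q[0] > window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def build_sample_events():
    """Constructed rows: slow sobjects recon from an integration service account on a
    listed IP, a later burst of /query calls from the same principal, and a little
    benign analyst traffic from an unrelated address."""
    base = datetime(2026, 4, 20, 9, 0, 0)  # constructed date
    svc, bad_ip = "005INTEGRATIONSVC", "212.86.125.24"  # placeholder user id, listed IP
    events = []
    for i in range(20):  # one describe call every 3 minutes for an hour
        events.append({"TIMESTAMP": base + timedelta(minutes=3 * i), "USER_ID": svc,
                       "CLIENT_IP": bad_ip,
                       "URI": f"/services/data/v59.0/sobjects/Object{i}/describe"})
    for i in range(120):  # 120 queries in ten minutes, two hours later
        events.append({"TIMESTAMP": base + timedelta(hours=2, seconds=5 * i), "USER_ID": svc,
                       "CLIENT_IP": bad_ip,
                       "URI": "/services/data/v59.0/query?q=SELECT+Id+FROM+Account"})
    for i in range(5):  # benign analyst queries from an office address (constructed)
        events.append({"TIMESTAMP": base + timedelta(minutes=10 * i), "USER_ID": "005ANALYST01",
                       "CLIENT_IP": "198.51.100.7",
                       "URI": "/services/data/v59.0/query?q=SELECT+Name+FROM+Contact"})
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("rows from listed IPs:", len(hits_from_known_ips(evs)))
    print("sobjects enumeration:", enumeration_sources(evs))
    print("query bursts:", query_bursts(evs))
```

The sliding window is the part worth keeping: a fixed per-hour count would have flagged neither the slow recon nor, depending on where the hour boundary fell, the short burst. Feed the functions real export rows with the same four fields and lower the threshold until the integration's normal daily pattern stops firing.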