Icarus Group Steals Salesforce Data via Klue OAuth Breach
Threat actor group Icarus exploited an OAuth breach in the Klue Battlecards app to access and exfiltrate Salesforce CRM data from multiple customer organizations, including cybersecurity firm Huntress. Stolen information includes business contacts, sales communications, price quotes, and competitive intelligence. The campaign represents an ongoing supply-chain style attack on Salesforce integrations.
- salesforce data
- business contacts
- sales records
A threat actor group known as Icarus stole Salesforce customer data by exploiting an OAuth vulnerability in the Klue Battlecards application, gaining access to business contacts, sales records, communications, price quotes, and competitive intelligence from multiple organizations, including the cybersecurity company Huntress.
Public reporting from BleepingComputer and Dark Reading confirms the incident occurred through a supply-chain attack on the Klue app, which integrates with Salesforce CRM platforms. The attackers used compromised OAuth tokens to exfiltrate data without directly breaching Salesforce itself. Affected organizations remain undisclosed in full, and the precise number of individuals whose contact or sales information was taken is unknown. The campaign is described as ongoing, highlighting how third-party integrations can serve as entry points for broader data theft.
Want the rest of this breakdown?
Sign up free to keep reading. Members get extended access, the weekly breach digest, and a complimentary Warden™ to see if their identity is exposed in the breaches we cover.
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →