Market intelligence platform Klue has disclosed a breach through its OAuth integration that allowed a threat group tracked as "Icarus" to exfiltrate Salesforce CRM data from multiple downstream organizations. The breach has been tied to an active extortion campaign targeting Klue's enterprise customer base.
What Happened
Attackers obtained OAuth tokens that Klue held for its Salesforce integrations and used them to access connected Salesforce instances. Because those tokens were valid grants issued to Klue's connected app, the requests looked like routine integration traffic rather than a compromised login, and the Icarus group was able to pivot from Klue's environment into customers' CRM data, including contact records, deal pipelines, and potentially sensitive business intelligence.
The breach is described as part of an ongoing campaign, with affected organizations receiving extortion demands as the group threatens to publish or sell stolen data.
OAuth as an Attack Vector
This incident continues a growing trend of threat actors targeting OAuth integrations between SaaS platforms rather than attempting direct breaches. When a vendor like Klue holds OAuth refresh tokens with broad scopes, a single compromise can fan out across an entire customer base.
Key characteristics of the Icarus technique include:
- Token harvesting from the integration layer rather than user credentials
- Lateral movement from one SaaS platform to connected platforms via authorized app chains
- Low-noise persistence — OAuth tokens are long-lived and rarely audited for suspicious usage patterns
Impact Assessment
While Klue has not disclosed exact victim counts, the attack affected multiple enterprise customers who had Salesforce integrated via Klue's market intelligence workflows. Salesforce data exposed in these incidents typically includes:
- Sales pipeline and deal stage information
- Customer contact details and account hierarchies
- Internal notes, activity logs, and competitive intelligence
The extortion element suggests the Icarus group is prioritizing monetization over espionage — a pattern consistent with financially motivated ransomware-adjacent actors.
Mitigation Steps
Organizations using Klue or similar market intelligence platforms with Salesforce integrations should take the following actions immediately:
- Audit connected OAuth applications in Salesforce Setup → Connected Apps; the Connected Apps OAuth Usage page lists every app that holds active tokens and how many users have authorized it
- Revoke the Klue connected app's existing tokens before re-authorizing it, then do the same for other third-party integrations; revocation invalidates the refresh token, so the attacker can no longer mint new access tokens from it
- Review Salesforce login history and API usage logs for access attributed to the integration from IP addresses outside the vendor's published ranges, and for bursts of API logins at unusual hours
- Enable Salesforce Shield Event Monitoring if not already active, so that API calls, report exports and logins are logged per user and can be reviewed after the fact
- Contact Klue for incident-specific guidance on affected tenants
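The triage the list above describes, and the "low-noise persistence" pattern from the technique section, can be worked through on exported records. The script below is an added example for this article, not code from Klue, Salesforce or the cited report. It runs offline over two constructed record sets whose field names follow Salesforce's OauthToken object (AppName, UserId, UseCount, LastUsedDate) and LoginHistory object (LoginTime, UserId, SourceIp, Status, Application); the vendor app label "Klue Connector", its assumed egress range (a documentation network) and every row are hypothetical. It produces the revocation worklist for the vendor app, the logins attributed to that app from outside the vendor's range, and per-user hourly bursts of app logins, which is how bulk extraction through a stolen refresh token tends to show up.

```python
"""Post-incident triage of a vendor OAuth integration in Salesforce.

Added example for this article, not code from Klue, Salesforce or the
cited report. It runs offline over two record sets exported from a
Salesforce org: OauthToken rows (one per issued token) and LoginHistory
rows. The vendor app name, its egress range and every row below are
constructed for the demo.
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical vendor app label and the egress range it is assumed to have
# published for its integration (TEST-NET-3, a documentation range).
VENDOR_APP = "Klue Connector"
VENDOR_RANGES = [ip_network("203.0.113.0/24")]

# Constructed OauthToken export. The integration user's token has been used
# far more than the analyst's, which by itself proves nothing.
OAUTH_TOKENS = [
    {"AppName": "Klue Connector", "UserId": "005000000000001", "UseCount": 412,
     "LastUsedDate": "2026-03-10T09:12:00Z"},
    {"AppName": "Klue Connector", "UserId": "005000000000002", "UseCount": 9870,
     "LastUsedDate": "2026-03-11T02:59:00Z"},
    {"AppName": "Slack", "UserId": "005000000000001", "UseCount": 77,
     "LastUsedDate": "2026-03-09T16:30:00Z"},
]


def _login(ts, user, ip, app="Klue Connector", status="Success"):
    return {"LoginTime": ts, "UserId": user, "SourceIp": ip,
            "Status": status, "Application": app}


# Constructed LoginHistory export. Normal integration traffic comes from the
# vendor range during business hours; the 02:40-02:59 run comes from an
# address outside that range.
LOGIN_HISTORY = [
    _login("2026-03-10T09:12:00Z", "005000000000002", "203.0.113.7"),
    _login("2026-03-10T13:12:00Z", "005000000000002", "203.0.113.7"),
    _login("2026-03-10T17:12:00Z", "005000000000002", "203.0.113.9"),
    _login("2026-03-10T16:30:00Z", "005000000000001", "192.0.2.5", app="Slack"),
] + [
    _login(f"2026-03-11T02:{m:02d}:00Z", "005000000000002", "198.51.100.23")
    for m in range(40, 60)
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def tokens_to_revoke(tokens, app):
    """Every token issued to the compromised vendor app, regardless of use.

    Revocation is per token, so the full list is the worklist: a refresh
    token that was never used is still a valid credential for the attacker.
    """
    return [t for t in tokens if t["AppName"] == app]


def foreign_source_logins(logins, app, ranges):
    """Successful logins attributed to the app from outside its egress ranges."""
    def known(ip):
        return any(ip_address(ip) in net for net in ranges)
    return [r for r in logins
            if r["Application"] == app and r["Status"] == "Success"
            and not known(r["SourceIp"])]


def hourly_bursts(logins, app, threshold=20):
    """(user, hour, count) buckets where one user's app logins reach threshold.

    Bulk extraction through a refresh token shows up as a run of token
    exchanges and API logins packed into a short window.
    """
    buckets = Counter()
    for r in logins:
        if r["Application"] != app or r["Status"] != "Success":
            continue
        hour = _ts(r["LoginTime"]).strftime("%Y-%m-%dT%H:00Z")
        buckets[(r["UserId"], hour)] += 1
    return sorted((u, h, n) for (u, h), n in buckets.items() if n >= threshold)


def triage(tokens=OAUTH_TOKENS, logins=LOGIN_HISTORY,
           app=VENDOR_APP, ranges=VENDOR_RANGES):
    """Run the three checks; "revoke" is the per-token revocation worklist."""
    foreign = foreign_source_logins(logins, app, ranges)
    return {
        "revoke": tokens_to_revoke(tokens, app),
        "foreign_ips": sorted({r["SourceIp"] for r in foreign}),
        "foreign_users": sorted({r["UserId"] for r in foreign}),
        "bursts": hourly_bursts(logins, app),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The burst threshold and the vendor IP ranges are the two knobs worth tuning against a week of baseline exports before an incident; on the constructed data the foreign-IP check and the burst check both land on the same user and hour, which is the correlation an analyst wants before escalating to Klue with the affected tenant and user IDs.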
Broader Context
The Icarus group joins a growing list of threat actors — including the Coinbase extortion cartel and groups behind the Grafana and GitHub breaches earlier in 2026 — that have pivoted to targeting the interconnected SaaS supply chain rather than attacking infrastructure directly.
OAuth sprawl, where enterprises accumulate dozens of third-party integrations with excessive scopes and no rotation policies, remains one of the highest-risk unmanaged attack surfaces in modern enterprise environments.
Source: BleepingComputer