Klue, a competitive intelligence platform used by enterprise sales teams, has publicly confirmed a security incident in which threat actors stole the OAuth tokens the platform used to connect to customers' Salesforce environments. The Icarus extortion group has publicly claimed the attack, and the victim list continues to grow as more organizations report exposure.
What Happened
Klue's market intelligence platform integrates directly with Salesforce CRM systems, allowing sales teams to surface competitive battlecard data alongside their deals and accounts. To enable this integration, Klue held OAuth access tokens that authorized its platform to query and read Salesforce data on behalf of customer organizations.
Attackers compromised Klue's infrastructure and exfiltrated these OAuth tokens. With the stolen tokens, they gained the ability to access the Salesforce environments of Klue's affected customers — including account records, contact data, pipeline information, and any other Salesforce objects the Klue integration had been authorized to read.
Klue has confirmed it has since revoked the compromised tokens and notified affected customers, but the window during which attackers held valid tokens allowed data to be extracted before revocation.
Icarus Claims the Campaign
The Icarus extortion group has publicly taken responsibility for the Klue breach. Icarus has been linked to a broader campaign targeting SaaS platforms that integrate with Salesforce — using compromised integration credentials to exfiltrate customer CRM data at scale before demanding ransom payments or threatening public disclosure.
This is not the first time Icarus has been connected to a breach in this campaign. The group has previously been linked to the compromise of other Salesforce-integrated applications, establishing a pattern: identify applications with broad, long-lived Salesforce OAuth access, compromise the application vendor's infrastructure, extract the tokens, and use them to pivot into the Salesforce environments of potentially hundreds of downstream customer organizations.
Security researchers tracking Icarus note that the group demonstrates strong knowledge of SaaS OAuth authentication flows and has specifically targeted competitive intelligence and sales enablement tools — categories of application that by design are granted extensive read access to Salesforce CRM data.
Growing Victim List
As of the Klue confirmation, the victim list for this specific breach is still being tallied. Several cybersecurity-adjacent organizations have already confirmed they were among Klue's Salesforce-integrated customers and are investigating what data was accessed through the stolen tokens.
The breadth of the exposure depends on two factors: how many customers had the Salesforce integration active, and what Salesforce objects and permissions those customers had granted the Klue integration. In environments where the OAuth authorization scope was broad — granting Klue access to contacts, accounts, opportunities, and custom objects — the potential data exposure is correspondingly wide.
The OAuth Sprawl Problem
The Klue breach is the latest in a series of incidents highlighting what security practitioners call SaaS-to-SaaS OAuth sprawl: the accumulation of third-party application integrations that hold persistent, broadly-scoped OAuth tokens authorizing access to core business platforms like Salesforce, Microsoft 365, and Google Workspace.
Each integration represents a new entry point. A breach at any one of them can cascade into the environments of all of that application's customers. Salesforce access tokens expire with the session, but the refresh tokens an integration uses to obtain new ones are commonly issued under a "valid until revoked" policy, so a stolen refresh token stays usable until an administrator explicitly revokes it. Organizations also frequently have no monitoring in place to detect that their Salesforce data is being read through a legitimate-looking connected app.
Key factors that amplify the risk in this class of attack:
Overly permissive scopes: Many SaaS integrations request — and receive — broader Salesforce access than they strictly require. Competitive intelligence tools often request read access to all standard objects to ensure battlecard context is available wherever sales reps work.
No token rotation: The refresh tokens issued to SaaS integrations are rarely rotated. A token issued when the integration was first authorized may still be valid months or years later.
Weak revocation capability: When a third-party vendor is breached, organizations often lack an established process to quickly identify and revoke all tokens for that integration, allowing attackers to continue using valid tokens even after the vendor breach is detected.
Limited audit logging: While Salesforce does provide connected app access logs, few organizations actively monitor them for anomalous bulk data access through legitimate OAuth apps.
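The four factors above can be turned into a simple triage of a connected-app inventory. The script below is an added example (not code from the article, from Klue, or from Salesforce): it scores each authorized app on scope breadth, token age and staleness, and orders the list so the riskiest authorizations are revoked first. The inventory rows are constructed for the example; in a real org they would be transcribed from the Connected Apps OAuth Usage page or a SOQL query over the OauthToken object (whose exact field names you should verify against your API version). The scope names (full, api, refresh_token, offline_access) are real Salesforce OAuth scopes; the app names and dates are hypothetical.

```python
"""Triage a Salesforce connected-app token inventory for OAuth-sprawl risk.

Added example; not from the article. Input rows are constructed below.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# "full" grants everything the authorizing user can reach; refresh_token /
# offline_access let the app mint new access tokens with no user present.
BROAD_SCOPES = {"full"}
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}


@dataclass(frozen=True)
class AppToken:
    app_name: str            # hypothetical connected app label
    scopes: FrozenSet[str]
    issued: date             # when the user first authorized the app
    last_used: Optional[date]
    use_count: int


def assess(tok: AppToken, today: date,
           stale_days: int = 90, max_age_days: int = 365) -> List[str]:
    """Return the risk findings for one token, in a fixed order."""
    findings = []
    if tok.scopes & BROAD_SCOPES:
        findings.append("broad-scope")          # wider than a read integration needs
    if tok.scopes & PERSISTENT_SCOPES:
        findings.append("long-lived-refresh")   # survives session expiry
    if (today - tok.issued).days > max_age_days:
        findings.append("never-rotated")        # same credential for over a year
    if tok.last_used is None or (today - tok.last_used).days > stale_days:
        findings.append("stale")                # idle grant nobody would miss
    return findings


def triage(tokens: List[AppToken], today: date) -> Dict[str, List[str]]:
    """Map app name -> findings for every token in the inventory."""
    return {t.app_name: assess(t, today) for t in tokens}


def revoke_first(tokens: List[AppToken], today: date) -> List[str]:
    """App names ordered by number of findings (desc), then name, for a runbook."""
    scored = triage(tokens, today)
    return sorted(scored, key=lambda name: (-len(scored[name]), name))


# Constructed inventory (hypothetical apps, dates and counts).
TODAY = date(2025, 3, 1)
SAMPLE_TOKENS = [
    AppToken("ci-tool", frozenset({"api", "refresh_token", "full"}),
             date(2023, 6, 1), date(2025, 2, 28), 40_000),
    AppToken("email-sync", frozenset({"api", "refresh_token"}),
             date(2025, 1, 15), date(2025, 2, 27), 900),
    AppToken("legacy-dashboard", frozenset({"api"}),
             date(2024, 9, 1), None, 0),
    AppToken("marketing-connector", frozenset({"api", "refresh_token"}),
             date(2024, 1, 10), date(2024, 10, 1), 3_200),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_TOKENS, TODAY).items():
        print(f"{name:22s} {', '.join(findings) or 'ok'}")
    print("revoke first:", revoke_first(SAMPLE_TOKENS, TODAY))
```

The thresholds (90 idle days, 365 days without rotation) are starting points; what matters is that the ordering puts a broadly scoped, never-rotated, actively used app such as the constructed "ci-tool" at the top, which is exactly the profile a vendor compromise turns into a bulk CRM read.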
Recommendations
Audit your Salesforce connected applications now: In Salesforce Setup → Apps → Connected Apps → Connected Apps OAuth Usage, review which third-party applications hold active OAuth tokens and how many users have authorized each one. Uninstall or block (under Manage Connected Apps) any integration that is no longer actively used.
Revoke Klue OAuth tokens immediately: If your organization uses Klue's Salesforce integration, revoke the associated refresh tokens regardless of whether you have received direct notification of exposure. The only cost is that the integration stops working; it can be re-authorized once Klue confirms its environment is clean.
Scope OAuth authorizations to the minimum necessary: When authorizing new integrations, grant access only to the Salesforce objects and fields the application actually needs — not blanket "full access."
Enable Salesforce Event Monitoring: For organizations with sensitive CRM data, Event Monitoring log files (the API, REST API and Bulk API event types) record which connected app issued each request, which object it touched and how many rows it returned. Those fields are enough to baseline each integration and alert on bulk reads that break the pattern.
Develop a third-party breach response runbook: Establish a documented process for revoking specific SaaS integration tokens rapidly when a third-party vendor breach is announced. The time between a vendor breach announcement and token revocation is the window attackers exploit.
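The logging gap described under "Limited audit logging" and the Event Monitoring recommendation above come down to one detection: a connected app that suddenly reads far more rows, across far more objects, than it normally does. The script below is an added example (not from the article, Klue or Salesforce) that runs that check over event-log rows. The CSV is constructed to resemble the Event Monitoring API event type; the column names CLIENT_NAME, USER_ID, METHOD_NAME, ENTITY_NAME and ROWS_PROCESSED are assumed and should be mapped to the actual columns of your org's export. The per-app baseline is likewise a hypothetical input you would derive from prior weeks of logs.

```python
"""Flag bulk reads by connected apps in Salesforce API event-log rows.

Added example; not from the article. Log rows and baselines are constructed.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed rows shaped like the Event Monitoring "API" event type
# (column names are assumptions; map them to your org's export).
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-03-01T02:03:11Z,005xx000001AAAA,ci-tool/1.0,query,Account,2000
API,2025-03-01T02:03:15Z,005xx000001AAAA,ci-tool/1.0,queryMore,Account,2000
API,2025-03-01T02:04:02Z,005xx000001AAAA,ci-tool/1.0,query,Contact,2000
API,2025-03-01T02:04:09Z,005xx000001AAAA,ci-tool/1.0,queryMore,Contact,2000
API,2025-03-01T02:05:40Z,005xx000001AAAA,ci-tool/1.0,query,Opportunity,2000
API,2025-03-01T02:06:12Z,005xx000001AAAA,ci-tool/1.0,query,Lead,2000
API,2025-03-01T02:06:50Z,005xx000001AAAA,ci-tool/1.0,query,Campaign,500
API,2025-03-01T09:15:00Z,005xx000001BBBB,email-sync/2.3,query,Contact,150
API,2025-03-01T11:20:00Z,005xx000001BBBB,email-sync/2.3,query,Contact,80
API,2025-03-01T06:00:00Z,005xx000001CCCC,dashboard/0.9,query,Account,3000
API,2025-03-01T06:00:30Z,005xx000001CCCC,dashboard/0.9,query,Opportunity,3000
"""

# Hypothetical "normal day" row counts per client, learned from earlier logs.
BASELINE = {"ci-tool/1.0": 1500, "email-sync/2.3": 300, "dashboard/0.9": 6000}


def aggregate(csv_text: str) -> Dict[str, dict]:
    """Sum rows and collect objects/users per connected app."""
    agg = defaultdict(lambda: {"total_rows": 0, "entities": set(), "users": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        client = row["CLIENT_NAME"]
        rows = int(row.get("ROWS_PROCESSED") or 0)   # blank field -> 0
        agg[client]["total_rows"] += rows
        agg[client]["entities"].add(row["ENTITY_NAME"])
        agg[client]["users"].add(row["USER_ID"])
    return agg


def flag_bulk_access(csv_text: str, baseline: Dict[str, int],
                     row_threshold: int = 10_000, entity_threshold: int = 4,
                     baseline_multiplier: int = 5) -> Dict[str, dict]:
    """Return per-app totals plus findings, in a fixed finding order."""
    report = {}
    for client, data in aggregate(csv_text).items():
        findings: List[str] = []
        if data["total_rows"] > row_threshold:
            findings.append("bulk-rows")            # absolute volume
        if len(data["entities"]) > entity_threshold:
            findings.append("wide-object-spread")   # touching many objects at once
        normal = baseline.get(client)
        if normal is not None and data["total_rows"] > baseline_multiplier * normal:
            findings.append("above-baseline")       # relative to the app's own history
        report[client] = {
            "total_rows": data["total_rows"],
            "entities": sorted(data["entities"]),
            "users": sorted(data["users"]),
            "findings": findings,
        }
    return report


def suspicious(report: Dict[str, dict]) -> List[str]:
    """Clients with at least one finding, highest row count first."""
    hits = [c for c, r in report.items() if r["findings"]]
    return sorted(hits, key=lambda c: -report[c]["total_rows"])


if __name__ == "__main__":
    rep = flag_bulk_access(SAMPLE_LOG, BASELINE)
    for client in suspicious(rep):
        r = rep[client]
        print(f"{client}: {r['total_rows']} rows over {r['entities']} -> {r['findings']}")
```

The per-app baseline matters more than the absolute threshold: a dashboard that always pulls 6,000 rows is not an incident, while a competitive-intelligence connector that normally reads 1,500 rows and suddenly walks Account, Contact, Opportunity, Lead and Campaign in a few minutes is the signature of a stolen integration token being used for exfiltration.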
Outlook
With Icarus publicly claiming the Klue breach and the victim list still growing, organizations that use Klue or any Salesforce-integrated competitive intelligence tool should treat this as an active incident requiring investigation. The combination of OAuth token theft, Salesforce data access, and a named extortion group with a demonstrated multi-target campaign pattern suggests this is not an isolated opportunistic breach but part of a sustained, deliberate effort to monetize SaaS integration access at scale.
Source: BleepingComputer