On June 18, 2026, market-intelligence platform Klue confirmed a multi-victim compromise that erupted between June 11 and 16: the extortion group 'Icarus' stole customer OAuth tokens via a dormant credential created for an abandoned prototype, exfiltrating CRM data from Salesforce with automated Python scripts. The disclosure arrives as Huntress, a cybersecurity vendor, goes public with its own victim status, breaking the silence that initially shrouded other involved parties.
- 'Icarus', an extortion group active since April 2026, compromised Klue using a dormant credential for a third-party integration prototype that was never decommissioned.
- Attackers pushed a malicious code update to harvest customer OAuth tokens, then queried Salesforce REST APIs with Python scripts for roughly 24 hours.
- ReliaQuest detected a two-phase pattern: slow reconnaissance via /services/data/v59.0/sobjects, followed by a burst of ~1,000 queries in 15 minutes via /services/data/v59.0/query.
- Salesforce disabled the Klue Battlecards integration on June 17; Klue proactively severed nine third-party connections including HubSpot, Slack, Gong, and Zoom.
The Mechanism: From Dormant Credential to Token Theft
In its analysis published June 18, Huntress reconstructs the initial entry: "the threat actor appears to have leveraged a long-unused but still-active credential," originally created by Klue to prototype a third-party integration that was later abandoned. The credential was never revoked or monitored, leaving a persistent opening in the platform's backend.
From this foothold, attackers pushed malicious code with OAuth token-harvesting functionality. Klue subsequently removed the "token-theft code," according to the same source, but the damage was done: the stolen tokens delegated access to the Salesforce tenants of customers who had enabled the integration.
The finding matters because it illustrates a systemic pattern in enterprise cloud. Third-party SaaS integrations operate on implicit trust relationships: the user grants OAuth permissions once, and the intermediary platform operates with broad, persistent privileges. When the intermediary is compromised, the attack propagates down the chain without needing the end victim's primary credentials.
Salesforce APIs as an Exfiltration Weapon
ReliaQuest, cited by BleepingComputer, analyzed the post-compromise activity in detail. Attackers used automated Python scripts to query Salesforce REST APIs for approximately 24 hours, following a distinct two-phase pattern.
The first phase was slow, stealthy reconnaissance: calls to /services/data/v59.0/sobjects to map the data structure and identify objects of interest. The second phase was exfiltration via /services/data/v59.0/query. ReliaQuest notes a sharp contrast in tempo: in one environment, ~1,000 queries in 15 minutes after a slow mapping phase; in another, exfiltration completed in six hours. As ReliaQuest observes, "the first stage was a slow, steady pull designed to blend in, the burst traded stealth for speed, suggesting either time pressure or a shift to targeted records."
Extortion emails, received by Huntress on June 16 with the subject "top secret email" and a 48-hour ultimatum, bore the alias "mr bean" and a Session Messenger ID. Huntress verified that this ID matches values published on the 'Icarus' leak site, confirming attribution. BleepingComputer, with access to internal sources and the extortion notes, identifies 'Icarus' as a new actor active since April 2026, with at least two initial victims on its leak site.
The Response: Salesforce Disables, Klue Severs Nine Integrations
The reaction was rapid but asymmetric. Salesforce disabled the connection between the Klue Battlecards app and its systems on June 17, 2026. A company spokesperson, quoted by BleepingComputer, stated: "To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident."
Klue executed a far broader, precautionary disconnection: beyond Salesforce, it cut HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. The move suggests the platform could not, at the critical moment, determine with certainty which integrations were actually affected by the token theft and which were not.
Four IP addresses associated with the malicious activity originate from providers in the Netherlands, France, and Ukraine. One of them, 138.226.246[.]94, was already linked to March 2026 spam campaigns, according to data published by Huntress.
"Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records" — ReliaQuest (via BleepingComputer)
What to Do Now
- Verify the status of active OAuth integrations with Klue: Salesforce has already disabled the Battlecards connection, but tenant admins must check residual tokens and authorization logs.
- Review legacy service credentials in backend environments: the root cause is an unrevoked prototype credential, a pattern replicable in any platform with third-party integrations.
- Analyze Salesforce API logs for calls to /services/data/v59.0/sobjects and /services/data/v59.0/query with anomalous temporal patterns, particularly bursts of hundreds of queries in short windows.
- Evaluate disconnecting or reducing the scope of non-business-critical SaaS integrations, given that Klue severed nine platforms without confirming actual compromise of all of them.
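The two-phase tempo ReliaQuest describes (slow /sobjects mapping, then a /query burst) is what the log review above is looking for. The following detector is an added example, not code from Huntress, ReliaQuest or Klue; it assumes a simplified constructed log layout of `timestamp,user_id,client_ip,uri` rather than the real Salesforce EventLogFile schema, and flags any user whose /query calls exceed a threshold inside a sliding 15-minute window, noting whether /sobjects reconnaissance preceded the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query\b")
SOBJECTS_RE = re.compile(r"^/services/data/v\d+\.\d+/sobjects\b")

def parse_line(line):
    """Parse one constructed 'iso_timestamp,user_id,client_ip,uri' record."""
    ts, user, ip, uri = line.split(",", 3)
    return datetime.fromisoformat(ts), user, ip, uri

def detect_bursts(lines, window=timedelta(minutes=15), threshold=200):
    """One finding per user whose /query calls reach `threshold` inside any `window`."""
    query_times = defaultdict(deque)  # user -> /query timestamps within the window
    first_sobjects = {}               # user -> first /sobjects (recon) timestamp
    peak = {}                         # user -> (largest window count, window start)
    for line in sorted(lines):        # ISO timestamps sort chronologically
        ts, user, _ip, uri = parse_line(line)
        if SOBJECTS_RE.match(uri):
            first_sobjects.setdefault(user, ts)
            continue
        if not QUERY_RE.match(uri):
            continue
        q = query_times[user]
        q.append(ts)
        while ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) >= threshold and len(q) > peak.get(user, (0, None))[0]:
            peak[user] = (len(q), q[0])
    findings = []
    for user, (count, start) in peak.items():
        recon = user in first_sobjects and first_sobjects[user] < start
        findings.append({"user": user, "query_count": count,
                         "window_start": start, "recon_before_burst": recon})
    return findings

def sample_lines():
    """Constructed log: slow /sobjects recon, a /query burst, and one benign user."""
    t0 = datetime(2026, 6, 15, 2, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=5 * i)).isoformat()},005EXAMPLE1,203.0.113.10,"
             f"/services/data/v59.0/sobjects/Account/describe" for i in range(12)]
    t1 = t0 + timedelta(hours=2)
    lines += [f"{(t1 + timedelta(seconds=2 * i)).isoformat()},005EXAMPLE1,203.0.113.10,"
              f"/services/data/v59.0/query?q=SELECT+Id+FROM+Contact" for i in range(300)]
    lines += [f"{(t0 + timedelta(hours=i)).isoformat()},005EXAMPLE2,198.51.100.7,"
              f"/services/data/v59.0/query?q=SELECT+Id+FROM+Lead" for i in range(5)]
    return lines

print(detect_bursts(sample_lines()))
```

Tune `threshold` and `window` to the tenant's normal integration traffic; a legitimate sync job can also produce bursts, so the `recon_before_burst` flag is there to raise priority, not to decide on its own.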
The Lesson: When the Supply Chain Is a Forgotten Credential
The Klue/Icarus case is neither a zero-day nor a Salesforce flaw. It is a SaaS supply-chain attack where the vector is the lack of governance over an internal credential, and the payload is the OAuth trust relationship delegated to customers. Huntress's decision to go public with its own compromise—detailing exfiltrated data (contacts, quotes, sales communications) and categorically ruling out theft of passwords, payment cards, or engineering systems—stands as a rare example of radical transparency in an industry where corporate victims tend toward silence.
The contrast is with Klue and other potentially involved customers, from whom no direct statements have emerged. The 'Icarus' group operates a data-only extortion model: no ransomware encryption, only leverage from the threat of public exposure and regulatory implications. For B2B companies with sensitive CRM data, this form of pressure can prove more effective than traditional ransomware, precisely because it requires no infrastructure restoration but rather reputational and legal negotiation.
Sources
- https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
- https://www.huntress.com/blog/klue-breach-investigation
Information verified against cited sources and current as of publication.