- Security firm Klue suffered a breach via a legacy credential, allowing hackers to steal OAuth tokens and access customer data on integrated platforms.
- The incident led Salesforce to disable the Klue Battlecards app integration, confirming the issue originated from the app’s connection, not its own platform.
- Cyber extortion group Icarus compromised sales-related data from customers like Huntress, demanding contact within 48 hours.
- The attack methodology mirrors previous third-party OAuth token abuses targeting CRM systems, highlighting a persistent security gap.
- Klue has revoked affected tokens and launched an investigation, directly assisting impacted customers.
Salesforce disabled the Klue Battlecards app integration on June 11, 2026, after detecting unusual activity that exposed customer data, according to an alert published this week. The cloud software giant stated the security incident was limited to the app’s connection and not a vulnerability within its own platform.
Consequently, organizations cannot connect to Salesforce via the app until further notice. The company noted the action was taken because the activity may have resulted in unauthorized access to customer data.
Meanwhile, the extortion group Icarus claimed responsibility for compromising Klue and exfiltrating data from its customers. Cybersecurity company Huntress confirmed its sales-related data was copied from its Salesforce account. Huntress said the breach did not affect threat data, passwords, or payment card information.
Klue’s CEO, Jason Smith, explained the attackers gained access through a compromised legacy credential on June 12. He said the intruders used that access to obtain OAuth tokens connecting Klue to third-party platforms like Salesforce.
Subsequently, the threat actors pushed a code update to collect these tokens and directly query customer CRM tools. By June 16, some Huntress employees received emails from Icarus demanding communication within 48 hours regarding the stolen data.
Security researchers have linked this attack to a known third-party OAuth-abuse playbook. ReliaQuest analysts Thassanai McCabe and Alexa Feminella said the adversary ran automated Python scripts for bulk data retrieval over nearly 24 hours.
Klue has since revoked the affected credentials and tokens while removing unauthorized code. The company is assisting impacted customers directly as the investigation continues.
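For defenders, the pattern described above (a stolen integration token driven by scripts for bulk retrieval over nearly 24 hours) can be hunted in API access logs. The following is an added example, not code from Klue, Salesforce or ReliaQuest; the event layout, integration names, addresses, user agents and row threshold are constructed assumptions to be mapped onto whatever API audit log is actually available.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, integration, source IP, user agent, rows returned).
EVENTS = [
    ("2026-06-01T09:00:00", "battlecards", "198.51.100.10", "vendor-sync/2.1", 180),
    ("2026-06-05T09:00:00", "battlecards", "198.51.100.10", "vendor-sync/2.1", 220),
    ("2026-06-12T22:10:00", "battlecards", "203.0.113.77", "python-requests/2.32", 48000),
    ("2026-06-13T06:30:00", "battlecards", "203.0.113.77", "python-requests/2.32", 51000),
    ("2026-06-13T09:00:00", "battlecards", "198.51.100.10", "vendor-sync/2.1", 210),
    ("2026-06-13T10:00:00", "helpdesk", "192.0.2.44", "python-requests/2.32", 40),
    ("2026-06-13T20:45:00", "battlecards", "203.0.113.77", "python-requests/2.32", 39000),
]

def find_bulk_pulls(events, baseline_end, row_threshold=50000,
                    window=timedelta(hours=24)):
    """Flag (integration, ip, user agent) clients not seen before baseline_end
    whose rows returned inside any `window` exceed row_threshold."""
    cutoff = datetime.fromisoformat(baseline_end)
    known = defaultdict(set)    # integration -> clients seen during baseline
    recent = defaultdict(list)  # new client -> [(time, rows)] in time order
    for ts, app, ip, ua, rows in sorted(events):  # ISO timestamps sort as text
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            known[app].add((ip, ua))
        elif (ip, ua) not in known[app]:
            recent[(app, ip, ua)].append((when, rows))
    alerts = []
    for client, hits in recent.items():
        start = total = peak = 0
        for when, rows in hits:  # sliding window over this client's requests
            total += rows
            while when - hits[start][0] > window:
                total -= hits[start][1]
                start += 1
            peak = max(peak, total)
        if peak > row_threshold:  # a new client alone is not enough to alert
            alerts.append({"client": client, "peak_rows_in_window": peak,
                           "first_seen": hits[0][0].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_pulls(EVENTS, "2026-06-10T00:00:00"):
        print(alert)
```

The low-volume new client on the second integration is deliberately not flagged, which shows why the check combines an unfamiliar client with volume rather than alerting on either signal alone.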
