The Klue OAuth breach involved attackers compromising Klue's backend systems and pushing a malicious code update that stole OAuth tokens used by customers to integrate Klue Battlecards with Salesforce and other platforms. Using these stolen tokens, the 'Icarus' threat actors queried Salesforce's REST API endpoints to map and exfiltrate CRM data over periods ranging from several hours to nearly a day. The attack pattern included slow reconnaissance followed by rapid data extraction bursts. The breach enabled the theft of sensitive Salesforce CRM data from multiple organizations, which the attackers are leveraging in an extortion campaign. Salesforce responded by disabling the Klue Battlecards integration. Klue also disabled integrations with several other SaaS platforms during the incident response. Cybersecurity firms ReliaQuest and Huntress confirmed the breach and linked it to the Icarus extortion group, which is distinct from the previously known ShinyHunters group. Indicators such as IP addresses and Session Messenger IDs have been shared for detection and response.

The breach resulted in unauthorized access and theft of Salesforce CRM data including business contacts, sales communications, price quotes, competitive intelligence reports, and account data from multiple organizations. This exposure risks reputational damage, competitive disadvantage, and potential financial loss due to extortion demands. There is no evidence that passwords, payment card information, or engineering systems were compromised. The stolen OAuth tokens allowed direct API access to customer Salesforce environments, bypassing normal authentication controls.

Salesforce has disabled the Klue Battlecards integration to prevent further unauthorized access. Klue has disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack during the investigation. Organizations using Klue integrations should review Salesforce and related SaaS logs for suspicious activity from known attacker IP addresses, revoke and rotate OAuth tokens, terminate active sessions, and monitor Salesforce API usage for anomalies. Patch status is not applicable as this is a breach involving compromised credentials and integration abuse rather than a software vulnerability with a patch. Organizations should follow vendor advisories and incident response best practices for OAuth token compromise.