Klue OAuth breach victim list grows as Icarus hackers claim attack

Market intelligence platform Klue has publicly confirmed a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers’ Salesforce environments, as the new “Icarus” extortion group publicly claims the attack.

The disclosure comes after cybersecurity firms Huntress and ReliaQuest detailed how attackers abused compromised Klue Battlecards integrations to steal Salesforce CRM data from multiple organizations.

In a statement published this week, Klue CEO Jason Smith confirmed that the company discovered unauthorized activity on June 12 affecting part of Klue’s integration infrastructure.

“On June 12, we identified unauthorized activity affecting a portion of Klue’s integration infrastructure. Since then, we’ve been working alongside trusted cybersecurity experts to understand what happened, support our customers, and restore the connections you rely on,” wrote Smith.

“Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.”

The company says there is currently no evidence that customer content stored directly within the Klue platform was impacted and that the incident was limited to third-party integrations.

Klue says it immediately revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, launched an investigation, and notified law enforcement. The company also confirmed it engaged CrowdStrike to assist with the response.

ReliaQuest and Huntress found that the attackers used stolen OAuth credentials associated with Klue integrations to access customer Salesforce environments and conduct large-scale data theft.

ReliaQuest observed attackers generating OAuth tokens and using Python scripts to query Salesforce’s API for extended periods, as data was stolen.

Huntress later disclosed that its own Salesforce environment was affected by the Klue breach and that the stolen data included business contacts, sales communications, pricing information, and other records.

Icarus claims responsibility

While BleepingComputer and Huntress previously linked the incident to the Icarus extortion operation, the threat actors have now publicly claimed responsibility on their data leak site.

“As you’ve probably already heard, Klue.com has been impacted by us recently. A number of other companies’ Salesforce instances, which were partners to Klue, were exfiltrated,” reads the Icarus post.

The threat actors went on to pressure Klue and affected organizations to contact them through the Session messaging platform to prevent the leaking of stolen data.

The post comes after BleepingComputer previously reported that the attacks were linked to Icarus, after sources shared extortion emails sent to affected organizations. Huntress also independently connected the operation to Icarus through Session Messenger IDs used in the extortion emails and the group’s data leak site.

Since then, additional victims have disclosed that they were affected by the attacks, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.

Almost all say the incident led to the theft of data from their Salesforce instances and did not affect their platforms, infrastructure, payment information, or internal systems.

Several organizations warned that the stolen business contact information could be used in follow-on phishing, social engineering, and extortion campaigns and urged customers to be vigilant.