
OAuth Breach at Klue Enabled Data Theft via Salesforce Integration


The Point: An OAuth vulnerability in the Klue platform allowed attackers to gain access to Salesforce CRM data from enterprise customers and exploit it for extortion purposes.

The market intelligence platform Klue was compromised through an OAuth vulnerability that gave attackers from the “Icarus” group access to Salesforce CRM data from multiple organizations. The incident is part of an ongoing extortion campaign.

The attackers exploited the OAuth vulnerability in Klue to impersonate an authorized third-party application to Salesforce, thereby gaining access to the CRM systems of Klue customers. This is a common attack method in which integrity gaps in SSO (Single Sign-On) and API authentication are abused to obtain data access. The perpetrators were able to extract customer data directly from Salesforce instances.

For CISOs, this scenario is particularly relevant as it underscores the risks of third-party integrity gaps: even if your own Salesforce system is secure, a compromised third-party application with OAuth authorization can serve as an entry point. The attackers did not need direct access to customer environments; instead, they exploited the trust that Salesforce places in the legitimate Klue integration.

The “Icarus” group is using this stolen data for extortion – typical of double extortion scenarios in which attackers both threaten to publish the data and demand a ransom. CISOs should verify whether their organizations use or have used Klue, and review which OAuth permissions are enabled for third-party tools. Revoking unused or suspicious API keys and tokens is a first-aid measure.
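The review recommended above can be run as a triage pass over an export of third-party OAuth grants. The following is an added example, not code from the original report or from Klue or Salesforce; the CSV column names, the scope names, the 90-day staleness threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export of third-party OAuth grants (not real data).
# Column names are assumptions; map them to whatever your CRM export uses.
SAMPLE_EXPORT = """app_name,user,scopes,last_used,use_count
Klue,svc-integration@example.com,api refresh_token,2026-06-10T08:00:00+00:00,5210
Klue,former.employee@example.com,full refresh_token,2025-11-02T12:00:00+00:00,14
Calendar Sync,alice@example.com,api,2026-06-17T09:30:00+00:00,880
Legacy Reporting,bob@example.com,full refresh_token,,0
"""

BROAD_SCOPES = {"full"}           # assumed scope name for unrestricted access
STALE_AFTER = timedelta(days=90)  # assumed policy threshold

def triage_grants(export_text, watchlist, now):
    """Return (app, user, reasons) for every grant that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        # Grants held by a vendor named in an incident are reviewed first.
        if row["app_name"].strip().lower() in watchlist:
            reasons.append("vendor on watchlist")
        # Broad scopes let a compromised integration read far more data.
        if BROAD_SCOPES & set(row["scopes"].split()):
            reasons.append("broad scope")
        # Unused or long-idle grants are revocation candidates.
        if not row["last_used"]:
            reasons.append("never used")
        elif now - datetime.fromisoformat(row["last_used"]) > STALE_AFTER:
            reasons.append("stale")
        if reasons:
            findings.append((row["app_name"], row["user"], reasons))
    return findings

if __name__ == "__main__":
    now = datetime(2026, 6, 18, tzinfo=timezone.utc)
    for app, user, reasons in triage_grants(SAMPLE_EXPORT, {"klue"}, now):
        print(f"REVIEW {app:17} {user:30} {', '.join(reasons)}")
```

Grants that are flagged only because the vendor is on the watchlist still need a decision: keep with rotated credentials, or revoke until the vendor confirms remediation.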


Source: www.bleepingcomputer.com · Published June 18, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.
