The Bottom Line: Klue customers must review their Salesforce integrations as OAuth tokens have been compromised and a new extortion group claims responsibility for the attack.
Market intelligence company Klue confirmed a security breach in which attackers were able to steal OAuth tokens to access Salesforce environments of its customers. The new hacker group Icarus claims responsibility for the attack.
Market intelligence platform Klue has confirmed a security breach in which threat actors obtained OAuth tokens used to access the Salesforce environments of Klue customers. These tokens enable an attacker to log in to Salesforce instances and access sensitive CRM data, customer contacts, opportunities, and business processes.
The newly emerged extortion group named Icarus publicly claims to be responsible for the attack. This suggests a coordinated approach: data theft combined with extortion attempts. For CISOs, this is critical because Salesforce is central to most enterprise environments for sales, marketing, and customer management—the stolen tokens can serve as an entry point for weeks or months of undetected activity.
Klue's expanding victim list signals that the attack has affected multiple customers and is not an isolated incident. Klue users should immediately audit their Salesforce OAuth integrations, check the audit log in Salesforce for unauthorized API access, and revoke existing OAuth tokens. Additionally, access rights for these integrations must be reviewed and reauthorized.
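One way to run the login-history part of that audit, as an added example that is not from Klue, Salesforce, or the source article: it reads a CSV export whose columns follow the Salesforce LoginHistory field names and flags integration logins from outside the vendor's expected address ranges. The connected-app name `Klue`, the expected range, and every sample row are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows (documentation IP ranges, made-up user IDs).
# Column names follow the Salesforce LoginHistory object's fields.
SAMPLE_CSV = """LoginTime,UserId,Application,LoginType,SourceIp,Status
2026-06-01T08:00:12Z,005000000000001,Klue,Remote Access 2.0,192.0.2.10,Success
2026-06-01T09:00:09Z,005000000000001,Klue,Remote Access 2.0,192.0.2.11,Success
2026-06-14T02:13:55Z,005000000000001,Klue,Remote Access 2.0,203.0.113.77,Success
2026-06-14T02:14:40Z,005000000000001,Klue,Remote Access 2.0,203.0.113.77,Success
2026-06-14T10:30:00Z,005000000000002,Salesforce for Outlook,Application,198.51.100.5,Success
"""

# Assumptions: the integration's display name in your org and the address
# range the vendor is expected to connect from. Replace both with your own.
APP_NAME = "Klue"
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def unexpected_integration_logins(csv_text, app_name=APP_NAME, expected=EXPECTED_NETS):
    """Return {(user_id, source_ip): [login times]} for successful logins by
    the named app that came from outside the expected networks."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Application"].strip().lower() != app_name.lower():
            continue
        if row["Status"] != "Success":
            continue
        try:
            ip = ipaddress.ip_address(row["SourceIp"].strip())
        except ValueError:
            # Unparseable source address: keep it visible for manual review.
            findings[(row["UserId"], row["SourceIp"])].append(row["LoginTime"])
            continue
        if not any(ip in net for net in expected):
            findings[(row["UserId"], str(ip))].append(row["LoginTime"])
    return {key: sorted(times) for key, times in findings.items()}


if __name__ == "__main__":
    for (user, ip), times in unexpected_integration_logins(SAMPLE_CSV).items():
        print(f"{user} {ip}: {len(times)} logins, first {times[0]}, last {times[-1]}")
```

Any user and address pair it reports is a candidate for token revocation and a closer look at what the integration user accessed in that window.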
Source: www.bleepingcomputer.com · Published June 20, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.