
Dormant OAuth Token Gave Icarus Hackers Access to Salesforce CRM Data Across Dozens of Organisations

Source: BleepingComputer / The Hacker News / Huntress / ReliaQuest

On 11 June 2026, anomalous behaviour in Klue’s integration infrastructure triggered an internal alert. Within 24 hours the company had confirmed what it called a supply chain breach: an attacker had gained access to its backend systems, pushed a malicious code update, and used that access to steal the OAuth tokens that Klue customers had granted for connecting the Battlecards product to third-party CRM platforms. By the time Klue began notifying customers on 13 June, the attacker had already used those tokens to query Salesforce directly on behalf of victim organisations.

The threat group behind the attack, identified as Icarus and active since late April 2026, escalated quickly from data theft to extortion. Affected companies received ransom notes over Session Messenger from an alias identifying itself as “mr bean”, threatening to publish or sell the stolen CRM data unless paid. Icarus had already claimed two victims. Klue was the second.

How a forgotten credential became the entry point

Klue told affected customers that the initial compromise relied on a single dormant credential, a prototype OAuth client that a Klue developer had created during an early integration experiment and never revoked when the prototype was abandoned. That credential retained its original permissions, including the ability to push updates to Klue’s integration layer.

An attacker who obtained that credential (the exact method of acquisition has not been disclosed) was able to deploy a code change that modified how Klue handled OAuth tokens on behalf of its customers. When customers’ connected integrations ran their scheduled syncs, the modified code intercepted and copied the tokens. Because the tokens were live, scoped to production Salesforce environments, and not yet expired or rotated, the attacker could immediately make authenticated API calls to each victim’s Salesforce instance as if they were Klue.

The actual data extraction took approximately 15 minutes per organisation according to one published reconstruction. The OAuth tokens provided query-level access to the connected Salesforce account, which in practice meant the attacker could retrieve contacts, accounts, opportunities, email activity, price quotes, and anything else the Klue integration had been granted access to read.

What was stolen and who was affected

Confirmed affected organisations include Huntress, Recorded Future, Tanium, Jamf, Sprout Social, and Insurity. Given the nature of the stolen data, the breach has particular significance for companies whose Salesforce instances contain competitive intelligence, customer pricing agreements, and sales pipeline information that would be valuable to competitors or useful as leverage in extortion negotiations.

The Klue Battlecards product is specifically designed for competitive intelligence, which means the CRM data its integration accesses tends to include the kinds of information organisations are least willing to have exposed. Sales communications, win/loss analysis, pricing strategy discussions, and account notes are the categories most commonly referenced in victim disclosures.

Salesforce disabled the Klue Battlecards integration across its platform on 11 June and has since worked with Klue to revoke the compromised OAuth tokens across all connected accounts.

The structural problem with SaaS integration sprawl

What this breach illustrates is not primarily a vulnerability in Salesforce or in OAuth as a protocol. OAuth worked exactly as designed. The problem is that organisations routinely grant persistent, production-scoped OAuth access to third-party SaaS tools and then have no reliable process for tracking what access each integration holds, reviewing whether it is still needed, or rotating the credentials it uses.

Most enterprise Salesforce accounts have multiple active OAuth integrations. Each one represents a grant of access to your CRM data that persists until explicitly revoked. The security posture of each integration is now a dependency of your CRM security posture. When a third party you granted access to gets compromised, the attacker inherits your CRM access along with theirs.

This is the architecture underlying all supply chain attacks via SaaS integrations. The Klue attacker did not breach Salesforce. They breached a company that had Salesforce access and then used that access. The pattern is identical to what researchers have documented in Microsoft 365 and Google Workspace compromises via third-party productivity tools.

What to review immediately

If your organisation uses Klue’s Battlecards product, follow Klue’s remediation guidance: revoke all Klue-issued OAuth credentials across connected platforms, rotate any tokens that may have been active during the period from 11 to 13 June, review Salesforce and Gong audit logs for API calls that originated from Klue’s infrastructure, and check whether any unusual data export or bulk query activity occurred in that window.
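An added illustration of the log review step above (this is example code, not anything published by Klue, Salesforce or the sources cited): it scans constructed API-event lines for the incident window and flags any connected app that pulled a large row count within one 15-minute burst, the per-organisation extraction time quoted earlier. The pipe-separated line layout and the thresholds are assumptions, not Salesforce’s Event Monitoring schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (timestamp|connected_app|operation|rows); this layout is an
# assumption for the example, not a real Salesforce export format.
LOG_LINES = """\
2026-06-10T09:00:12Z|Battlecards|Query|120
2026-06-12T02:14:03Z|Battlecards|Query|2000
2026-06-12T02:15:11Z|Battlecards|Query|2000
2026-06-12T02:16:40Z|Battlecards|Query|2000
2026-06-12T02:18:05Z|Battlecards|BulkApi|50000
2026-06-12T02:29:59Z|Battlecards|Query|2000
2026-06-12T10:00:00Z|Calendar sync|Query|40
2026-06-15T08:00:00Z|Battlecards|Query|110
"""

WINDOW_START = datetime(2026, 6, 11)             # 11 to 13 June, the window Klue named
WINDOW_END = datetime(2026, 6, 13, 23, 59, 59)
BURST = timedelta(minutes=15)                    # roughly one per-organisation extraction
ROW_THRESHOLD = 10_000                           # assumed: rows per burst worth escalating

def parse(lines):
    """Turn the raw lines into (timestamp, app, operation, rows) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, app, op, rows = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), app, op, int(rows)))
    return events

def bulk_bursts(events, start=WINDOW_START, end=WINDOW_END):
    """Per app, the most rows pulled in any BURST-long sliding window inside [start, end]."""
    by_app = defaultdict(list)
    for ts, app, _op, rows in sorted(events):
        if start <= ts <= end:
            by_app[app].append((ts, rows))
    worst = {}
    for app, evs in by_app.items():
        lo, total, peak = 0, 0, 0
        for ts, rows in evs:
            total += rows
            while ts - evs[lo][0] > BURST:      # slide the window forward
                total -= evs[lo][1]
                lo += 1
            peak = max(peak, total)
        worst[app] = peak
    return worst

def flagged(events):
    """Apps whose peak burst crosses ROW_THRESHOLD: review these grants first."""
    return sorted(app for app, peak in bulk_bursts(events).items() if peak >= ROW_THRESHOLD)

if __name__ == "__main__":
    print(flagged(parse(LOG_LINES)))
```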

Beyond the immediate Klue remediation, this incident is a reasonable prompt to audit your entire third-party SaaS integration estate. The questions worth asking:

Which third-party tools have OAuth access to your CRM? Most organisations cannot answer this accurately without pulling the actual OAuth grant list from Salesforce, HubSpot, or whichever CRM they use. The apps listed in the connected apps panel are often a surprise.

What scopes did each integration request? Many SaaS tools request broader access than they need for their stated function. Read and write access to all contacts is a common default even for tools that only need to read a subset.

When were the tokens last rotated? The Klue attacker’s initial entry point was a credential that had not been rotated or reviewed since a prototype was abandoned. Long-lived credentials that nobody monitors are a recurring feature of supply chain compromises.

What would an attacker with that access be able to retrieve? Running through this question integration by integration is a useful way to prioritise which connected apps warrant the most scrutiny.

If your organisation wants to audit its SaaS integration security posture, review OAuth grant configurations across your CRM and productivity platforms, or develop a process for managing third-party integration credentials, contact Excello Digital. We help European organisations close the gaps that supply chain attackers rely on.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.
