Bottom line: Stolen OAuth tokens from a compromised Klue integration enabled the Icarus group to gain mass access to Salesforce customer accounts through automated API queries.
The extortion group Icarus gained access to Salesforce customer environments via stolen OAuth tokens from the Klue Battlecards app and copied business data. Salesforce subsequently disabled the integration of the affected application.
On June 11, 2026, Salesforce discovered unusual activity in the integration of competitor analysis app Klue Battlecards. Unauthorized actors infiltrated customer environments and extracted business-critical data such as contacts, price quotes, and sales messages. Security company Huntress was among those affected. According to Salesforce and Klue, passwords and credit card data were not compromised. The vulnerability lay in the app integration, not in the Salesforce platform itself.
The attackers exploited an outdated but still active certificate from Klue that was originally created for an unrealized prototype of a third-party integration. Through this access, the perpetrators gained entry to Klue’s infrastructure and obtained the OAuth tokens that connect customer accounts to third-party platforms. Klue CEO Jason Smith stated that the attackers used these tokens to access a range of connected customer environments.
According to ReliaQuest, the hackers deployed automated Python scripts to perform data queries via the Salesforce API for nearly 24 hours. In one phase, almost a thousand queries were initiated within 15 minutes. On June 16, 2026, the perpetrators sent extortion emails to affected companies with a 48-hour payment deadline. The Icarus extortion group has been active since late April 2026. Klue has revoked all affected certificates and tokens, removed the unauthorized code, and initiated an investigation.
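The burst of automated API queries described above (roughly a thousand in 15 minutes under one integration's OAuth token) is the kind of signal a tenant can detect from its own API event logs. The following detection routine is an added example, not code from it-daily, Salesforce, Klue or ReliaQuest; its record layout (timestamp, connected app, user, operation) is a simplified stand-in for Salesforce API event records, and the 500-calls-per-window threshold is an assumption to be tuned to each integration's normal rate.

```python
"""Sliding-window burst detection for calls made under a connected app's token.

Added example. The four-field event tuple is a simplified, constructed
schema, not Salesforce's real API event log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 500  # assumption: set from the app's observed baseline


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return (app, window_start_iso, peak_count) for every connected app
    whose call count inside any sliding window exceeds the threshold.
    events: iterable of (iso_timestamp, connected_app, user, operation)."""
    per_app = defaultdict(list)
    for ts, app, _user, _op in events:
        per_app[app].append(datetime.fromisoformat(ts))
    alerts = []
    for app, times in per_app.items():
        times.sort()
        win = deque()           # timestamps inside the current window
        peak = (0, None)        # (count, window start) of the busiest window
        for t in times:
            win.append(t)
            while t - win[0] > window:   # drop calls older than the window
                win.popleft()
            if len(win) > peak[0]:
                peak = (len(win), win[0])
        if peak[0] > threshold:
            alerts.append((app, peak[1].isoformat(), peak[0]))
    return alerts


def sample_events():
    """Constructed sample log: one integration polling every 10 minutes and
    one issuing 800 queries in just over 13 minutes (a modelled token abuse)."""
    base = datetime(2026, 6, 11, 2, 0, 0)
    normal = [((base + timedelta(minutes=10 * i)).isoformat(),
               "Nightly Sync App", "svc-sync", "Query") for i in range(12)]
    burst = [((base + timedelta(seconds=i)).isoformat(),
              "Connected App X", "svc-integration", "Query") for i in range(800)]
    return normal + burst


if __name__ == "__main__":
    for app, start, count in detect_bursts(sample_events()):
        print(f"ALERT {app}: {count} API calls in 15 min starting {start}")
```

An alert on a connected app is the cue to revoke that app's OAuth tokens and review what it queried, which is the response the article reports Klue and Salesforce took.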
Source: www.it-daily.net · Published June 22, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.