Threat actors tracked as "Icarus" exploited an OAuth vulnerability in market intelligence platform Klue to steal Salesforce CRM data from multiple organizations. The breach gave attackers unauthorized access to sensitive customer information stored within compromised Salesforce instances.
Klue's OAuth implementation contained a flaw that allowed Icarus to bypass authentication controls and gain persistence within connected Salesforce environments. The attackers leveraged this access to extract customer records, deal pipelines, and other confidential business data from victim organizations across multiple industries.
Icarus has weaponized the stolen data in an ongoing extortion campaign, threatening to publish information unless victims pay ransoms. The group targets high-value organizations with substantial Salesforce deployments, knowing that CRM data exposure creates reputational and operational risk.
The breach highlights a critical attack vector: OAuth integrations between SaaS platforms. Many organizations connect Klue and similar intelligence tools to their Salesforce instances to sync data automatically. If the integrating application has weak OAuth controls, attackers gain a trusted pathway into the core CRM system without triggering traditional network defenses.
Klue addressed the vulnerability after discovery. The company advised customers to revoke OAuth tokens, audit Salesforce access logs for suspicious activity, and enable multi-factor authentication on all Salesforce accounts. Organizations should review which third-party applications hold OAuth permissions to their Salesforce instances and remove access for unused integrations.
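An added example (not Klue's or Salesforce's code) of the audit the paragraph above describes, run over constructed records shaped like Salesforce's OauthToken and LoginHistory objects: it lists idle tokens to revoke, connected apps missing from an assumed integration inventory, and successful OAuth logins from IPs outside an app's assumed known egress set. Field names follow the Salesforce objects; the IDs, app names, IPs and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real tenant records). APPROVED_APPS and
# KNOWN_EGRESS stand in for an organization's integration inventory and the
# vendor egress ranges it has on file; both are assumptions for this example.
NOW = datetime(2025, 6, 1)
APPROVED_APPS = {"Klue", "Salesforce for Outlook"}
KNOWN_EGRESS = {"Klue": {"198.51.100.10", "198.51.100.11"}}

OAUTH_TOKENS = [  # shaped like OauthToken rows
    {"Id": "0Zt0001", "AppName": "Klue", "UserId": "005A",
     "LastUsedDate": datetime(2025, 5, 31), "UseCount": 4120},
    {"Id": "0Zt0002", "AppName": "Salesforce for Outlook", "UserId": "005B",
     "LastUsedDate": datetime(2024, 11, 2), "UseCount": 3},
    {"Id": "0Zt0003", "AppName": "DataSync Helper", "UserId": "005C",
     "LastUsedDate": datetime(2025, 5, 30), "UseCount": 900},
]
LOGIN_HISTORY = [  # shaped like LoginHistory rows; "Remote Access 2.0" = OAuth login
    {"UserId": "005A", "LoginTime": datetime(2025, 5, 31, 2, 15), "Application": "Klue",
     "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "198.51.100.10"},
    {"UserId": "005A", "LoginTime": datetime(2025, 5, 31, 3, 40), "Application": "Klue",
     "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "203.0.113.7"},
    {"UserId": "005C", "LoginTime": datetime(2025, 5, 30, 9, 0), "Application": "DataSync Helper",
     "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "192.0.2.5"},
]

def stale_tokens(tokens, now=NOW, max_idle_days=90):
    """Token IDs unused for longer than the idle window: candidates to revoke."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(t["Id"] for t in tokens if t["LastUsedDate"] < cutoff)

def unapproved_apps(tokens, approved=APPROVED_APPS):
    """Apps holding a live token that are absent from the integration inventory."""
    return sorted({t["AppName"] for t in tokens} - approved)

def anomalous_oauth_logins(logins, known=KNOWN_EGRESS):
    """Successful OAuth logins for an app from an IP outside its known egress set."""
    hits = []
    for rec in logins:
        if rec["LoginType"] != "Remote Access 2.0" or rec["Status"] != "Success":
            continue
        if rec["SourceIp"] not in known.get(rec["Application"], set()):
            hits.append((rec["Application"], rec["UserId"], rec["SourceIp"]))
    return hits

if __name__ == "__main__":
    print("revoke (idle):", stale_tokens(OAUTH_TOKENS))
    print("not in inventory:", unapproved_apps(OAUTH_TOKENS))
    print("OAuth logins from unknown IPs:", anomalous_oauth_logins(LOGIN_HISTORY))
```

In a real tenant the two lists would be populated from SOQL queries against OauthToken and LoginHistory; an app with no known egress set is reported on every login, which is the intended prompt to inventory it or revoke it.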
For affected organizations, immediate steps include notifying impacted customers, reviewing what data Icarus accessed, and assessing whether ransom demands have materialized. Law enforcement notification is prudent given the extortion element.
The Icarus campaign demonstrates that threat actors systematically identify and exploit weak authentication links between widely used business applications. Organizations must treat OAuth integrations with the same security rigor as direct system access, not as minor convenience features.
