Klue — the competitive/market-intelligence SaaS whose “Battlecards” product bolts into your CRM and collaboration stack — disclosed on June 19 that an attacker breached part of its integration infrastructure and stole the OAuth tokens its customers use to connect Klue to Salesforce and other platforms. Those tokens were then replayed straight against victims’ Salesforce orgs to bulk-export CRM data. A new extortion crew calling itself Icarus has publicly claimed the campaign on its leak site, and Salesforce has disabled the Klue Battlecards app integration.

If this feels familiar, it should: it’s the Salesloft/Drift playbook again. Don’t break Salesforce — break the small third party that already holds a trusted token into hundreds of Salesforce tenants.

What happened

Per Klue CEO Jason Smith, the company spotted unauthorized activity on June 12. The entry point was a compromised legacy credential tied to an integration service — according to multiple reports, a dormant but still valid credential left over from a prototype integration Klue had abandoned and never decommissioned. From that foothold the attacker pivoted into Klue’s integration infrastructure and pushed a malicious code change that harvested the OAuth tokens customers had granted to wire Klue into Salesforce (and, per Huntress and ReliaQuest, also HubSpot, SharePoint, Slack, Zoom, Gong, Chorus, Clari, and Google Drive).

With valid tokens in hand there was no exploit to fire and no MFA to defeat — the token already carries the customer’s authorization. ReliaQuest observed the actor minting OAuth tokens and running Python scripts against the Salesforce REST API for hours at a stretch; in at least one tenant they pushed close to a thousand API queries in a single 15-minute window before exfiltrating the results.

Impact

The confirmed victim list — assembled almost entirely from the victims’ own disclosures — already includes Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity, and it is still growing. The stolen data is CRM contents: business contacts, sales communications, pricing and quotes, account records, and competitive-intelligence material.

Notably, nearly every named company stresses the damage is limited to its Salesforce instance โ€” their own products, infrastructure, payment data, and internal systems were untouched. That is precisely the shape of an OAuth-integration attack: the blast radius is whatever the token could reach, not the vendor that got compromised.

Icarus — which claims to have been operating since late April — is running this as a straight extortion play. Affected orgs received emails (Huntress matched the Session Messenger IDs to the group’s leak site) giving 48 hours to make contact before data is published. Expect the stolen contact and deal data to feed follow-on phishing and social engineering, exactly as it did after the 2025 Salesforce token-theft waves.

What to do now

  • Audit connected OAuth apps. In Salesforce, open Setup > Connected Apps OAuth Usage and revoke anything you don’t actively use or recognize — Klue’s tokens included.
  • If you’re a Klue customer, assume exposure. Revoke and rotate the integration’s tokens, and review Salesforce login history and event monitoring for bulk REST API reads from unfamiliar IPs and high-volume query bursts around or after June 11.
  • Constrain connected apps going forward. Scope tokens to least privilege, cap API usage where you can, and enable Salesforce Shield / Event Monitoring alerting on anomalous bulk exports.
  • Hunt the root cause Klue missed. Inventory dormant service credentials and OAuth tokens from abandoned or prototype integrations across your own SaaS — then decommission them. These are the exact loose ends attackers reuse.
  • Warn the humans. Anyone whose contact data lives in the affected CRM should expect targeted phishing and extortion-flavored follow-ups.
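One way to run the check in the second bullet over your API event-monitoring data, as an added example (not code from Klue, Huntress, ReliaQuest or Salesforce): it groups API calls per connected app and source IP into 15-minute windows and flags any window over a threshold. The sample rows are constructed, and their field names and the 500-call threshold are assumptions for this example rather than Salesforce’s real EventLogFile columns.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def make_sample_events():
    """Constructed API event rows (not real Salesforce logs). Field names are
    assumptions for this example, not Salesforce's EventLogFile schema."""
    base = datetime(2026, 6, 12, 2, 0, 0)
    events = []
    # Routine integration traffic: one query a minute for 20 minutes.
    for i in range(20):
        events.append({"ts": base + timedelta(minutes=i), "app": "Marketing Sync",
                       "ip": "198.51.100.7", "op": "query"})
    # Replayed-token burst: 900 queries in under 15 minutes from an IP the
    # tenant has never seen, through a connected app the customer did grant.
    for i in range(900):
        events.append({"ts": base + timedelta(seconds=i * 0.93), "app": "Klue Battlecards",
                       "ip": "203.0.113.45", "op": "query"})
    return events


def find_query_bursts(events, window_minutes=15, threshold=500, known_ips=frozenset()):
    """Bucket API calls per (connected app, source IP) into fixed windows and
    return every bucket whose call count exceeds `threshold`. `known_ips` is the
    set of source addresses the integration is expected to use; anything else is
    flagged as unfamiliar. The 500-call threshold is an illustrative assumption."""
    window = timedelta(minutes=window_minutes)
    counts = defaultdict(int)
    for e in events:
        # Floor the timestamp to the start of its fixed-size window.
        bucket = EPOCH + (e["ts"] - EPOCH) // window * window
        counts[(e["app"], e["ip"], bucket)] += 1
    bursts = []
    for (app, ip, start), n in sorted(counts.items(), key=lambda kv: kv[0][2]):
        if n > threshold:
            bursts.append({"app": app, "ip": ip, "window_start": start,
                           "count": n, "unfamiliar_ip": ip not in known_ips})
    return bursts


if __name__ == "__main__":
    for b in find_query_bursts(make_sample_events(), known_ips={"198.51.100.7"}):
        print(f"{b['window_start']:%Y-%m-%d %H:%M} {b['app']} {b['ip']} "
              f"{b['count']} calls unfamiliar_ip={b['unfamiliar_ip']}")
```

Against real data, feed it the rows for your Klue connected app and seed `known_ips` with the addresses Klue documents for its service; the routine traffic stays under the threshold while the replay burst surfaces in one window.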

The uncomfortable lesson is the one Salesloft/Drift taught last year, and it hasn’t gotten cheaper: your CRM’s security is only as strong as the least-secured SaaS vendor you’ve handed a token to.

Sources: Klue security update · Huntress investigation · ReliaQuest threat spotlight · BleepingComputer