saas · BleepingComputer
Market intelligence platform Klue experienced an OAuth breach that exposed Salesforce CRM data across multiple customer organizations. According to ReliaQuest and Huntress research, attackers compromised Klue's Battlecards integration service accounts and obtained OAuth tokens granting access to customer Salesforce instances. The threat actors used Python scripts to query Salesforce's REST API, beginning with reconnaissance of target objects before exfiltrating data. In some cases, attackers conducted slow, methodical data mapping over hours; in others, they executed rapid extraction bursts of hundreds of queries within minutes. Salesforce subsequently disabled the Klue Battlecards integration platform-wide pending investigation. The extortion group "Icarus," believed to have launched in April 2026, has begun sending ransom demands to affected organizations and listing victims on its data leak site.
For SaaS platforms and their customers, this incident underscores critical compliance and operational risks. Defense contractors and healthcare providers storing CRM data via third-party integrations should audit OAuth token permissions and access logs under CMMC and HIPAA frameworks, respectively. Organizations subject to SOC2 Type II audits must document API authentication controls and vendor security incident response. All regulated industries handling sensitive data through cloud CRM systems should verify that third-party integrations enforce least-privilege access, implement token rotation policies, and maintain audit trails of API queries. An Omniware engagement can scope vendor risk assessment and API security posture in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
Source: BleepingComputer
All briefings