ProBackend
salesforce oauth integration breaches
1 hour ago6 min read

Salesforce OAuth Breach: Icarus Extortion Group Leaks Data from Dozens of Tech Firms via Klue

An OAuth token breach at Klue enabled the Icarus ransomware group to access Salesforce instances and Gong data across tech and cybersecurity firms, with customer contact details and sales records leaked on the dark web.

The Salesforce OAuth Breach That Won't Stop Expanding

Here's the thing about supply chain attacks that keeps me up at night: they don't care how good your perimeter is. They just find the one app you trusted enough to hand them a key, and they walk right in.

That's exactly what the Icarus extortion group did. Starting June 17, threat actors breached Klue's Battlecards application — a popular competitive intelligence tool that many tech and cybersecurity companies use to manage sales data. From there, they accessed OAuth tokens and moved laterally into Salesforce instances across at least a dozen organizations. Some of those names will surprise you.

Salesforce itself disabled the Battlecards integration shortly after the breach was discovered. But by then, Icarus had already pulled what they wanted.

The group has been explicit about its intentions. They set a Monday deadline for Klue customers, published six partially redacted victim listings on their dark web leak site, and warned that more victims are coming. This isn't a one-and-done operation — it's an escalating campaign, and the targets are still being identified.

How the OAuth Token Chain Unraveled

The attack chain is textbook supply chain compromise, and it's the kind of pattern we've seen before — just with different actors and different tools.

Threat actors first breached Klue's Battlecards app. From there, they accessed OAuth tokens that had been issued to the integration by various customer organizations. These tokens granted access to Salesforce instances and, in some cases, Gong — the call intelligence platform that many sales teams rely on for recording and transcription.

Klue identified four suspicious IP addresses associated with the intrusion. Gong blocked those IPs, but not before the attackers had already exfiltrated data from connected systems.

What makes this particularly insidious is that the OAuth tokens themselves weren't stolen through a traditional vulnerability. They were issued legitimately — these are real integrations that companies set up because they needed the functionality. The compromise happened upstream at Klue, and the tokens became the bridge.

This is the same pattern we saw with the 2025 Salesloft breach, where API secrets appeared directly in Salesforce files. The lesson hasn't stuck. Organizations keep trusting third-party integrations with broad access to their most sensitive data, and threat actors keep exploiting that trust.

Who Got Hit and What Was Exposed

The scope of this breach is still being assessed, but here's what we know from public disclosures as of late June 2026:

LastPass confirmed that customer Salesforce data was accessed, though the company's core password management products remain unaffected. Customer contact details and sales records were among the exposed data.

Huntress, the cybersecurity firm that first publicly acknowledged the compromise, confirmed that business contact information, subscription details, and opportunity notes stored in Salesforce were leaked. Importantly, no product or infrastructure data was compromised — the attackers only got what was in the CRM.

Gong disclosed that internal licensed user data was compromised due to the Klue integration. This includes usernames, titles, and email addresses for licensed users. Call recordings and transcripts were not exposed — the attackers didn't reach that far.

HackerOne reported that its CRM systems were isolated, and no customer vulnerability data was exposed. The company's core platform remains secure.

Other organizations that have disclosed impact include Recorded Future, Jamf, Snyk, OneTrust, Insurity, Tanium, and Sprout Social — a who's who of the tech and cybersecurity ecosystem. Each confirmed varying degrees of Salesforce data exposure.

The common thread across all disclosures: the attackers got CRM data. Customer contact details, sales communications, subscription information, and internal user records. Nothing that would compromise core product infrastructure — but plenty that could be weaponized for targeted phishing, social engineering, or further intrusion attempts.

The Dark Web Leak Site and Icarus's Escalation Strategy

Icarus has been methodical about its extortion approach. The group set a Monday deadline for Klue customers to respond, published six victim listings on its leak site with partially redacted names, and has been explicit that more disclosures are coming.

The data being leaked includes business contact information, subscription details, and sales communications — the kind of information that's valuable for follow-on attacks even if it doesn't make headlines on its own.

This escalation pattern is worth watching. Icarus isn't just dumping data and moving on — they're building a narrative, creating urgency, and signaling to other potential targets that they're next. The group's willingness to publicly name victims (even partially) suggests confidence in its ability to continue the campaign.

For security and compliance analysts, this is a reminder that data exposure doesn't end when the initial breach is contained. The leak site becomes a permanent record, and the threat actor controls the narrative around what was taken and who else might be targeted.

What Organizations Need to Do Now

The remediation steps already underway are reasonable, but they're also reactive. Here's what I'd recommend for any organization that uses Klue or similar third-party integrations with Salesforce access:

Immediate actions:

  • Suspend Klue Battlecards integration access across all Salesforce orgs
  • Rotate any API tokens that may have been exposed through the OAuth chain
  • Monitor for suspicious activity in Salesforce and Gong logs
  • Block the four known malicious IP addresses identified by Klue

Short-term follow-up:

  • Review all third-party integrations with Salesforce access — not just Klue
  • Audit OAuth token permissions and scope for all connected applications
  • Verify that any incident-related communications are legitimate (phishing risk is high right now)
  • Check whether your organization appears on Icarus's leak site

Longer-term changes:

  • Implement just-in-time access for third-party integrations rather than persistent OAuth tokens
  • Require MFA for all integration authentication flows
  • Conduct regular audits of third-party app permissions in your Salesforce org
  • Treat every third-party integration as a potential attack vector, not just a convenience

The uncomfortable truth is that most organizations have far more third-party integrations with broad access than they realize. The Klue breach is a wake-up call, but it shouldn't be the only one.

The Bigger Picture for Security and Compliance Teams

This incident fits into a broader pattern of OAuth-based supply chain attacks that have been intensifying throughout 2025 and 2026. The combination of legitimate authentication mechanisms, broad token permissions, and limited visibility into third-party access creates a perfect storm.

For security and compliance teams, the implications are clear:

  • Vendor risk management can't be a checkbox exercise. You need continuous monitoring of third-party integrations, not just initial due diligence.
  • OAuth token governance needs to be treated with the same rigor as password management. Tokens are credentials, and they should be rotated, scoped minimally, and monitored for anomalous use.
  • Incident response playbooks should include specific procedures for third-party integration compromises, not just traditional perimeter breaches.
  • Board-level reporting should reflect the reality that your most sensitive data may be accessible through apps you've forgotten about.

The Icarus group's campaign against Klue customers is still evolving. More victims will be identified, more data will be leaked, and the threat actor's demands will likely escalate. Organizations that haven't already reviewed their third-party integration posture should treat this as a critical priority — not because of this specific incident, but because the pattern it represents is here to stay.

The Salesforce OAuth Breach That Won't Stop Expanding

More blogs