Klue OAuth Breach Expands: Icarus Hackers Claim Attack, Multiple Tech Firms Affected
Key Takeaways
- Klue's compromised legacy credential exposed OAuth tokens, allowing attackers to access Salesforce CRM data from dozens of connected customer environments
- The Icarus extortion group has claimed responsibility and publicly demanded ransom from affected organizations to prevent data leaks, highlighting the rising threat from persistent, extortion-focused threat actors
- The victim list includes major tech companies (Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity) whose stolen business contacts and pricing data could fuel follow-on phishing, social engineering, and extortion campaigns
Summary
Market intelligence platform Klue disclosed a security breach on June 12 affecting its integration infrastructure, in which attackers stole OAuth tokens used to connect to customers' Salesforce CRM environments. The breach resulted from a compromised legacy credential in an integration service; that credential allowed the attackers to obtain OAuth tokens for third-party platforms including Salesforce and then access sensitive data within multiple customer environments. Klue immediately revoked the affected credentials, removed unauthorized code, and engaged CrowdStrike for incident response and law enforcement notification. The attackers, claiming to be the "Icarus" extortion group, have publicly posted about the breach on their data leak site and are demanding ransom from Klue and affected organizations via Session messaging; victims include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Most victims reported stolen Salesforce data including business contacts, sales communications, and pricing information, with no impact on their core platforms or infrastructure.
- The attack highlights supply chain security risk: a single compromised integration service credential exposed sensitive data across dozens of downstream customer environments