Klue suffered an OAuth breach that allowed the Icarus threat actors to steal Salesforce CRM data from multiple organizations through compromised Battlecards integrations. The incident triggered extortion emails, Salesforce disabled the Klue Battlecards integration, and affected customers were urged to revoke tokens and review logs.
Key points
- Klue’s OAuth breach exposed Salesforce CRM data from multiple organizations.
- Icarus used stolen OAuth tokens to query Salesforce APIs and exfiltrate data.
- The attack involved Klue Battlecards and a malicious code update on backend systems.
- Salesforce disabled the Klue Battlecards integration during the investigation.
- Affected organizations were advised to revoke tokens, terminate sessions, and check API logs.