Breach brief KLUE-ICARUS-OAUTH, 2026-06-20

Klue Customers: Icarus OAuth Token Abuse

A threat actor tracked as Icarus abused a compromised OAuth token tied to Klue's Salesforce Battlecards integration to silently harvest CRM data from multiple enterprise customers. Salesforce disclosed the incident on June 17 and has since disabled the Klue Battlecards app across all affected customer instances. Endpoint security vendor Huntress publicly confirmed it lost CRM data in the attack, and additional companies report exfiltration tied to their Salesforce and Gong integrations.

What Happened

According to reporting cited by ProbablyPwned, Icarus obtained a long-lived OAuth refresh token associated with a deprecated integration between Klue and Salesforce. Using that token, the actor queried Salesforce's REST API through legitimate, sanctioned channels that most security monitoring tools do not flag. The attack chain started with object catalog enumeration against the standard /services/data/v59.0/sobjects endpoint, mapping which Salesforce objects were reachable. The actor then looped queries against the query endpoint, paginating through results with QueryMore cursors for nearly 24 continuous hours. This is classic low-and-slow exfiltration that blends into normal API traffic, and without specific monitoring for bulk data access patterns, defenders had little visibility into it.

What Was Taken

Confirmed losses center on Salesforce CRM data. Huntress confirmed on its blog that customer relationship records were exfiltrated from its environment, and several other organizations report that data tied to their Salesforce and Gong integrations was successfully stolen. CRM data of this kind typically includes account records, contact details, pipeline and deal information, and competitive notes, all of which are highly valuable for follow-on social engineering and business intelligence. The full victim list has not been disclosed. Any organization that connected Klue Battlecards to Salesforce should assume potential exposure and audit its API access logs for the activity window.

Why It Matters

This breach is a textbook example of how third-party SaaS integrations become attack vectors even when the primary platform itself stays secure. Salesforce was not compromised; a trusted, forgotten connection into it was. The root cause was a dormant OAuth token issued for a deprecated integration that remained valid long after the integration stopped being used. In many implementations OAuth tokens do not expire by default, so a credential minted in 2023 for a pilot project can still authenticate in 2026 unless someone explicitly revokes it. Anyone who compromises any link in that integration's supply chain inherits all of its permissions, and they do so through legitimate API channels that rarely trip alerts.

The Attack Technique

Icarus did not exploit a software vulnerability. The actor authenticated as the Klue integration using a stolen refresh token, then operated entirely within the bounds of granted OAuth scopes. Enumeration through the sobjects endpoint gave a map of accessible data, and methodical pagination via QueryMore cursors pulled records out over roughly a day. Because every request was a well-formed, authenticated API call from an approved connected app, the traffic looked routine. The technique rewards patience and abuses trust rather than breaking it, which is precisely what makes it hard to catch without behavioral baselining of API volume.
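A defender-side counterpart to the technique just described, added here as an example (it is not code from the original brief, from Klue or from Salesforce): a small detector that profiles per-app REST API traffic and flags a connected app that first describes many objects through the sobjects endpoint and then pages a query cursor for hours. The log layout is a constructed, simplified CSV, not Salesforce's real EventLogFile schema, and the thresholds are assumptions; the one concrete detail it relies on is that the REST API exposes pagination as a nextRecordsUrl of the form /services/data/vXX.X/query/<locator>-<offset>, which is what the cursor pattern matches.

```python
"""Flag connected apps whose Salesforce REST API traffic shows the low-and-slow
pattern: broad object enumeration followed by sustained cursor pagination.
Added example; the log format below is constructed and simplified."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: one app behaving like the reported attack (catalog
# enumeration, then one cursor page every 10 minutes for 20 hours) and one
# routine app issuing three small queries across the day.
def _build_sample_log() -> str:
    lines = ["timestamp,client,uri,rows"]
    t0 = datetime(2026, 6, 15, 2, 0, 0)
    lines.append(f"{t0.strftime(TS_FMT)},Klue Battlecards,/services/data/v59.0/sobjects,0")
    objects = ["Account", "Contact", "Opportunity", "Lead", "Case", "Task",
               "Event", "Campaign", "Contract", "Order", "Product2", "User"]
    for i, obj in enumerate(objects, start=1):
        ts = (t0 + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts},Klue Battlecards,/services/data/v59.0/sobjects/{obj}/describe,0")
    locator = "01gD0000002HU6KIAW"  # constructed query locator, format only
    for i in range(120):
        ts = (t0 + timedelta(minutes=10 * (i + 1))).strftime(TS_FMT)
        lines.append(f"{ts},Klue Battlecards,/services/data/v59.0/query/{locator}-{2000 * (i + 1)},2000")
    for hour in (9, 13, 17):
        ts = t0.replace(hour=hour).strftime(TS_FMT)
        lines.append(f"{ts},Marketing Sync,/services/data/v59.0/query,150")
    return "\n".join(lines) + "\n"

SAMPLE_LOG = _build_sample_log()

# A describe call reveals one object's schema; a /query/<locator>-<offset> URI
# is a follow-on page of an earlier query (the REST form of QueryMore).
DESCRIBE_RE = re.compile(r"/services/data/v[\d.]+/sobjects/(\w+)/describe$")
PAGE_RE = re.compile(r"/services/data/v[\d.]+/query/[A-Za-z0-9]+-\d+$")


def parse_log(text: str) -> list:
    """Parse the constructed CSV into dicts with a datetime and an int row count."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], TS_FMT)
        row["rows"] = int(row["rows"])
        records.append(row)
    return records


def profile_clients(records: list) -> dict:
    """Per connected app: objects described, cursor pages, rows, pagination span."""
    stats = defaultdict(lambda: {"objects_described": set(), "pages": 0, "rows": 0,
                                 "first_page": None, "last_page": None})
    for r in records:
        s = stats[r["client"]]
        s["rows"] += r["rows"]
        m = DESCRIBE_RE.search(r["uri"])
        if m:
            s["objects_described"].add(m.group(1))
        elif PAGE_RE.search(r["uri"]):
            s["pages"] += 1
            ts = r["timestamp"]
            if s["first_page"] is None or ts < s["first_page"]:
                s["first_page"] = ts
            if s["last_page"] is None or ts > s["last_page"]:
                s["last_page"] = ts
    return stats


def flag_bulk_access(records: list, describe_threshold: int = 10,
                     page_threshold: int = 50, min_span_hours: float = 6.0) -> dict:
    """Return {app: [reasons]} for apps that enumerate broadly or page for hours.
    Thresholds are assumptions; tune them against a baseline of normal traffic."""
    findings = {}
    for client, s in profile_clients(records).items():
        span_hours = 0.0
        if s["first_page"] and s["last_page"]:
            span_hours = (s["last_page"] - s["first_page"]).total_seconds() / 3600
        reasons = []
        if len(s["objects_described"]) >= describe_threshold:
            reasons.append(f"described {len(s['objects_described'])} objects")
        if s["pages"] >= page_threshold and span_hours >= min_span_hours:
            reasons.append(f"{s['pages']} cursor pages over {span_hours:.1f}h ({s['rows']} rows)")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in flag_bulk_access(parse_log(SAMPLE_LOG)).items():
        print(app, "->", "; ".join(reasons))
```

The two signals are deliberately kept separate: a single describe burst is normal when an integration is first installed, and a long pagination run is normal for a nightly sync, but an app that does both, outside its usual schedule, is the case worth a ticket. Baseline each app's daily page count and row volume first; the fixed thresholds here only stand in for that baseline.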

What Organizations Should Do

  1. Audit every connected OAuth app in Salesforce now, and disable or revoke the Klue Battlecards connection if it has not already been removed on your instance.
  2. Review API access logs and the Salesforce event monitoring data for high-volume sobjects enumeration and sustained QueryMore pagination during the disclosure window.
  3. Revoke refresh tokens for any dormant or deprecated integration, and set explicit token lifetimes and rotation policies rather than relying on defaults.
  4. Inventory all third-party SaaS connections quarterly, and remove any integration unused for 90 days or more.
  5. Apply least-privilege scopes to connected apps so a single compromised token cannot read the entire CRM object catalog.
  6. Add alerting for anomalous bulk data access patterns from service accounts and connected apps, not just for failed logins or new device sign-ins.
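The checks behind items 3 through 5 above, as an added example over a constructed inventory (this is not code from the brief, from Klue or from Salesforce). It flags the four conditions the brief ties to this incident: a deprecated integration that still holds a valid token, a refresh token with no expiry, an app unused for 90 days or more, and an over-broad scope. In a live environment the inventory would be pulled from the org's connected-app and OAuth token records; the data class, the 90-day threshold and the choice of which scopes count as over-broad are assumptions, while the scope names in the sample are Salesforce's standard ones.

```python
"""Audit a connected-app inventory for dormant, never-expiring or over-scoped
OAuth grants. Added example with constructed inventory data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ConnectedApp:
    name: str
    scopes: frozenset                # OAuth scopes granted to the app
    issued: date                     # when the refresh token was minted
    last_used: Optional[date]        # None = never used
    refresh_expires: Optional[date]  # None = token never expires
    deprecated: bool                 # integration retired by its owner


# "full" grants everything the authorizing user can reach; for a read-only
# integration that is far more than it needs. (Policy choice assumed here.)
OVERBROAD_SCOPES = frozenset({"full"})


def audit_app(app: ConnectedApp, today: date, dormant_days: int = 90) -> list:
    """Return the list of reasons this app's grant should be revoked or tightened."""
    reasons = []
    if app.deprecated:
        reasons.append("deprecated integration still holds a valid token")
    if app.refresh_expires is None:
        reasons.append("refresh token has no expiry")
    # A token that has never been used is dormant since the day it was issued.
    idle_days = (today - (app.last_used or app.issued)).days
    if idle_days >= dormant_days:
        reasons.append(f"unused for {idle_days} days")
    over = sorted(app.scopes & OVERBROAD_SCOPES)
    if over:
        reasons.append("over-broad scopes: " + ", ".join(over))
    return reasons


def audit_inventory(apps: list, today: date, dormant_days: int = 90) -> dict:
    """Map each flagged app name to its reasons; clean apps are omitted."""
    findings = {}
    for app in apps:
        reasons = audit_app(app, today, dormant_days)
        if reasons:
            findings[app.name] = reasons
    return findings


# Constructed sample inventory: a forgotten pilot-era grant, a stale pilot
# dashboard, and a healthy integration.
SAMPLE_INVENTORY = [
    ConnectedApp("Klue Battlecards", frozenset({"full", "refresh_token"}),
                 date(2023, 3, 1), date(2024, 1, 10), None, deprecated=True),
    ConnectedApp("Pilot Dashboard", frozenset({"api", "refresh_token"}),
                 date(2026, 1, 5), date(2026, 2, 1), date(2026, 12, 31), deprecated=False),
    ConnectedApp("Marketing Sync", frozenset({"api", "refresh_token"}),
                 date(2026, 3, 1), date(2026, 6, 19), date(2026, 9, 1), deprecated=False),
]

if __name__ == "__main__":
    for name, reasons in audit_inventory(SAMPLE_INVENTORY, date(2026, 6, 20)).items():
        print(name, "->", "; ".join(reasons))
```

Run quarterly, as item 4 suggests, and treat any app with a "deprecated" or "no expiry" reason as a revoke-now case rather than a review item; the dormancy and scope findings are the ones that need an owner's confirmation before action.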

Sources: Klue OAuth Breach Exposes Salesforce CRM Data at Multiple Enterprises | ProbablyPwned