ctipilot.ch


UPDATE: Klue OAuth-token breach — victim list grows, CRM-API abuse chain detailed

From CTI Daily Brief — 2026-06-21 · published 2026-06-21

UPDATE (originally covered 2026-06-19): The Klue compromise first covered on 2026-06-19 (Icarus obtaining a legacy Klue credential) now has a named, growing victim list and a documented post-access technique. Klue confirms the attacker harvested customer-provisioned OAuth tokens for connected platforms — principally Salesforce, plus Gong, HubSpot, SharePoint and others — and used them to query customer CRM instances directly (Klue, 2026-06-19).

Huntress forensics show the stolen tokens were used to call Salesforce REST endpoints at /services/data/v59.0/query/<STRING> with a python-urllib User-Agent, which is anomalous for a legitimate Klue integration (Huntress, 2026-06-18). Confirmed affected organisations now include Huntress, Recorded Future, Tanium, Jamf and Sprout Social; Icarus has publicly claimed the attack and is demanding contact via Session messenger (BleepingComputer, 2026-06-19).

The chain — compromise an integration platform's legacy credential, harvest downstream OAuth tokens, query customer CRM APIs from the platform's legitimate IP range — bypasses perimeter controls: the requests carry valid tokens and arrive from the address range the customer already trusts for the vendor, so IP allow-lists alone do not fire and the tell is behavioural (client, volume, timing).

Detection surface: Salesforce Event Monitoring for a python-urllib API caller, unusual /services/data/v*/query/ volumes from non-user (integration) principals, and out-of-hours API sessions from unexpected source orgs.

Hardening: audit and revoke OAuth grants to third-party SaaS vendors (especially inactive integrations), enforce IP restrictions on Salesforce connected-app policies, and scope integration-platform credentials so one compromised account cannot chain to every downstream tenant.
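The detection surface above, as an added example that is not from the brief, Huntress or Klue: a small triage script that runs the three checks (python-urllib client, /query/ volume from an integration principal, out-of-hours integration sessions) plus a source-range check over constructed Salesforce API event-log rows. The CSV rows, the column names (TIMESTAMP, USER_ID, USER_TYPE, URI, USER_AGENT, CLIENT_IP), the integration user ID, the vendor egress range 198.51.100.0/24 and the business-hours window are all assumptions for the example; verify them against the EventLogFile schema and the vendor's published ranges in your own org. The constructed attacker rows deliberately come from the expected vendor range, so the IP check passes and only the behavioural rules fire, which is the point the brief makes.

```python
"""Triage Salesforce API event-log rows for integration-token abuse (added example)."""
import csv
import io
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

QUERY_URI = re.compile(r"^/services/data/v\d+\.\d+/query/")
SUSPECT_UA = re.compile(r"python-urllib", re.IGNORECASE)

# Assumptions for this example (not from the brief): which principals are
# integration users, the vendor's expected egress range, business hours (UTC)
# and the per-file /query/ volume that counts as unusual for an integration.
INTEGRATION_USERS = {"005KLUEINTEG0001"}
EXPECTED_VENDOR_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS_UTC = (7, 19)   # start inclusive, end exclusive
QUERY_VOLUME_THRESHOLD = 5

# Constructed sample rows, loosely modelled on Event Monitoring API event logs.
# Column names are assumed; the rows are not real telemetry.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,USER_TYPE,URI,USER_AGENT,CLIENT_IP
2026-06-17T02:11:04Z,005KLUEINTEG0001,Standard,/services/data/v59.0/query/,Python-urllib/3.11,198.51.100.7
2026-06-17T02:11:09Z,005KLUEINTEG0001,Standard,/services/data/v59.0/query/,Python-urllib/3.11,198.51.100.7
2026-06-17T02:11:15Z,005KLUEINTEG0001,Standard,/services/data/v59.0/query/,Python-urllib/3.11,198.51.100.7
2026-06-17T02:11:20Z,005KLUEINTEG0001,Standard,/services/data/v59.0/query/,Python-urllib/3.11,198.51.100.7
2026-06-17T02:11:24Z,005KLUEINTEG0001,Standard,/services/data/v59.0/query/,Python-urllib/3.11,198.51.100.7
2026-06-17T09:30:00Z,005KLUEINTEG0001,Standard,/services/data/v59.0/sobjects/Account,KlueSync/2.4,198.51.100.7
2026-06-17T14:05:12Z,005HUMANUSER0042,Standard,/services/data/v59.0/query/,Mozilla/5.0,192.0.2.55
"""


def _parse_ts(value):
    # Event logs use a trailing Z; older Pythons' fromisoformat need +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(csv_text, integration_users=INTEGRATION_USERS,
           expected_cidrs=EXPECTED_VENDOR_CIDRS,
           business_hours=BUSINESS_HOURS_UTC,
           query_threshold=QUERY_VOLUME_THRESHOLD):
    """Return {user_id: sorted rule names} for every principal that trips a rule."""
    findings = defaultdict(set)
    query_counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["USER_ID"]
        is_integration = uid in integration_users

        # Rule 1: scripting client that a packaged integration would not present.
        if SUSPECT_UA.search(row["USER_AGENT"]):
            findings[uid].add("python_urllib_user_agent")

        # Rule 2 (tallied below): raw SOQL query endpoint hit by an integration principal.
        if is_integration and QUERY_URI.match(row["URI"]):
            query_counts[uid] += 1

        # Rule 3: integration activity outside the business-hours window.
        hour = _parse_ts(row["TIMESTAMP"]).hour
        if is_integration and not (business_hours[0] <= hour < business_hours[1]):
            findings[uid].add("out_of_hours_integration_session")

        # Rule 4: integration traffic from outside the vendor's expected range.
        # This does not fire for the sample attacker rows; that is the lesson.
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        if is_integration and not any(ip in net for net in expected_cidrs):
            findings[uid].add("unexpected_source_ip")

    for uid, count in query_counts.items():
        if count >= query_threshold:
            findings[uid].add("query_volume_from_integration_principal")
    return {uid: sorted(rules) for uid, rules in findings.items()}


if __name__ == "__main__":
    for uid, rules in triage(SAMPLE_LOG).items():
        print(uid, ", ".join(rules))
```

On the sample data the only principal flagged is the integration user, on the client, volume and timing rules; the human user's interactive /query/ call is ignored because it is not an integration principal, and the legitimate KlueSync call during business hours trips nothing. In production, feed this the daily API event-log export and tune the threshold per integration rather than globally.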