Klue / Icarus Salesforce OAuth-integration breach — from nine named victims to ~24, then the attacker gets hacked
From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29
This item carried over from W25, but the in-window deltas reshape it materially. At the start of the week the named-victim list stood at nine, mostly cybersecurity vendors (HackerOne, Huntress, Jamf, OneTrust and others; SecurityWeek 06-23). It then accreted through the week: 8x8 filed an SEC Form 8-K Item 1.05 on 06-23 confirming exfiltration from its Salesforce instance; BeyondTrust and LastPass disclosed theft of business-contact and sales data on 06-25; by 06-27 roughly two dozen firms had disclosed, and in a twist the Icarus attacker was itself hacked, with a second extortion actor now making its own threats over the stolen data. Salesforce disabled the Klue connected app.
The new lens the dailies could not assemble: this is a single dormant OAuth integration credential at one SaaS vendor cascading into multi-tenant CRM theft across that vendor's entire customer base, the exact failure mode ReliaQuest framed as "integration abused in CRM data theft" in W25. For a Swiss/EU SOC the takeaway is an OAuth-grant inventory exercise: enumerate third-party connected apps holding API scopes into your CRM and identity tenants, revoke dormant grants, and alert on bulk REST or Bulk API reads by integration principals. Patching helps nothing here, because no software was vulnerable; a delegated token was abused. (daily 06-23, daily 06-25, daily 06-27)
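The two checks that inventory exercise comes down to, as an added example that is not part of the brief or of any vendor's tooling: a dormancy pass over a connected-app grant export, and an hourly volume check over API usage rows for integration principals only. The record shapes are assumptions modelled loosely on Salesforce's OauthToken object and EventLogFile API rows (field names, user IDs, app names and both thresholds are constructed or assumed, not taken from the brief); swap in the real field names from your tenant's export before relying on it.

```python
"""Added example: offline OAuth-grant review over constructed records.
Record shapes, thresholds and IDs are assumptions, not Salesforce's
documented schema; adapt them to your tenant's actual export."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DORMANT_DAYS = 90            # assumption: unused this long => revoke candidate
BULK_ROWS_PER_HOUR = 50_000  # assumption: tune to the integration's normal volume

# Constructed snapshot time for the review.
NOW = datetime(2026, 6, 29, 12, 0, tzinfo=timezone.utc)

# Constructed grant inventory, shaped like a query over OauthToken
# (AppName, UserId, LastUsedDate, UseCount are assumed field names).
GRANTS = [
    {"AppName": "Klue Connector", "UserId": "005-integ-01",
     "LastUsedDate": "2026-06-20T02:41:00Z", "UseCount": 9,
     "Scopes": ["api", "refresh_token"]},
    {"AppName": "Marketing Sync", "UserId": "005-integ-02",
     "LastUsedDate": "2026-06-28T22:10:00Z", "UseCount": 41203,
     "Scopes": ["api"]},
    {"AppName": "Legacy BI", "UserId": "005-integ-03",
     "LastUsedDate": None, "UseCount": 0,
     "Scopes": ["full", "refresh_token"]},
    {"AppName": "Old Webhook", "UserId": "005-integ-04",
     "LastUsedDate": "2026-01-15T08:00:00Z", "UseCount": 2,
     "Scopes": ["api", "refresh_token"]},
]

# Constructed API-usage rows, shaped like EventLogFile EVENT_TYPE=API lines
# (TIMESTAMP_DERIVED, USER_ID, ENTITY_NAME, ROWS_PROCESSED are assumed names).
EVENTS = [
    {"TIMESTAMP_DERIVED": "2026-06-20T02:05:00Z", "USER_ID": "005-integ-01",
     "ENTITY_NAME": "Contact", "ROWS_PROCESSED": "20000"},
    {"TIMESTAMP_DERIVED": "2026-06-20T02:17:00Z", "USER_ID": "005-integ-01",
     "ENTITY_NAME": "Contact", "ROWS_PROCESSED": "20000"},
    {"TIMESTAMP_DERIVED": "2026-06-20T02:41:00Z", "USER_ID": "005-integ-01",
     "ENTITY_NAME": "Account", "ROWS_PROCESSED": "15000"},
    {"TIMESTAMP_DERIVED": "2026-06-20T03:10:00Z", "USER_ID": "005-integ-01",
     "ENTITY_NAME": "Lead", "ROWS_PROCESSED": "3000"},
    {"TIMESTAMP_DERIVED": "2026-06-20T02:30:00Z", "USER_ID": "005-integ-02",
     "ENTITY_NAME": "Opportunity", "ROWS_PROCESSED": "200"},
    # A human analyst pulling a big report: out of scope for this detection.
    {"TIMESTAMP_DERIVED": "2026-06-20T02:35:00Z", "USER_ID": "005-human-07",
     "ENTITY_NAME": "Contact", "ROWS_PROCESSED": "80000"},
]


def parse_ts(s):
    """Parse the Zulu timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_dormant_grants(grants, now=NOW, dormant_days=DORMANT_DAYS):
    """Return (AppName, UserId, reason) for grants to revoke: never used, or
    unused for longer than dormant_days. A forgotten refresh_token grant is
    a valid delegated credential that nobody is watching."""
    cutoff = now - timedelta(days=dormant_days)
    findings = []
    for g in grants:
        last = g.get("LastUsedDate")
        if last is None:
            findings.append((g["AppName"], g["UserId"], "never used"))
        elif parse_ts(last) < cutoff:
            age = (now - parse_ts(last)).days
            findings.append((g["AppName"], g["UserId"], f"unused {age} days"))
    return findings


def flag_bulk_reads(events, integration_users, rows_per_hour=BULK_ROWS_PER_HOUR):
    """Sum ROWS_PROCESSED per integration user per hour bucket and return the
    buckets above threshold. Human users are skipped: the detection is scoped
    to integration principals, whose normal pattern is small, regular reads."""
    totals = defaultdict(int)
    for e in events:
        if e["USER_ID"] not in integration_users:
            continue
        bucket = parse_ts(e["TIMESTAMP_DERIVED"]).replace(minute=0, second=0)
        totals[(e["USER_ID"], bucket)] += int(e["ROWS_PROCESSED"])
    return sorted((user, bucket.isoformat(), n)
                  for (user, bucket), n in totals.items() if n > rows_per_hour)


if __name__ == "__main__":
    integration_users = {g["UserId"] for g in GRANTS}
    for finding in find_dormant_grants(GRANTS):
        print("REVOKE", *finding)
    for alert in flag_bulk_reads(EVENTS, integration_users):
        print("BULK-READ ALERT", *alert)
```

Note the order the two checks matter in: the dormancy pass would have flagged the "Klue Connector" grant only before it was abused, because a last-used timestamp refreshes the moment the attacker redeems the token. Once that has happened, only the volume check (55,000 rows of Contact and Account data by one integration principal inside one hour in the constructed data) still fires, which is why the brief's advice pairs inventory hygiene with a bulk-read alert rather than relying on either alone.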