ctipilot.ch

Klue/Icarus Salesforce OAuth-token breach

campaign · campaign:klue-icarus-salesforce-oauth-breach

Coverage timeline: 1 · first 2026-06-25 → last 2026-06-25
Briefs: 1 · 1 distinct
Sources cited: 13 · 11 hosts
Sections touched: 1 · updates
Co-occurring entities: 8 · see Related entities below

Story timeline

  1. 2026-06-25 · CTI Daily Brief — 2026-06-25
     updates · UPDATE: BeyondTrust and LastPass added to named-victim list (now 14+); BeyondTrust is a PAM vendor. LastPass vaults unaffected.

Where this entity is cited

  • updates (1)

Source distribution

  • securityweek.com: 2 (15%)
  • bleepingcomputer.com: 2 (15%)
  • helpnetsecurity.com: 1 (8%)
  • huntress.com: 1 (8%)
  • klue.com: 1 (8%)
  • reliaquest.com: 1 (8%)
  • sec.gov: 1 (8%)
  • thehackernews.com: 1 (8%)
  • other: 3 (23%)

Related entities

All cited sources (13)

Items in briefs about Klue/Icarus Salesforce OAuth-token breach (5)

UPDATE: Klue/Icarus Salesforce OAuth breach — BeyondTrust and LastPass added to the named-victim list

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

UPDATE (originally covered 2026-06-19): BeyondTrust and LastPass have both disclosed that business-contact and sales-related data was exfiltrated from their Salesforce environments via the compromised Klue integration, pushing the confirmed named-victim count past 14 (SecurityWeek, 2026-06-24 · Help Net Security, 2026-06-24).

The BeyondTrust exposure is the notable delta: a privileged-access-management vendor losing its CRM contact and support-case data to a SaaS supply-chain compromise illustrates that security-vendor customer lists are a deliberate targeting priority for the Icarus extortion crew. LastPass states customer vaults were not affected. Salesforce had already disabled the Klue Battlecards connection on 17 June (The Hacker News, 2026-06-19). Any organisation receiving a Salesforce "Connected App disabled" notice for Klue should treat it as an incident trigger and audit Event Log File ApiTotalUsage / ApiAnomalyEventStore records for bulk REST API reads in the June 11–17 window (T1199, T1528, T1213.003).

UPDATE: 8x8 confirms Klue/Icarus Salesforce exfiltration in an SEC 8-K Item 1.05 filing

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

UPDATE (originally covered 2026-06-19; campaign delta 2026-06-23): US cloud-communications provider 8x8 (NASDAQ: EGHT) filed a Form 8-K Item 1.05 on 2026-06-23 disclosing that an unauthorised party accessed its Salesforce environment on 2026-06-11/12 via a third-party integration — the Klue competitive-intelligence platform — the OAuth-integration vector behind the Icarus extortion campaign already tracked in prior briefs (SEC EDGAR — 8x8 Form 8-K, 2026-06-23).

The filing states the accessed data is limited to contract information, internal sales notes and business contact data (names, business emails, phone numbers, mailing addresses). As a publicly-listed company's mandatory material-incident disclosure, it is the formal confirmation that 8x8 is a named Klue-integration victim, extending the campaign's confirmed-victim list.

Defender takeaway for anyone running SaaS-to-Salesforce OAuth integrations (including EU public-sector users of competitive-intel tooling): audit Connected Apps in Salesforce Setup → App Manager for unexpected or stale OAuth grants, scope connected-app permissions to least privilege, and monitor EventType=OAuthToken in Salesforce Event Monitoring for anomalous token use (T1078.004 Valid Accounts: Cloud, T1550.001 token abuse).

UPDATE: Klue/Icarus OAuth-token breach — named victim list expands to nine firms, mostly cybersecurity vendors

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

UPDATE (originally covered 2026-06-21): At least nine Klue customers have now publicly confirmed Salesforce-CRM data impact from the 11–12 June Icarus intrusion: HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity and Sprout Social (SecurityWeek, 2026-06-22). Exposed data is sales-account and contact information — names, business emails, job titles, phone numbers and addresses — exfiltrated via OAuth tokens from a dormant Klue→Salesforce integration; the actor (Icarus, also tracked as UNC6395) had set a 22 June publication deadline.

The concentration of cybersecurity vendors in the victim list is the notable delta: contact data for security-operations staff at those firms' customers now sits in a threat-actor corpus and is prime material for precision spear-phishing aimed at security roles. The structural lesson is unchanged from first coverage — enumerate and revoke unused third-party OAuth grants in Salesforce (Setup → Identity → OAuth Usage), scope active grants to minimum-necessary objects, and alert via Salesforce Event Monitoring on a connected app pulling thousands of account records in a single short session.
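The inventory step the two briefs above describe (Setup → App Manager, Setup → Identity → OAuth Usage) as a triage script. This is an added example, not code from the brief, from Klue, Salesforce or any named vendor. It assumes grant records shaped like Salesforce's OauthToken object (AppName, UserId, CreatedDate, LastUsedDate, UseCount) and pulls them with a SOQL query written from memory of that object, so verify object and field names in your own org; the sample rows and the approved-app list are constructed placeholders. It goes slightly beyond the brief by also flagging active grants to apps outside an allow-list, since a dormant credential is only one of the two ways an unexpected grant shows up.

```python
from datetime import datetime, timedelta, timezone

# Assumption: grant rows look like the OauthToken object behind Setup -> Identity ->
# OAuth Usage. Verify the object and field names against your org before relying on it.
GRANT_SOQL = ("SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount "
              "FROM OauthToken ORDER BY LastUsedDate NULLS FIRST")

# Constructed sample rows; Ids, app names, user ids and dates are placeholders.
SAMPLE_GRANTS = [
    {"Id": "0XXPLACEHOLDER01", "AppName": "CompetitiveIntelConnector",
     "UserId": "005INTEG0002", "CreatedDate": "2025-02-10T09:00:00.000Z",
     "LastUsedDate": "2025-03-01T17:45:00.000Z", "UseCount": 3},
    {"Id": "0XXPLACEHOLDER02", "AppName": "CompetitiveIntelConnector-prototype",
     "UserId": "005INTEG0002", "CreatedDate": "2024-11-20T09:00:00.000Z",
     "LastUsedDate": None, "UseCount": 0},
    {"Id": "0XXPLACEHOLDER03", "AppName": "MarketingSync",
     "UserId": "005INTEG0001", "CreatedDate": "2025-06-01T09:00:00.000Z",
     "LastUsedDate": "2026-06-10T08:12:00.000Z", "UseCount": 8120},
    {"Id": "0XXPLACEHOLDER04", "AppName": "PersonalBrowserExtension",
     "UserId": "005USER00042", "CreatedDate": "2026-06-01T09:00:00.000Z",
     "LastUsedDate": "2026-06-09T08:12:00.000Z", "UseCount": 11},
]

# Placeholder allow-list of integrations the org has actually approved.
APPROVED_APPS = frozenset({"MarketingSync", "CompetitiveIntelConnector"})


def _parse_ts(value):
    """Salesforce datetimes come back as ISO-8601 with milliseconds and a Z suffix."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage_grants(grants, now, dormant_days=90, approved=APPROVED_APPS):
    """Classify each OAuth grant as revoke / review / keep with a reason.

    A grant that has never been used counts as dormant once it is older than
    dormant_days: a prototype integration nobody ever exercised is exactly the
    kind of credential a compromised platform can quietly start using.
    """
    cutoff = now - timedelta(days=dormant_days)
    decisions = []
    for g in grants:
        last = _parse_ts(g["LastUsedDate"])
        created = _parse_ts(g["CreatedDate"])
        if last is None and created <= cutoff:
            action, why = "revoke", "never used since creation"
        elif last is not None and last <= cutoff:
            action, why = "revoke", f"dormant: last used {(now - last).days} days ago"
        elif g["AppName"] not in approved:
            action, why = "review", "active grant to an app outside the approved list"
        else:
            action, why = "keep", "active (or new) and approved"
        decisions.append({"Id": g["Id"], "AppName": g["AppName"],
                          "UserId": g["UserId"], "action": action, "reason": why})
    return decisions


def revoke_list(decisions):
    """Ids to hand to whoever performs the revocation (OAuth Usage -> Revoke)."""
    return [d["Id"] for d in decisions if d["action"] == "revoke"]


def triage_sample(now="2026-06-19T00:00:00.000Z"):
    """Run the triage over the constructed rows as of a constructed 'today'."""
    return triage_grants(SAMPLE_GRANTS, _parse_ts(now))


if __name__ == "__main__":
    for d in triage_sample():
        print(f'{d["action"]:6} {d["AppName"]:36} {d["reason"]}')
    print("revoke:", revoke_list(triage_sample()))
```

Run it as-is to see the four constructed grants sorted into revoke / review / keep; in practice feed it the rows returned by GRANT_SOQL and lower dormant_days if your integrations are expected to call in daily.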

Klue / Icarus — one dormant integration credential cascades into multi-tenant Salesforce CRM theft

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The Icarus extortion actor turned a single legacy credential at a SaaS integration vendor into bulk CRM theft across that vendor's customer base. First covered 2026-06-19: Icarus (active since ~April 2026) compromised the backend of Klue Battlecards — a competitive-intelligence SaaS that integrates with customer Salesforce tenants over OAuth — obtained a dormant/prototype-integration credential, injected code into Klue's application layer to harvest each customer's stored Salesforce OAuth access tokens, then queried the Salesforce REST API directly for ~24 hours per victim before Salesforce flagged the anomaly (ReliaQuest, 2026-06-17; daily 06-19). By 2026-06-21 the named victim list had grown to include Huntress, Recorded Future, Tanium and Jamf, the harvested tokens spanned Salesforce plus Gong, HubSpot and SharePoint, and Huntress forensics tied the abuse to Salesforce REST calls at /services/data/v59.0/query/ carrying a python-urllib User-Agent (Klue, 2026-06-19; Huntress, 2026-06-18; daily 06-21).

The chain — compromise an integration platform's legacy credential, harvest downstream OAuth tokens, query customer CRM APIs from the platform's legitimate IP range (T1199, T1528, T1078.004, T1530) — bypasses every endpoint and network control the victim operates, and is the same trust-path class as the broader Salesforce-OAuth extortion wave. For CH/EU SOCs the takeaway is governance of delegated-OAuth grants: inventory and revoke dormant third-party SaaS integrations, enforce IP restrictions and short token TTLs on connected-app policies, and stream Salesforce Event Monitoring for non-user API principals and python-urllib-style callers.

Icarus extortion group turns a dormant Klue credential into bulk Salesforce CRM theft across customers

From CTI Daily Brief — 2026-06-19 · published 2026-06-19

A newly tracked extortion actor, Icarus (active since ~April 2026), compromised the backend of Klue Battlecards — a competitive-intelligence SaaS that integrates with customer Salesforce tenants over OAuth — and used it to steal CRM data from Klue's enterprise customers (ReliaQuest, 2026-06-17). Icarus obtained a dormant/prototype-integration credential, injected code into Klue's application layer to harvest the stored OAuth access tokens for each customer's Salesforce integration, then queried the Salesforce REST API directly (/services/data/v59.0/sobjects/ enumeration and /services/data/v59.0/query SOQL) for roughly 24 hours per victim before Salesforce flagged anomalous API usage and disabled the Klue integration platform-wide. The chain maps to T1199 Trusted Relationship → T1528 Steal Application Access Token → T1078.004 Valid Cloud Accounts → T1530 Data from Cloud Storage Object, bypassing every endpoint and network control the victim operates. Huntress self-disclosed that its own Salesforce sales data (contacts, internal communications, pricing) was exfiltrated, while confirming its own systems were not breached (Huntress, 2026-06-18). Icarus contacts victims directly under the alias "mr bean" on Session Messenger. Why it matters to us: delegated-OAuth grants to third-party SaaS are a perimeter-bypassing trust path that endpoint and network controls never see. Inventory Salesforce Connected-App OAuth grants, revoke dormant/prototype integrations, enforce short token TTLs and IP-range restrictions on grant policies, and stream Salesforce Event Monitoring (SObject-enumeration and bulk-SOQL patterns from integration users) to your SIEM.
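The Event Monitoring patterns named across these briefs (bulk REST reads by one connected app in a short session, SObject enumeration, a python-urllib caller, a date window such as 11–17 June) as detection logic over exported log rows. This is an added example, not code from the brief or from Huntress, ReliaQuest, Klue or Salesforce. It assumes EventLogFile rows of type ApiTotalUsage with the column names shown, which are my reading of that schema and may need adjusting to your export (in particular which column carries the caller's User-Agent); the sample rows are constructed and the connected-app and user ids are placeholders.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ApiTotalUsage EventLogFile columns; verify against your org's export.
COLUMNS = ["TIMESTAMP_DERIVED", "USER_ID", "CONNECTED_APP_ID", "CLIENT_NAME",
           "URI", "ENTITY_NAME", "API_TYPE", "STATUS_CODE"]
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Generic scripting clients an interactive CRM user never presents.
SCRIPT_CLIENT_PREFIXES = ("python-urllib", "python-requests")


def build_sample_log():
    """Constructed CSV: one benign integration and one that behaves like the
    described intrusion. Ids, client strings and times are placeholders."""
    t0 = datetime(2026, 6, 11, 22, 0, 0)
    rows = []

    def add(ts, user, app, client, uri, entity):
        rows.append([ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"), user, app, client,
                     uri, entity, "REST", "200"])

    # Benign: a marketing sync reads a few leads over an hour with its own client name.
    for i in range(5):
        add(t0 + timedelta(minutes=12 * i), "005INTEG0001", "0H4APPMKTG0001",
            "MarketingSync/2.3", "/services/data/v59.0/query", "Lead")
    # Suspicious: a second integration principal lists every object, then loops
    # over Account and Contact queries every ten seconds from a python-urllib client.
    add(t0 + timedelta(minutes=3), "005INTEG0002", "0H4APPCOMPINT01",
        "Python-urllib/3.11", "/services/data/v59.0/sobjects", "")
    for i in range(60):
        add(t0 + timedelta(minutes=3, seconds=20 + 10 * i), "005INTEG0002",
            "0H4APPCOMPINT01", "Python-urllib/3.11", "/services/data/v59.0/query",
            "Account" if i % 2 == 0 else "Contact")

    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    writer.writerows(sorted(rows, key=lambda r: r[0]))  # ISO strings sort by time
    return buf.getvalue()


def _ts(row):
    return datetime.strptime(row["TIMESTAMP_DERIVED"], TS_FMT)


def sessionize(rows, idle_gap=timedelta(minutes=30)):
    """Group rows per (user, connected app) into sessions split on idle gaps."""
    per_principal = defaultdict(list)
    for row in sorted(rows, key=_ts):
        per_principal[(row["USER_ID"], row["CONNECTED_APP_ID"])].append(row)
    sessions = []
    for principal, prows in per_principal.items():
        current = [prows[0]]
        for row in prows[1:]:
            if _ts(row) - _ts(current[-1]) > idle_gap:
                sessions.append((principal, current))
                current = []
            current.append(row)
        sessions.append((principal, current))
    return sessions


def score_session(rows, bulk_threshold=50, bulk_window=timedelta(minutes=15)):
    """Return the indicators a session shows; an empty list means nothing to flag."""
    findings = []
    clients = sorted({r["CLIENT_NAME"] for r in rows})
    if any(c.lower().startswith(SCRIPT_CLIENT_PREFIXES) for c in clients):
        findings.append("script-style client: " + ", ".join(clients))
    if any(r["URI"].rstrip("/").endswith("/sobjects") for r in rows):
        findings.append("SObject enumeration (listing all objects)")
    queries = [r for r in rows if "/query" in r["URI"]]
    if len(queries) >= bulk_threshold:
        span = _ts(queries[-1]) - _ts(queries[0])
        if span <= bulk_window:
            objects = sorted({q["ENTITY_NAME"] for q in queries if q["ENTITY_NAME"]})
            findings.append(f"bulk SOQL: {len(queries)} query calls in "
                            f"{int(span.total_seconds() // 60)} min on {', '.join(objects)}")
    return findings


def find_suspicious(log_text, start=None, end=None):
    """Map (user, connected app) -> findings for sessions inside an optional
    [start, end] window given as TIMESTAMP_DERIVED-style strings."""
    lo = datetime.strptime(start, TS_FMT) if start else None
    hi = datetime.strptime(end, TS_FMT) if end else None
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if (lo is None or _ts(r) >= lo) and (hi is None or _ts(r) <= hi)]
    hits = {}
    for principal, srows in sessionize(rows):
        findings = score_session(srows)
        if findings:
            hits[principal] = findings
    return hits


if __name__ == "__main__":
    for (user, app), findings in find_suspicious(build_sample_log()).items():
        print(f"user={user} connected_app={app}")
        for f in findings:
            print("  -", f)
```

Thresholds are deliberately conservative; tune bulk_threshold against a week of your own ApiTotalUsage volume per connected app, and treat any session that trips all three indicators as an incident trigger rather than a ticket.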