Home/ Blog/ Security news/ Article
Blog · Security news

Your Salesforce wasn't breached. A connected app handed over the data.

The Icarus group stole Salesforce CRM data through Klue's connected app, not a Salesforce flaw. Why OAuth integration tokens are the unmonitored attack surface.

Forgotten key in an open back door beside a sealed front gate
By Suriq's Jack · ·Security news · 5 min read

Salesforce was not breached. The platform held, the same way it held when Salesloft Drift was abused and when Gainsight was abused. What gave way this time was a connected app called Klue, and the OAuth tokens it held to read its customers' Salesforce data. An extortion crew that calls itself Icarus walked through that door, ran automated queries against the CRM for roughly a full day, and walked out with sales contacts, price quotes, and account records belonging to multiple companies, including several security vendors.

If your team has ever clicked "Connect to Salesforce" on a third-party tool, this is your attack surface, and almost nobody is watching it.

What actually happened with Klue

Klue makes competitive-intelligence "battlecards" that plug into Salesforce and a long list of other SaaS tools. According to Salesforce, it disabled the Klue integration platform-wide on June 11, 2026, after a security incident at Klue. Klue itself caught the intruder a day later, on June 12, inside the systems that run those integrations. On June 16, employees at Huntress started receiving extortion emails carrying a 48-hour deadline.

The entry point was not a Salesforce flaw and not a clever zero-day. Investigators at ReliaQuest, the firm that uncovered the campaign, traced it to a dormant credential Klue had created for a prototype integration and never decommissioned. That stale account was still live. The attackers used it to reach Klue's environment, generated OAuth tokens, then ran automated Python scripts that queried Salesforce's REST API for close to 24 hours, enumerating objects and bulk-exporting records. Salesforce was blunt that the issue lived in Klue's app connection, not in Salesforce itself.

The two accounts differ on one detail worth flagging. The Hacker News frames the theft as tokens generated from the compromised service account. BleepingComputer reports the attackers also pushed a malicious code update into Klue's backend that harvested customer OAuth tokens directly. Both agree the dormant credential was the way in and OAuth tokens were the payout; whether the tokens were minted or skimmed is the open question.

Icarus is new. ReliaQuest says the group launched around April 2026 and had listed only two victims before this campaign. The tradecraft looked enough like the ShinyHunters Salesforce extortion campaign that early reporting drew the comparison, but BleepingComputer is clear that ShinyHunters was not behind this one. Huntress confirmed the thieves reached business contacts and sales data, but not threat intelligence, customer telemetry, passwords, or engineering systems.

Three breaches, one trust boundary

Look at the sequence. Salesloft Drift. Gainsight. Now Klue. In every case the headline names Salesforce, and in every case Salesforce's own platform was never the thing that broke. The constant is the OAuth grant a customer hands to a third-party app, and the fact that this grant lives outside almost every control a security team applies to its own people.

This is the part defenders keep underrating. A connected app's token does not get prompted for MFA. It is not subject to your conditional-access policy. It rarely expires on a schedule anyone tracks, and it is usually scoped far wider than the app needs because nobody pushed back during the procurement demo. A stolen connected-app token is a skeleton key with none of the friction a stolen employee password would hit. That is why 24 hours of bulk API extraction can run to completion without tripping a single alarm.

The victim list makes the second point for me. Huntress, Recorded Future, Tanium, and Jamf all confirmed stolen Salesforce data, and every one of them is a security company. They are not the soft targets in anyone's threat model. If firms that hunt this exact behavior for a living got their CRM data pulled through a vendor's token, the lesson is not "be more mature." You cannot out-mature your vendors' credential hygiene. Connected-app sprawl is a procurement problem that lands as a security incident, and the security team usually finds out after the extortion email.

Why the dormant credential keeps being the root cause

Strip away the brand names and these incidents are non-human identity lifecycle failures. A credential gets created for a test, a prototype, a one-time migration. The project ships, the people move on, and the credential is never revoked. Months later it is the quietest path into a system that real customers depend on. We saw the same shape when malicious third-party plugins stole developer credentials and when a trusted vendor pushed a backdoored update.

Human accounts get offboarding workflows. Service accounts, integration credentials, and OAuth grants mostly do not. There is no leaving-the-company trigger for a token, so it sits until someone audits it or an attacker finds it first. The Klue prototype credential is the same species of mistake as a forgotten CI deploy key or an old personal access token with org-wide scope, the same class of token expiration and session revocation gaps defenders keep rediscovering.

What to do this week

Treat this as today's work if you run Salesforce or any CRM with connected apps.

  • Revoke and rotate. Pull the OAuth tokens for Klue and any integration you do not actively need, and terminate active sessions. ReliaQuest published four attacker IP addresses; check your Salesforce and SaaS logs for API activity from them.

  • Inventory your connected apps. Pull the full list of OAuth-authorized apps in Salesforce and every major SaaS tenant. Most teams have never looked. You will find apps nobody remembers approving.

  • Cut the scopes. An app that needs read access to contacts should not hold a token that can bulk-export every object. Re-grant on least privilege, even where it means a support ticket with the vendor.

  • Alert on app-identity behavior, not just human logins. A connected app enumerating objects and running bulk REST queries for hours is a behavioral signature distinct from human CRM use. Salesforce event monitoring can surface it; the gap is that almost no one alerts on API volume tied to an app identity.

The uncomfortable read here is that this pattern is not slowing down. The Salesforce integration marketplace is enormous, every connected app is a credential holder, and Icarus just proved a four-month-old crew can monetize one stale token. Expect the next name in this sequence within weeks, and expect the platform to be innocent again. The question worth asking in your own environment is simpler than attribution: which of your vendors could lose a token tonight, and would you see it before the email arrived?

Topics
Supply-chain attacksData breachesOAuth & SaaS tokens

Frequently asked questions

Was Salesforce itself breached in the Klue incident?

No. Salesforce's platform was not breached. Attackers compromised Klue, a third-party connected app, and abused the OAuth tokens Klue held to read customer Salesforce data. Salesforce disabled the Klue integration platform-wide on June 11, 2026 as part of its response.

Who is the Icarus threat group?

Icarus is an extortion group that ReliaQuest says launched around April 2026. It had listed only two victims before the Klue campaign. Its tradecraft resembled earlier ShinyHunters Salesforce thefts, but BleepingComputer reports ShinyHunters was not behind this attack.

How did attackers steal the Salesforce data?

They used a dormant Klue credential created for a prototype integration and never decommissioned. From there they generated OAuth tokens and ran automated Python scripts against Salesforce's REST API for close to 24 hours, enumerating objects and bulk-exporting CRM records.

What data was stolen from the victims?

Stolen data included business contacts, sales communications, price quotes, competitive intelligence reports, and account records. Huntress confirmed attackers reached business contacts and sales data but not threat intelligence, customer telemetry, passwords, payment information, or engineering systems.

What should defenders do about connected-app OAuth risk?

Inventory every OAuth-authorized app in Salesforce and other SaaS tenants, revoke tokens for apps you do not need, and rotate the rest. Cut over-broad scopes to least privilege, and alert on bulk API activity tied to an app identity, not just human logins.

Why are OAuth integration tokens a blind spot?

Connected-app tokens skip the controls applied to people. They are not prompted for MFA, not covered by conditional access, rarely expire on a tracked schedule, and are often over-scoped. A stolen token works like a skeleton key with none of the friction a stolen password would hit.

Keep reading
Security news

Your Squid proxy can leak other users' passwords, and the 7.6 update won't fix it

Squidbleed (CVE-2026-47729) leaks memory from Squid proxies in default config, including login credentials. A public exploit is out, and 7.6 does not patch it.

Noam Alum · Jun 22, 2026
Security news

That decade-old router you forgot is now scanning networks for attackers

A botnet called AryStinger hijacked over 4,300 end-of-life D-Link and Linksys routers into a distributed scanning grid for reconnaissance, not DDoS. What to do.

Suriq's Jack · Jun 21, 2026
Security news

Millions of hacked TV boxes now rent attackers a trusted home IP. Your blocklist can't see it.

Researchers linked the Popa botnet of 2 million hacked TV boxes to a residential proxy service. Here is why IP reputation no longer stops account takeovers.

Suriq's Jack · Jun 21, 2026

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.

Request access Meet the clan