The short version

Alright, here’s the spicy nutshell: Klue — a market-intel platform — had a security hiccup that let attackers swipe integration credentials and use them to siphon data out of customers’ Salesforce instances. The miscreants reportedly grabbed OAuth tokens tied to Klue’s integrations, spun up API calls for a long time, and downloaded CRM stuff like contacts, sales notes, and pricing details. The Icarus extortion crew later stepped up on their leak site and claimed responsibility.

What happened, who’s affected, and what to do

Timeline, boring but useful: Klue spotted unusual activity in their integration setup on June 12. The root cause looks like a compromised old credential for an integration service. That access let the attackers mint tokens and poke around customer Salesforce environments. Klue says their own hosted content wasn’t touched — the hit was limited to third-party integrations — and they immediately cut the keys, removed rogue code, shut down affected integrations, and brought in an incident response firm.

Researchers from security shops also dug in and found the attack pattern: attackers used the stolen tokens with automated scripts to query Salesforce’s API repeatedly and quietly exfiltrate data. One security team that was hit confirmed stolen items included business contacts, sales communications, pricing info, and similar CRM records.

  • Known organizations that disclosed impacts include Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity, and Huntress (one of the security firms that investigated).
  • The extortion group known as Icarus claimed credit and tried to pressure victims to contact them via a private messenger service to stop a leak.
  • There’s no public sign Klue’s core platform data was stolen — the problem was integrations and the third-party access they enabled.

So, what should teams actually do? Here’s a handy checklist (try not to roll your eyes, do them anyway):

  • Immediately revoke tokens and rotate any integration credentials tied to Klue or other third-party services.
  • Force-refresh API credentials and Salesforce app connections, and rotate service account passwords where applicable.
  • Audit logs and look for unusual API activity: long-lived tokens, scripted queries, unexplained data exports.
  • Enable stricter scopes and least-privilege for integrations so a single compromised token can’t see everything.
  • Notify affected customers and employees, and warn them about potential follow-on phishing or social engineering using stolen contact details.
  • Engage incident response and, if needed, law enforcement. Consider a third-party forensic review if data sensitivity is high.
  • Finally, treat this as a reminder: review legacy credentials, retire what’s unused, and add monitoring and alerts for unusual integration behavior.

TL;DR — a legacy credential opened a door, attackers used it to mint tokens and grab CRM data, and an extortion gang claims the haul. If your org uses Klue or similar integrations, assume a token can be stolen and act like someone already did: rotate, audit, and lock things down.