Klue OAuth breach victim list grows as Icarus hackers claim the attack

Market intelligence platform Klue has publicly confirmed a recent security incident in which threat actors stole OAuth tokens used to connect to customers' Salesforce sites, as a new extortion-style group calling itself “Icarus” publicly claimed the attack.
The disclosure comes after cybersecurity firms Huntress and ReliaQuest detailed how attackers abused the Klue Battlecards integration to steal Salesforce CRM data from multiple organizations.
In a statement published this week, Klue’s CEO, Jason Smith, confirmed that the company discovered unauthorized activity on June 12 that affected part of Klue’s integration infrastructure.

“On June 12, we identified unauthorized activity affecting part of Klue’s integration infrastructure. Since then, we’ve been working with trusted cybersecurity experts to understand what happened, support our customers, and restore the connectivity you rely on,” Smith wrote.
“Our investigation found that an attacker gained access to compromised legacy credentials related to the integration service. The attacker used that access to obtain OAuth tokens used to connect Klue to certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.”
The company says there is currently no evidence that customer content stored directly within the Klue platform has been impacted and that the incident is limited to third-party integrations.
Klue says it immediately revoked the affected credentials and tokens, removed the unauthorized code, disabled the affected integration, launched an investigation, and notified law enforcement. The company also confirmed that it is working with CrowdStrike to help with the response.
ReliaQuest and Huntress discovered that attackers used stolen OAuth credentials associated with Klue integrations to access Salesforce customer sites and steal large amounts of data.
ReliaQuest observed the attackers generating OAuth tokens and using Python scripts to query Salesforce’s API for extended periods of time while the data was exfiltrated.
Huntress later disclosed that its Salesforce environment was affected by the Klue breach and that the data stolen included business contacts, sales communications, pricing information, and other records.
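The abuse pattern ReliaQuest describes, a legitimate integration's OAuth token suddenly driving hours of scripted API queries, is something a Salesforce administrator can look for in API activity records. The following is an added example, not code from Klue, Huntress, ReliaQuest or BleepingComputer: it groups each connected app's API calls into sessions and flags sessions that are either sustained (long and chatty) or bulk (unusually many rows returned). The event records are constructed for the example, and the field names (`client_id`, `user`, `operation`, `rows`) are assumptions rather than the real Salesforce event log schema; map them to whatever your own export provides.

```python
"""Flag sustained or bulk API querying by an integration's OAuth token.

Added example (not from the article's sources). Event fields are assumed,
not a real Salesforce schema; sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ApiEvent:
    ts: datetime
    client_id: str   # OAuth connected-app identifier (hypothetical field)
    user: str        # integration user the token acts as (hypothetical field)
    operation: str   # e.g. "query"
    rows: int        # rows returned by the call


def build_sample_events():
    """Constructed activity for one day: normal integration traffic, a short
    nightly bulk sync, and a stolen-token session riding the same client id."""
    base = datetime(2025, 6, 12, 0, 0)  # date from the article; times are made up
    events = []
    # Legitimate integration: one small query every 30 minutes all day.
    for i in range(48):
        events.append(ApiEvent(base + timedelta(minutes=30 * i),
                               "app_battlecards", "integration@example.com", "query", 40))
    # Legitimate nightly sync: 30 large queries inside 15 minutes.
    for i in range(30):
        events.append(ApiEvent(base + timedelta(hours=2, seconds=30 * i),
                               "app_nightly_sync", "sync@example.com", "query", 2000))
    # Stolen token: same client id as the integration, a 2000-row query
    # every 20 seconds for three hours starting at 03:00.
    for i in range(540):
        events.append(ApiEvent(base + timedelta(hours=3, seconds=20 * i),
                               "app_battlecards", "integration@example.com", "query", 2000))
    return sorted(events, key=lambda e: e.ts)


def sessionize(events, max_gap=timedelta(minutes=5)):
    """Group each client's calls into sessions, splitting where the gap
    between consecutive calls exceeds max_gap."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_client[e.client_id].append(e)
    sessions = []
    for evs in by_client.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e.ts - current[-1].ts > max_gap:
                sessions.append(current)
                current = [e]
            else:
                current.append(e)
        sessions.append(current)
    return sessions


def find_bulk_sessions(events, min_minutes=60, min_calls=100, min_rows=500_000):
    """Return sessions that look like scripted exfiltration: long AND chatty
    ('sustained'), or returning a very large number of rows ('bulk')."""
    findings = []
    for s in sessionize(events):
        calls = len(s)
        rows = sum(e.rows for e in s)
        minutes = (s[-1].ts - s[0].ts).total_seconds() / 60
        reasons = []
        if minutes >= min_minutes and calls >= min_calls:
            reasons.append("sustained")
        if rows >= min_rows:
            reasons.append("bulk")
        if reasons:
            findings.append({
                "client_id": s[0].client_id, "user": s[0].user,
                "start": s[0].ts, "end": s[-1].ts,
                "calls": calls, "rows": rows, "minutes": minutes,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_bulk_sessions(build_sample_events()):
        print(f"{f['client_id']} as {f['user']}: {f['calls']} calls, "
              f"{f['rows']} rows over {f['minutes']:.0f} min [{', '.join(f['reasons'])}]")
```

The thresholds are deliberately conservative defaults: the short nightly sync returns 60,000 rows in 15 minutes and is not flagged, while the stolen-token session is caught on both counts. Tune `min_rows` and `min_minutes` to each integration's observed baseline, and treat a hit on an integration's own client id as a reason to revoke and reissue that token rather than to whitelist the app.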
Icarus claims responsibility
While BleepingComputer and Huntress had previously linked the incident to the Icarus hacking operation, the threat actors have now publicly claimed responsibility for the breach.
“As you may have heard, Klue.com was contacted by us recently. The numbers of other Salesforce companies, who were Klue partners, were pulled,” the Icarus post read.

The threat actors go on to pressure Klue and the affected organizations to contact them through the Session messaging platform to prevent the leak of the stolen data.
This post comes after BleepingComputer previously reported that the attack was linked to Icarus, after sources shared phishing emails sent to affected organizations. Huntress also independently linked the operation to Icarus through Session Messenger IDs used in phishing emails and the group’s data leak site.
Since then, additional victims have disclosed that they were affected by the attack, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.
Almost all said the incident resulted in the theft of data from their Salesforce instances and did not affect their platforms, infrastructure, billing information, or internal systems.
Many of these organizations have warned that stolen business contact information can be used in phishing and social engineering campaigns and urged customers to be vigilant.
