Overview
- The campaign began with unauthorized access to Klue's integration backend, which investigators trace to activity starting on June 11; that access led to a code push that collected customer OAuth tokens.
- Attackers abused a long‑disused prototype integration credential to deploy token‑harvesting code inside Klue, allowing them to generate OAuth sessions for customer connections.
- ReliaQuest observed automated Python scripts enumerating Salesforce objects and running sustained REST API queries for roughly 24 hours, including bursts of nearly 1,000 queries in 15 minutes, to pull CRM records.
- Multiple firms including Huntress and Recorded Future confirmed theft of Salesforce business data such as contact lists, price quotes, and sales communications, and the extortion group Icarus has claimed responsibility via a leak site and Session IDs.
- Klue revoked the affected credentials, removed the malicious code and disabled many integrations; Salesforce disabled the Klue Battlecards app; law enforcement and CrowdStrike are involved. Affected organizations are urged to rotate tokens, review API logs for the query pattern above, and terminate active sessions.
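The query pattern described above (object enumeration plus roughly 1,000 REST calls in a 15-minute window from one connected app) is simple to hunt for in API event logs. The following is an added example written for this summary, not code from Klue, Salesforce or any of the firms named; it runs a sliding-window burst check and a distinct-object count over constructed log lines. The line format (`<iso-timestamp> <app> <method> <uri>`), the app names `harvester_app` and `nightly_sync`, and the ten-object enumeration threshold are assumptions chosen for illustration; only the 1,000-calls-per-15-minutes figure comes from the report.

```python
"""Burst and object-enumeration detection over Salesforce-style API event records.
Added example; log schema, app names and the ENUM_THRESHOLD value are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Burst figures taken from the reported activity: ~1,000 REST calls in 15 minutes.
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 1000
ENUM_THRESHOLD = 10  # distinct sObjects touched by one principal (assumed value)

# Object name from either a REST path (/sobjects/<Name>/...) or SOQL ("FROM <Name>").
_OBJ_RE = re.compile(r"/sobjects/([A-Za-z0-9_]+)|FROM\s+([A-Za-z0-9_]+)", re.I)


def parse_record(line):
    """Parse one constructed log line '<iso-ts> <app> <method> <uri>' into a dict."""
    ts, app, method, uri = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "app": app, "method": method, "uri": uri}


def objects_in_uri(uri):
    """Return the set of sObject names referenced by a REST URI or its embedded SOQL."""
    return {a or b for a, b in _OBJ_RE.findall(unquote_plus(uri))}


def find_bursts(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {app: (window_start, count)} for the first window in which one principal
    issued at least `threshold` calls within `window`. Two-pointer sweep over sorted times."""
    by_app = defaultdict(list)
    for r in records:
        by_app[r["app"]].append(r["ts"])
    hits = {}
    for app, times in by_app.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # drop calls that fell out of the window
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[app] = (times[lo], hi - lo + 1)
                break
    return hits


def find_enumeration(records, threshold=ENUM_THRESHOLD):
    """Return {app: sorted object names} for principals touching >= threshold distinct sObjects."""
    seen = defaultdict(set)
    for r in records:
        seen[r["app"]].update(objects_in_uri(r["uri"]))
    return {app: sorted(objs) for app, objs in seen.items() if len(objs) >= threshold}


def build_sample_log():
    """Constructed sample data, not real telemetry: one app sweeping 12 objects at
    two calls per second for ten minutes, plus a quiet app making 20 calls in 20 hours."""
    start = datetime(2025, 6, 12, 3, 0, 0)
    objs = ["Account", "Contact", "Lead", "Opportunity", "Quote", "QuoteLineItem",
            "Task", "EmailMessage", "Case", "Campaign", "Pricebook2", "Product2"]
    lines = []
    for i in range(1200):
        t = start + timedelta(milliseconds=500 * i)
        uri = f"/services/data/v60.0/query?q=SELECT+Id+FROM+{objs[i % len(objs)]}+LIMIT+2000"
        lines.append(f"{t.isoformat()} harvester_app GET {uri}")
    for i in range(20):
        t = start + timedelta(hours=i)
        lines.append(f"{t.isoformat()} nightly_sync GET /services/data/v60.0/sobjects/Account/001xx")
    return lines


def analyze(lines):
    """Run both detections and return their hits keyed by detection name."""
    records = [parse_record(line) for line in lines]
    return {"bursts": find_bursts(records), "enumeration": find_enumeration(records)}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        for app, detail in hits.items():
            print(f"{kind}: {app} -> {detail}")
```

Keying on the connected app (or the OAuth client and user pair) rather than on source IP matters here: the harvested tokens were used through the legitimate integration identity, so the distinguishing signals are rate and breadth of access, not origin. The two-pointer sweep keeps the burst check linear in the number of events per principal, so it scales to a day of API logs.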