Particle.news

Klue Supply-Chain Breach Exposes Salesforce CRM Data

Attackers used a compromised legacy credential to harvest OAuth tokens that let them impersonate Klue inside customers’ Salesforce accounts, and the incident has spawned an active extortion threat and forensic probes.

Overview

  • Klue’s integration backend was breached on June 11–12, allowing attackers to add token‑harvesting code and extract OAuth tokens that gave access to connected Salesforce environments.
  • Klue revoked the legacy credential and affected tokens, removed the unauthorized code and disabled impacted integrations while Salesforce disabled the Klue Battlecards app on June 17 to stop further access.
  • At least nine customers, including multiple cybersecurity firms and technology companies, say their Salesforce instances had CRM records copied, including sales account details and business contact information such as names, emails, titles and phone numbers.
  • A cyber extortion group calling itself Icarus has claimed responsibility, listed Klue on a dark‑web leak site and issued a June 22 deadline threatening to publish the stolen data, prompting customer notifications and heightened phishing warnings.
  • Security responders including CrowdStrike and law enforcement are investigating, and organizations are advised to revoke and rotate OAuth grants, terminate active sessions, review API logs and monitor for follow‑on phishing and extortion attempts while the wider industry reassesses third‑party integration risks.
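The last bullet lists the response steps defenders are advised to take: revoke and rotate OAuth grants, terminate sessions and review API logs for what the stolen tokens touched. The script below is an added illustration of the log-review step, not code from the article, from Klue or from Salesforce. It works over a constructed, pipe-delimited API-usage export (a hypothetical format; real CRM audit logs differ), establishes each connected app's normal per-call row volume before the suspected compromise window, flags reads that exceed that baseline by a large factor, and derives the list of tokens to revoke and the objects whose records may have been copied.

```python
"""Added example: triage connected-app API activity after a third-party
integration's OAuth tokens are suspected compromised.

Assumptions (not the article's, Klue's or Salesforce's real schema):
  * log lines are 'timestamp|connected_app|oauth_token_id|operation|object|row_count'
  * a read returning >= FACTOR times the app's pre-incident median row count
    is treated as a suspicious bulk export
"""
from datetime import datetime

# Constructed sample export: one integration behaves normally for two days,
# then starts pulling whole objects at once; a second app is an unrelated control.
SAMPLE_LOG = """\
2024-06-10T09:02:11Z|vendor-battlecards|tok-a1|query|Account|40
2024-06-10T09:31:07Z|vendor-battlecards|tok-a1|query|Opportunity|25
2024-06-11T10:14:55Z|vendor-battlecards|tok-a1|query|Account|38
2024-06-11T23:41:02Z|vendor-battlecards|tok-a1|query|Contact|18000
2024-06-11T23:43:19Z|vendor-battlecards|tok-a1|query|Account|9500
2024-06-12T00:05:44Z|vendor-battlecards|tok-a1|query|Lead|12000
2024-06-12T08:00:00Z|marketing-sync|tok-b7|query|Lead|200
"""

# Constructed start of the suspected compromise window (assumption).
SUSPECT_FROM = datetime(2024, 6, 11, 12, 0, 0)
FACTOR = 10  # bulk-read threshold relative to the pre-incident median


def parse_log(text):
    """Parse the hypothetical export into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, app, token, op, obj, rows = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "app": app, "token": token, "op": op,
            "object": obj, "rows": int(rows),
        })
    return events


def baseline_rows(events, app, before):
    """Median rows per call for one app, using only calls before the window."""
    vals = sorted(e["rows"] for e in events if e["app"] == app and e["ts"] < before)
    if not vals:
        return None  # no history: cannot judge, leave for manual review
    mid = len(vals) // 2
    return vals[mid] if len(vals) % 2 else (vals[mid - 1] + vals[mid]) / 2


def flag_bulk_reads(events, suspect_from, factor=FACTOR):
    """Return (app, token, object, rows) for reads far above the app's baseline."""
    alerts = []
    for e in events:
        if e["ts"] < suspect_from:
            continue
        base = baseline_rows(events, e["app"], suspect_from)
        if base and e["rows"] >= factor * base:
            alerts.append((e["app"], e["token"], e["object"], e["rows"]))
    return alerts


def tokens_to_revoke(events, apps):
    """Every token seen for the implicated apps, not only those that misbehaved."""
    return sorted({e["token"] for e in events if e["app"] in apps})


def exposed_objects(alerts):
    """Objects whose records the flagged reads may have copied."""
    return sorted({a[2] for a in alerts})


def triage(text, suspect_from=SUSPECT_FROM):
    """Full pass: parse, flag, and build the revocation and exposure lists."""
    events = parse_log(text)
    alerts = flag_bulk_reads(events, suspect_from)
    apps = {a[0] for a in alerts}
    return {
        "events": len(events),
        "alerts": alerts,
        "revoke": tokens_to_revoke(events, apps),
        "exposed": exposed_objects(alerts),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("bulk read:", alert)
    print("revoke tokens:", result["revoke"])
    print("objects to scope notification:", result["exposed"])
```

The revocation list is built per implicated app rather than per flagged call on purpose: once one token issued to an integration is known to have been misused, every grant for that integration should be assumed exposed and rotated, which matches the article's advice to revoke and rotate the grants rather than hunt individual sessions. Apps with no pre-incident history return no alert and should be reviewed by hand instead of silently passing.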