Salesforce integrator Klue’s OAuth hacking situation has taken a bizarre turn with the threat actor responsible for the breach apparently claiming to have also been hacked. AI competitive intelligence platform Klue – which integrates with Salesforce to simplify CRM usage – suffered the breach in June, and a number of peculiar events have taken place in the following days.
The original hacking group, identified as ‘Icarus’, was threatening Klue with releasing the stolen data in a bid to extort the company, according to TechCrunch, which reports that Klue has been negotiating with Icarus. But in a strange twist, it has now been claimed that Icarus has warned Klue about a second hacker threatening its customers after stealing Klue’s customer data directly from Icarus. Let’s take a look at what happened.
The Early Days of The Hack
In June, cybersecurity company Reliaquest noticed a compromised integration between Klue and Salesforce. This was used to exfiltrate CRM data using OAuth tokens and automated REST API queries. The activity resembled the 2025 and 2026 third-party OAuth-abuse campaigns against Salesforce, which the ShinyHunters hacking group took credit for.
The integration with Klue was used as an entry point to reach a Salesforce environment and accessible CRM data. Account records, contact details, and deal outcomes may have been accessed, it is understood.
Salesforce issued a security advisory on June 17 outlining that integration with the Klue Battlecards app had been disabled. The company said in a statement: “Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce.”
Salesforce stressed that the issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.
Reliaquest outlined how attackers authenticated to their targets’ Klue integration service accounts, generated OAuth tokens, and ran automated scripts to pull “large volumes” of Salesforce records through the REST API over an approximate 24-hour period.
As we wrote at the time, this incident – along with the previous Salesloft and Gainsight exploits – is a clear indication that any top-ranked app vendor with integrations to enterprise SaaS and application platforms should consider itself a target of threat groups.
“The OAuth-abuse playbook is repeatable, effective, and now widely adopted,” Reliaquest said.
So Who Hacked The Hackers?
June 22
In an update posted on June 22, Reliaquest said that a Telegram account claiming to be the ShinyHunters hacking group was taking responsibility for the Klue breach. ShinyHunters were one of the big names believed to be behind the large wave of Salesforce data theft attacks last year.
The Telegram account claiming to be ShinyHunters said that “a number of other companies’ Salesforce instances, which were partners to Klue, were exfiltrated”, and advised Klue to contact them for a “swift resolution”.
A Session Messenger ID attributed to the Icarus data extortion group was included in the post, suggesting a potential relationship between the two groups, but this has not been verified. Reliaquest said that it is possible that an unrelated actor is leveraging ShinyHunters’ reputation to amplify extortion pressure.
Cybersecurity firm Huntress was among the Klue customers affected by the breach. They also posted a blog, dated June 22, outlining that Icarus listed data for Huntress and “several other companies” that were impacted on its data leak website.
Huntress said in its statement that the affected files are limited to Salesforce data, including business contact information, business names, products trialled/used, subscription details, and sales-related communications with customers and partners, as well as opportunity notes.
“As expected, no data associated with Huntress products or infrastructure, or any telemetry, passwords, or payment card data was impacted, based on current evidence,” Huntress said.
June 24
Two days later, on June 24, Huntress said they were aware of new activity related to the Klue incident. Huntress said: “A separate unauthorized party has claimed access to data associated with the incident and has made statements regarding potential disclosure.
“At this time, these claims remain unverified, and our team is actively investigating in coordination with security researchers.”
They added that the unverified claims included supposed plans to publish sample information about companies that have engaged with the original Icarus threat actor, including the names of nearly 200 companies. Following that, the unauthorized party claims that information about the victims will be released daily, unless a “compromise” is made.
June 25
Then, on June 25, TechCrunch reported that Klue was communicating with hackers and said it believed the group was deleting the stolen data.
In an update shared privately with its customers, Klue reportedly said: “We continue to communicate with the threat actor we have been in contact with (‘Icarus’).
“Icarus told us they are taking steps to delete the data taken from Klue customers. The Icarus site remains down, and we have indications that Icarus is indeed taking steps to delete data taken from Klue customers.” TechCrunch claimed the email had been verified with multiple sources.
We have not independently verified that Klue paid Icarus. SF Ben has contacted Klue for comment.
Cyber Daily reports that the second hacker is now extorting Klue’s customers, and Icarus asked the company to pass on a message to not pay this “other party”.
CISO at Acronis, Gerald Beuchelt, said that the incident demonstrates the challenges of the simple mantra of ‘don’t negotiate with cyber criminals’, calling it “tone-deaf advice”.
Beuchelt added: “If a hospital is locked out of its systems, this can be a life and death situation, and if it’s data that’s compromised, it could be incredibly sensitive, and you may owe it to the people whose data it is to do what you can to keep that private.
“However, there is the simple fact that when you’re dealing with criminals, you don’t necessarily get what you pay for. If you can possibly avoid it, you’re better off not negotiating and just restoring via backups.”
What to Do Now
If you’re concerned you may be at risk from the gaps exploited in these incidents, Reliaquest recommends revoking and rotating credentials and tokens.
Reset and reissue everything tied to the Klue integration. This includes the service-account password, refresh tokens, client secrets, and active OAuth grants.
You need to revoke the refresh token, not just reset a password, to sever persistent access.
Next, review Salesforce API activity. Look for unusual REST API query volume, repeated pagination through large result sets, the Python-urllib user-agent, and access from unfamiliar IP addresses.
Also, lock down API access to known infrastructure. Enforce IP allowlisting on third-party integration accounts and connected apps. Be sure to apply the same restriction to SIEM and SOAR APIs – meaning requests from outside approved sources are blocked and alerted.
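As an added illustration of the review step above (not code from the article, Reliaquest, Salesforce or Klue), the following Python triages constructed REST API log rows for the indicators listed: the Python-urllib user-agent, repeated queryMore pagination, bulk row counts, and source IPs outside an allowlist. The CSV field names, thresholds and allowlist are assumptions, not a documented Salesforce schema.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample loosely modelled on Salesforce REST API event-log rows
# (field names are an assumption, not a documented Salesforce schema).
SAMPLE_LOG = """\
timestamp,user_id,client_ip,user_agent,uri,rows_processed
2026-06-15T01:00:01Z,005KLUEINTEG,198.51.100.7,Python-urllib/3.11,/services/data/v60.0/query?q=SELECT+Id+FROM+Account,2000
2026-06-15T01:00:02Z,005KLUEINTEG,198.51.100.7,Python-urllib/3.11,/services/data/v60.0/query/01gQL0000000001-2000,2000
2026-06-15T01:00:03Z,005KLUEINTEG,198.51.100.7,Python-urllib/3.11,/services/data/v60.0/query/01gQL0000000001-4000,2000
2026-06-15T01:00:04Z,005KLUEINTEG,198.51.100.7,Python-urllib/3.11,/services/data/v60.0/query/01gQL0000000001-6000,2000
2026-06-15T09:12:44Z,005SALESREP1,203.0.113.10,Mozilla/5.0 (Macintosh),/services/data/v60.0/sobjects/Contact/003xx,1
"""

ALLOWED_IPS = {"203.0.113.10"}  # assumed: the integration's known egress addresses
PAGINATION_RE = re.compile(r"/query/[0-9A-Za-z]+-\d+$")  # queryMore locator suffix
SUSPICIOUS_UA = re.compile(r"python-urllib", re.IGNORECASE)

def analyse(log_text, allowed_ips=ALLOWED_IPS, page_threshold=3, row_threshold=5000):
    """Return {user_id: [findings]} for users whose REST activity matches the
    indicators: scripted UA, deep pagination, bulk rows, unfamiliar source IPs."""
    per_user = defaultdict(lambda: {"pages": 0, "rows": 0, "ips": set(), "uas": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        stats = per_user[row["user_id"]]
        stats["rows"] += int(row["rows_processed"])
        stats["ips"].add(row["client_ip"])
        stats["uas"].add(row["user_agent"])
        if PAGINATION_RE.search(row["uri"]):  # follow-up page of a large result set
            stats["pages"] += 1
    findings = {}
    for user, s in per_user.items():
        hits = []
        if any(SUSPICIOUS_UA.search(ua) for ua in s["uas"]):
            hits.append("scripted user-agent (Python-urllib)")
        if s["pages"] >= page_threshold:
            hits.append(f"repeated pagination ({s['pages']} queryMore calls)")
        if s["rows"] >= row_threshold:
            hits.append(f"bulk extraction ({s['rows']} rows)")
        unknown = s["ips"] - allowed_ips
        if unknown:
            hits.append(f"unfamiliar source IP {sorted(unknown)}")
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in analyse(SAMPLE_LOG).items():
        print(user, "->", "; ".join(hits))
```

In a real review the same rules would run over exported event-log files for the integration service account, and any hit on a rotated account after the token revocation would indicate the refresh token was not actually severed.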
Final Thoughts
A breach rarely ends when the first intrusion is contained. As this incident seems to demonstrate, it can spiral into an ongoing nightmare with no clear resolution, and a fog of war muddying the details. What began as a fairly typical OAuth-token abuse case has evolved into something altogether more challenging – and at least a little confusing – for Klue.
Whether Icarus, ShinyHunters, and this apparent “second hacker” really are different actors, overlapping personas, or just one unified group amplifying pressure by pretending to be several parties, the ambiguity is in itself a driver of fear and urgency – which likely only benefits the extortionists.