Icarus didn’t need a zero-day. The extortion group walked into Klue’s backend on June 11 using a dormant API credential originally created for an abandoned integration prototype — one that should have been revoked years ago. From there, they pushed malicious code to harvest OAuth tokens that Klue’s customers had issued to connect the platform to Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.

The payoff: direct query access to customer CRM systems. Business contacts, price quotes, and sales messaging pulled cleanly from connected accounts. Huntress’s breach writeup, published June 18, called it a “security domino effect.” That’s an understatement: the dominoes reached Huntress’s own inbox, where staff received extortion emails on June 16 with the subject line “top secret email” and a 48-hour ultimatum. Huntress’s threat data, passwords, and payment card information weren’t touched, but its sales stack was.

Klue issued a general customer alert on June 13 that didn’t specify who was affected. Salesforce disabled the Klue Battlecards app connection entirely after detecting unusual activity. Recorded Future, Tanium, and Jamf have all published statements confirming their own exposure.

The structural flaw lives in the integration layer. Throughout 2025, similar OAuth-abuse campaigns hit Drift and Gainsight, two other Salesforce-connected SaaS integrations. These trusted connectors between CRM platforms and third-party tools are the softest target: rarely monitored, and stocked with long-lived credentials nobody bothered to rotate.
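The check a practitioner would want after reading the paragraph above is an audit of the integration layer's own credential inventory for exactly the two conditions named: keys that have gone quiet and keys that have never been rotated. The script below is an added example, not code from the article, from Klue, or from any of the vendors named; the JSON-lines export format, the field names, the 90-day dormancy and 365-day rotation thresholds, and the sample records are all constructed assumptions.

```python
"""Flag dormant and unrotated API credentials in an inventory export.

Added example. Input format, thresholds and sample records are assumptions,
not any vendor's real export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# Assumed policy: a credential unused for 90 days is dormant; one older than a
# year has never been rotated. Tune to your own standard.
DORMANT_AFTER = timedelta(days=90)
ROTATE_AFTER = timedelta(days=365)

# Fixed "now" so the example is deterministic offline.
NOW = datetime(2026, 6, 12, tzinfo=timezone.utc)

# Constructed sample export, one JSON object per line. key-001 is the pattern
# the article describes: a prototype key last used years ago and never revoked.
SAMPLE_INVENTORY = """\
{"id": "key-001", "owner": "integrations", "purpose": "prototype-sync", "created_at": "2023-02-01T00:00:00Z", "last_used_at": "2023-03-15T00:00:00Z", "revoked": false}
{"id": "key-002", "owner": "crm-team", "purpose": "salesforce-connector", "created_at": "2025-11-01T00:00:00Z", "last_used_at": "2026-06-10T00:00:00Z", "revoked": false}
{"id": "key-003", "owner": "ops", "purpose": "ci-deploy", "created_at": "2024-01-10T00:00:00Z", "last_used_at": "2026-06-11T00:00:00Z", "revoked": false}
{"id": "key-004", "owner": "sales-eng", "purpose": "demo-env", "created_at": "2026-05-20T00:00:00Z", "last_used_at": null, "revoked": false}
{"id": "key-005", "owner": "old-vendor", "purpose": "zoom-bridge", "created_at": "2022-06-01T00:00:00Z", "last_used_at": "2022-09-01T00:00:00Z", "revoked": true}
"""


@dataclass
class Finding:
    credential_id: str
    owner: str
    reasons: tuple


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp, or return None for a null field."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(inventory_text, now=NOW):
    """Return one Finding per live credential that is dormant, never used
    past the grace window, or older than the rotation threshold."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["revoked"]:
            continue  # already dead; nothing to flag
        created = parse_ts(rec["created_at"])
        last_used = parse_ts(rec["last_used_at"])
        reasons = []
        if last_used is None:
            # A brand-new key that has not been used yet is not a finding;
            # one that was provisioned and then forgotten is.
            if now - created > DORMANT_AFTER:
                reasons.append("never used")
        elif now - last_used > DORMANT_AFTER:
            reasons.append(f"dormant for {(now - last_used).days} days")
        if now - created > ROTATE_AFTER:
            reasons.append(f"unrotated for {(now - created).days} days")
        if reasons:
            findings.append(Finding(rec["id"], rec["owner"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f.credential_id, f.owner, "; ".join(f.reasons))
```

On the constructed sample this flags key-001 (dormant and unrotated) and key-003 (in daily use but never rotated), and stays quiet on key-004, which was created three weeks ago and simply has not been used yet. The point of the two separate rules is that "still used" and "still safe" are different questions: a connector key that is exercised every day can still be the same secret it was three years ago.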

Klue CEO Jason Smith confirmed law enforcement was notified and said the incident was “limited to the affected third-party platforms.” Icarus, a group that has only been active since late April 2026, has listed Klue on its dark-web leak site.

Diana Kowalski