Introduction
In early June 2026, nine cybersecurity companies discovered that their Salesforce CRM data had been exfiltrated — not through a vulnerability in Salesforce itself, but through a third-party SaaS application their sales teams used daily for competitive intelligence.
Klue, a Canadian market intelligence platform, was the weak link. Its customers — Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium — found their data in the crosshairs of the extortion group Icarus.
A Forgotten Credential, a Persistent Foothold
Initial access was gained through a dormant credential — one Klue had created to prototype a third-party integration that was never completed, and never revoked. From there, attackers moved through the platform's backend infrastructure and pushed a malicious code update designed to harvest the OAuth tokens customers used to connect Klue to their Salesforce instances.
Those tokens were enough to query victims' CRMs directly via Salesforce's REST API. The exfiltration method points to a deliberate, staged operation: a slow reconnaissance phase to map available Salesforce objects, followed by a sudden surge — nearly a thousand API requests over fifteen minutes — timed to pull as much data as possible before triggering detection.
SaaS Integrations: The New Systemic Attack Vector
The Klue incident is less remarkable for its technical sophistication than for the logic of the attack vector itself. Icarus didn't go after Salesforce directly. The group targeted a peripheral business application — built for Sales and Marketing teams — and used it as a stepping stone into the CRMs of Klue's enterprise customers.
This pattern fits a broader trend. Similar compromises had already targeted Salesforce environments through the Salesloft Drift and Gainsight applications in 2025. Klue moved quickly to suspend its integrations with around ten platforms — HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack — a response that inadvertently revealed the scale of an interconnected ecosystem where every live connection is a potential exposure point.
Commercial Data: A Highly Liquid Asset for Extortion
The exfiltrated data isn't personal data in the conventional regulatory sense — it's commercial IP: customer contacts, quotes, pipeline records, communication histories, and competitive intelligence reports. For an extortion group, its value is immediate and concrete.
Active since April 2026, Icarus has made this type of operation its specialty: targeting sensitive business data, then threatening to publish it unless victims pay. The affected companies confirmed the breach and notified impacted customers. Salesforce responded by disabling the Klue Battlecards integration on its app marketplace.
What This Means for IT and Security Leaders
The incident raises pointed questions for CIOs and CISOs: who is regularly auditing OAuth tokens granted to third-party applications? Who verifies that a credential provisioned for an abandoned prototype no longer carries active permissions?
Integration lifecycle management — revoking stale access, scoping OAuth permissions tightly, detecting anomalous API call patterns — has become a security discipline in its own right, well beyond routine IT hygiene. For SaaS vendors themselves, the incident is an unambiguous reminder of a shared responsibility: the integration code they deploy into their customers' environments can become an attack vector against those same customers.
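Detection logic for the two-phase pattern the incident illustrates (low-volume reconnaissance across many Salesforce objects, then a burst of calls inside a fifteen-minute window), as an added example that is not from the article, Klue or Salesforce. The call records, app names, window and threshold are constructed assumptions; in practice the threshold should come from each connected app's own baseline rate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_sample_calls():
    """Constructed API-call records (app, timestamp, object); not real Salesforce logs."""
    base = datetime(2026, 6, 2, 9, 0)
    calls = []
    # Benign integration: a steady 4 calls per hour against one object for 6 hours.
    for i in range(24):
        calls.append(("reporting-tool", base + timedelta(minutes=15 * i), "Opportunity"))
    # Suspicious integration: slow reconnaissance, one new object every 20 minutes...
    objects = ["Account", "Contact", "Lead", "Opportunity",
               "Quote", "Task", "EmailMessage", "Case"]
    for i, obj in enumerate(objects):
        calls.append(("intel-connector", base + timedelta(minutes=20 * i), obj))
    # ...then a surge: 960 calls over those objects inside roughly 14 minutes.
    surge_start = base + timedelta(hours=4)
    for i in range(960):
        calls.append(("intel-connector", surge_start + timedelta(seconds=i * 0.9),
                      objects[i % len(objects)]))
    return sorted(calls, key=lambda c: c[1])

def detect_bursts(calls, window=timedelta(minutes=15), threshold=500):
    """Sliding-window call count per app over time-sorted records.

    Returns {app: timestamp at which the app first exceeded `threshold`
    calls within `window`}. Apps that never exceed it are absent.
    """
    recent = defaultdict(deque)  # per-app timestamps still inside the window
    alerts = {}
    for app, ts, _ in calls:
        q = recent[app]
        q.append(ts)
        while q and ts - q[0] > window:  # drop calls that fell out of the window
            q.popleft()
        if len(q) > threshold and app not in alerts:
            alerts[app] = ts
    return alerts

def objects_touched_before(calls, app, cutoff):
    """Distinct objects an app queried before `cutoff`.

    Broad object coverage at low volume ahead of a burst is the reconnaissance
    signature; a benign integration usually touches a small, stable set.
    """
    return {obj for a, ts, obj in calls if a == app and ts < cutoff}

if __name__ == "__main__":
    calls = make_sample_calls()
    for app, when in detect_bursts(calls).items():
        print(app, "burst at", when, "objects mapped beforehand:",
              sorted(objects_touched_before(calls, app, when)))
```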

