A threat actor group tracked as “Icarus” abused OAuth tokens issued to Klue, a competitive intelligence platform, to access Salesforce CRM data belonging to multiple organizations, including the cybersecurity firms Huntress and Recorded Future, in an incident that surfaced publicly on June 18, 2026.
The Attack Mechanism
Klue’s Battlecards application integrates with Salesforce as a connected app: customers grant it OAuth tokens so it can read and write competitive intelligence data inside their Salesforce instances. Icarus actors obtained valid OAuth tokens tied to the Klue Battlecards connected app and used them to call the Salesforce API directly against the affected organizations’ environments, extracting CRM data without triggering standard login alerts because the requests were authenticated as a trusted connected application rather than as a user.
Icarus Actors Authenticating via Klue Battlecards OAuth Tokens
Salesforce contained the breach by disabling the Klue Battlecards connected app entirely, cutting off the OAuth access path. As of June 18–19 the integration remains suspended pending a full investigation by Klue and Salesforce. Because the malicious access looked identical to the application’s normal authorized behavior, there was no failed-login or impossible-travel signal to raise an alert, and the window between initial access and containment may have been longer as a result.
Security Firms Among the Victims
The breach is particularly notable because the victim list includes Huntress, a managed detection and response provider, and Recorded Future, one of the most recognized names in threat intelligence. Organizations that professionally detect and investigate cyberattacks were themselves compromised through a vendor integration they trusted.
This compounds the risk: the exposed CRM data may include client contract details, threat intelligence the firms gathered about those clients’ environments, and internal strategic information about the firms’ own security operations. Both companies were investigating the scope of the exposure as of the disclosure date.
Third Salesforce Supply Chain Incident in 2026
The Klue breach is the third major Salesforce-ecosystem compromise this year involving connected-application OAuth token abuse. Each incident has followed the same playbook: the attacker obtains OAuth tokens belonging to a connected application, sidesteps the interactive authentication controls (including MFA, which is enforced only when the grant is first issued), and extracts CRM data at scale before the access is detected and the tokens are revoked.
OAuth Token Harvest Targeting Salesforce AppExchange Integrations
The pattern suggests that attackers are systematically targeting the OAuth integration layer across Salesforce’s AppExchange ecosystem, treating legitimate connected applications as credential stores rather than attacking Salesforce authentication directly. OAuth tokens for Salesforce integrations are often stored in developer environments, CI/CD pipelines, or application configuration files, where they can be harvested by an attacker who compromises the software vendor’s development infrastructure. Once harvested, a refresh token keeps working until it is revoked or the connected app is disabled, and each refresh mints a new access token without any user interaction; in enterprise environments that can mean months or years of valid access.
How OAuth Tokens Become Weapons
Unlike stolen user credentials, an abused OAuth token produces no failed login attempts, no MFA prompts, and no unusual geographic login from a new device: the refresh token is exchanged for a fresh access token and the resulting API calls are recorded under the connected app’s identity, exactly as the legitimate integration’s calls are. Salesforce does log this access (as Remote Access 2.0 entries in Login History and as API events in Event Monitoring), but those records look like the app’s routine activity. This indistinguishability is the core operational advantage Icarus and similar actors gain by targeting OAuth integrations rather than end-user credentials. Detection therefore has to come from data-access volume monitoring or behavioral analytics, such as an app reading objects it has never touched or pulling row counts far above its daily baseline, rather than from authentication anomaly detection.
Impact and Takeaway
Salesforce customers using third-party connected applications from AppExchange should audit active OAuth grants (Setup’s Connected Apps OAuth Usage page lists each app with its user count and last-use time), revoke tokens for applications that are no longer in active use, narrow the OAuth scopes of the apps that remain to what they actually need, and review API access logs for unusual export volume from connected apps. For organizations whose security vendors appear in the affected list, the exposed CRM data may include sensitive client and operational details that require direct follow-up with Klue, Huntress, or Recorded Future to determine scope.
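The two checks described above, a stale-grant audit and volume-based detection of connected-app data access, as an added worked example that is not code from the article, from Klue, or from Salesforce. The grant rows are shaped like Salesforce’s OauthToken object (AppName, LastUsedDate, UseCount) and the event rows like the API EventLogFile type (TIMESTAMP, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED); the field names are borrowed, but every value is constructed for this example, and the thresholds STALE_DAYS, SPIKE_FACTOR and MIN_ROWS are assumed, not vendor defaults.

```python
"""Connected-app audit: stale OAuth grants plus per-app data-volume anomalies.

Added example, not the article's or Salesforce's code. Field names follow the
OauthToken object and the API EventLogFile type; all values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

STALE_DAYS = 90      # assumed: a grant unused this long is a revocation candidate
SPIKE_FACTOR = 5     # assumed: a day at >= 5x the app's median daily rows is a spike
MIN_ROWS = 1000      # assumed noise floor: ignore spikes smaller than this

# Constructed grants (shape of OauthToken rows).
OAUTH_GRANTS = [
    {"AppName": "Klue Battlecards", "LastUsedDate": "2026-06-17T09:12:00Z", "UseCount": 1420},
    {"AppName": "Slack", "LastUsedDate": "2026-06-18T07:40:00Z", "UseCount": 8801},
    {"AppName": "LegacyMarketingSync", "LastUsedDate": "2025-11-02T16:05:00Z", "UseCount": 37},
]

# Constructed API events: (TIMESTAMP, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED).
API_EVENTS = [
    # The integration's normal nightly sync: a couple of hundred Account rows.
    ("2026-06-10T02:00:00Z", "Klue Battlecards", "Account", 210),
    ("2026-06-11T02:00:00Z", "Klue Battlecards", "Account", 195),
    ("2026-06-12T02:00:00Z", "Klue Battlecards", "Account", 230),
    ("2026-06-13T02:00:00Z", "Klue Battlecards", "Account", 205),
    ("2026-06-14T02:00:00Z", "Klue Battlecards", "Account", 190),
    ("2026-06-15T02:00:00Z", "Klue Battlecards", "Account", 215),
    # Same app identity, one day: bulk Account pull plus an object it never read.
    ("2026-06-16T03:10:00Z", "Klue Battlecards", "Account", 20000),
    ("2026-06-16T03:25:00Z", "Klue Battlecards", "Account", 28000),
    ("2026-06-16T03:40:00Z", "Klue Battlecards", "Opportunity", 30000),
    # A busy but steady app: high volume alone must not trigger a finding.
    ("2026-06-15T12:00:00Z", "Slack", "Contact", 1500),
    ("2026-06-16T12:00:00Z", "Slack", "Contact", 1600),
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the rows above."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def stale_grants(grants, now, stale_days=STALE_DAYS):
    """Names of connected apps whose grant has not been used within stale_days."""
    cutoff = now - timedelta(days=stale_days)
    return sorted(g["AppName"] for g in grants if parse_ts(g["LastUsedDate"]) < cutoff)


def daily_volume(events):
    """(client, entity) -> {day: total rows processed that day}."""
    vol = defaultdict(lambda: defaultdict(int))
    for ts, client, entity, rows in events:
        vol[(client, entity)][parse_ts(ts).date()] += rows
    return vol


def volume_anomalies(events, factor=SPIKE_FACTOR, min_rows=MIN_ROWS):
    """Flag days where an app's rows for one object dwarf its own history.

    Baseline = median of that app/object's other days. No history at all (an
    object the app never touched before) is itself a finding once the day's
    volume clears the noise floor.
    """
    findings = []
    for (client, entity), per_day in daily_volume(events).items():
        for day, rows in sorted(per_day.items()):
            if rows < min_rows:
                continue
            others = [r for d, r in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if baseline == 0 or rows >= factor * baseline:
                findings.append({
                    "app": client, "entity": entity, "day": day.isoformat(),
                    "rows": rows, "baseline": baseline,
                    "reason": "no prior history" if baseline == 0 else "volume spike",
                })
    return findings


if __name__ == "__main__":
    print("Stale grants to revoke:", stale_grants(OAUTH_GRANTS, datetime(2026, 6, 19)))
    for f in volume_anomalies(API_EVENTS):
        print(f"{f['day']} {f['app']} read {f['rows']} {f['entity']} rows "
              f"(baseline {f['baseline']}): {f['reason']}")
```

In a real deployment the two inputs would come from a SOQL query over OauthToken and from downloaded API event log files, and the baseline window would be weeks rather than six days; the logic stays the same. Note that the Slack rows are never flagged despite being larger than the integration’s normal traffic: the comparison is each app against its own history, which is what keeps a legitimately chatty connector from drowning out a token that suddenly starts bulk-exporting.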
