Klue OAuth Breach Impacts Huntress, Recorded Future and Others

Klue's OAuth breach enabled the Icarus threat group to extract Salesforce CRM data from cybersecurity companies including Huntress and Recorded Future.

Klue, a competitive intelligence platform, suffered an OAuth token abuse incident that enabled the Icarus threat actors to extract Salesforce CRM data from multiple organizations. Klue’s Battlecards application was disabled by Salesforce as a containment measure, but not before attackers used the OAuth integration to access customer Salesforce instances.

The breach impacts cybersecurity firms as victims, including Huntress and Recorded Future — organizations that themselves specialize in threat detection and security operations. When a security researcher’s tool is compromised, the data collected to protect organizations becomes the attack vector against those same organizations.

Klue’s OAuth Token Abuse and the Icarus Compromise Method

Klue’s OAuth token abuse follows the same pattern seen in previous Salesforce-environment breaches, where connected-app OAuth tokens harvested from public repositories or compromised developer machines are used to access CRM data at scale. Salesforce has disabled the Klue Battlecards integration pending investigation.

How the OAuth Integration Became an Attack Vector

The OAuth compromise represents a supply-chain vector in which an attacker does not need to breach the target’s infrastructure directly. By compromising a single integration point between Klue and Salesforce, the Icarus group could access all customer organizations connected through the platform. The connected-app OAuth tokens harvested from Klue’s infrastructure allowed the attackers to authenticate as legitimate Klue users within Salesforce’s ecosystem.

Huntress and Recorded Future Affected by the OAuth Compromise

The affected victims face a dual crisis: loss of their own organizational data and potential compromise of the threat intelligence data they collected from their clients’ environments. These firms use their own security tools to monitor and report on threat actor activity across dozens of organizations.

This marks the third major integrated-application compromise in the Salesforce ecosystem targeting competitive intelligence and CRM data in 2026. The pattern suggests systemic vulnerabilities in how OAuth tokens are managed, rotated, and audited across connected applications within the Salesforce marketplace.

Connected-App OAuth Patterns in Salesforce Breaches

The token harvesting method — extracting OAuth tokens from public repositories or compromised developer machines — has emerged as a recurring exploitation pattern across multiple Salesforce-environment breaches. The Klue incident follows this same methodology, highlighting a persistent weakness in how organizations manage OAuth token storage and access controls for connected applications.
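As an added defender-side illustration of the connected-app auditing the article says is missing (this is not code from the article, Klue, or Salesforce), the following checks a connected app's API activity for two signs of a harvested token being replayed: use from an address outside the integration's expected egress ranges, and an hourly record-pull volume far above normal. The CSV row format, the allowlist, the threshold and the app name are all constructed assumptions, not Salesforce's real event-log schema.

```python
# Constructed stand-in for Salesforce login/API event-log rows; field names
# are assumptions for this example, not Salesforce's schema.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed allowlist: egress ranges the vendor integration is expected to use.
KNOWN_EGRESS = {"Battlecards-Integration": [ip_network("203.0.113.0/24")]}
# Assumed policy: rows an app may pull per hour before a bulk-export alert.
EXPORT_ROWS_PER_HOUR = 5000

@dataclass
class Event:
    hour: str      # bucket such as "2026-03-01T10"
    app: str       # connected-app name the token belongs to
    user: str      # Salesforce user the token acts as
    src_ip: str    # client address seen by Salesforce
    rows: int      # records returned by the API call

def parse(lines):
    """Parse constructed CSV rows of the form hour,app,user,src_ip,rows."""
    return [Event(h, a, u, ip, int(r))
            for h, a, u, ip, r in (line.split(",") for line in lines)]

def find_abuse(events):
    """Return (app, subject, reason) findings for unknown sources and bulk pulls."""
    findings, seen, volume = [], set(), defaultdict(int)
    for e in events:
        in_range = any(ip_address(e.src_ip) in r for r in KNOWN_EGRESS.get(e.app, []))
        if not in_range and (e.app, e.src_ip) not in seen:
            seen.add((e.app, e.src_ip))          # report each new source once
            findings.append((e.app, e.user, f"unknown source {e.src_ip}"))
        volume[(e.app, e.hour)] += e.rows        # aggregate pull volume per hour
    for (app, hour), n in volume.items():
        if n > EXPORT_ROWS_PER_HOUR:
            findings.append((app, hour, f"bulk export {n} rows"))
    return findings

# Constructed sample: one expected call, then the same token used from an
# unfamiliar address to pull far more CRM records than usual.
SAMPLE = [
    "2026-03-01T10,Battlecards-Integration,integration@example.com,203.0.113.7,120",
    "2026-03-01T10,Battlecards-Integration,integration@example.com,198.51.100.9,4000",
    "2026-03-01T10,Battlecards-Integration,integration@example.com,198.51.100.9,3000",
]

if __name__ == "__main__":
    for finding in find_abuse(parse(SAMPLE)):
        print(finding)
```

In a real deployment the allowlist would come from the vendor's published egress addresses and the threshold from a per-app baseline, and the hits would feed token revocation rather than just a printout.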
