OAuth breach at Klue tied to Salesforce data theft wave

A security lapse in Klue’s OAuth infrastructure has let the Icarus threat actors siphon Salesforce CRM data from multiple organizations, data that is now being used in an extortion campaign. The compromise shows how the risk cascades when a third-party integration is breached: one vendor's weakness becomes exposure for every customer that authorized it.
A gateway to sensitive CRM records
The OAuth tokens that victim companies issued to Klue appear to have been intercepted or misused, giving the attackers sustained access to those companies' Salesforce environments. Unlike a phishing incident that compromises one account at a time, this breach let the threat actors pivot through the connector into many connected Salesforce tenants, exfiltrating customer databases, deal pipelines, and internal communications. Security researchers note that the stolen data is now being weaponized in extortion attempts, with victims receiving demands tied to the volume of exposed records.
Why third-party connectors demand stricter scrutiny
The incident underscores the growing threat posed by supply-chain-style attacks through business-critical connectors. OAuth-based integrations often hold broad permissions by design, and once a refresh token has been granted it can be used from anywhere without re-prompting the user for MFA, which makes stolen tokens attractive to adversaries. Klue has since revoked all affected tokens and is working with Salesforce and external forensics teams to contain the breach. Affected customers have been advised to review their audit logs for API access attributed to the connector from unexpected sources, rotate credentials, and audit the permissions granted to third-party applications, revoking any scope an integration does not need.
For organizations relying on CRM platforms, the breach serves as a reminder to treat every connected service as a potential risk vector. Regular access reviews and least-privilege policies can limit exposure even when upstream integrations are compromised.
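The three checks recommended above, worked through as an added example that is not code from the original article, from Klue or from Salesforce. It runs offline over constructed sample records whose field names are modelled on Salesforce's LoginHistory and OauthToken objects (LoginType "Remote Access 2.0" is the value recorded for OAuth 2.0 connected-app logins); the records themselves, the use of "Klue" as the connected app name, the vendor egress range 203.0.113.0/24 and the granted and required scope lists are assumptions made for illustration.

```python
"""Offline triage of a compromised third-party OAuth integration.

Added example, not code from the original article, Klue or Salesforce.
Field names are modelled on Salesforce's LoginHistory and OauthToken
objects; the sample rows, app name, vendor egress range and scope lists
below are constructed assumptions for illustration only.
"""
import csv
import io
import ipaddress
import json

# Constructed LoginHistory-style export (assumption: a real export would come
# from SOQL `SELECT ... FROM LoginHistory` or Setup > Login History).
LOGIN_HISTORY = """\
UserId,LoginTime,LoginType,Application,SourceIp,Status
005A,2025-08-09T02:14:00Z,Remote Access 2.0,Klue,203.0.113.10,Success
005B,2025-08-09T02:15:30Z,Remote Access 2.0,Klue,203.0.113.11,Success
005C,2025-08-09T03:40:00Z,Remote Access 2.0,Klue,198.51.100.7,Success
005A,2025-08-09T09:00:00Z,Application,Browser,192.0.2.5,Success
005D,2025-08-09T10:12:00Z,Remote Access 2.0,Other Connector,192.0.2.9,Success
"""

# Constructed OauthToken-style export: one row per user who authorized an app.
OAUTH_TOKENS = """\
Id,AppName,UserId,LastUsedDate,UseCount
0ZZ1,Klue,005A,2025-08-09T02:14:00Z,412
0ZZ2,Klue,005B,2025-08-09T02:15:30Z,38
0ZZ3,Klue,005C,2025-08-09T03:40:00Z,1
0ZZ4,Other Connector,005D,2025-08-09T10:12:00Z,900
"""

# Assumption: the vendor publishes 203.0.113.0/24 as its egress range.
# Apps with no published range get no allowlist, so all their logins are flagged.
VENDOR_EGRESS = {"Klue": ["203.0.113.0/24"]}

# Scopes each app was granted versus the scopes its function needs (both
# constructed). "full" is Salesforce's catch-all scope; a read-only
# connector has no business holding it.
GRANTED_SCOPES = {"Klue": {"api", "refresh_token", "full"},
                  "Other Connector": {"api", "refresh_token"}}
REQUIRED_SCOPES = {"Klue": {"api", "refresh_token"},
                   "Other Connector": {"api", "refresh_token"}}


def parse_csv(text):
    """Return the rows of a CSV export as a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_logins(rows, app_name, egress):
    """OAuth logins attributed to app_name from outside the vendor's known
    egress ranges: the signature of a stolen token being replayed from
    attacker infrastructure while the legitimate integration keeps running."""
    nets = [ipaddress.ip_network(c) for c in egress.get(app_name, [])]
    hits = []
    for r in rows:
        if r["Application"] != app_name or r["LoginType"] != "Remote Access 2.0":
            continue
        ip = ipaddress.ip_address(r["SourceIp"])
        if not any(ip in n for n in nets):
            hits.append(r)
    return hits


def tokens_to_revoke(tokens, app_name):
    """Every token issued to app_name, not just those seen from odd IPs:
    once the vendor's token store is compromised, all of them are."""
    return [t["Id"] for t in tokens if t["AppName"] == app_name]


def excess_scopes(granted, required):
    """Connected apps holding scopes beyond what their function requires."""
    return {app: scopes - required.get(app, set())
            for app, scopes in granted.items()
            if scopes - required.get(app, set())}


def triage(app_name):
    """Bundle the three checks for one integration into a single report."""
    hits = suspicious_logins(parse_csv(LOGIN_HISTORY), app_name, VENDOR_EGRESS)
    return {
        "suspicious_logins": [(h["UserId"], h["SourceIp"], h["LoginTime"]) for h in hits],
        "users_to_rotate": sorted({h["UserId"] for h in hits}),
        "tokens_to_revoke": tokens_to_revoke(parse_csv(OAUTH_TOKENS), app_name),
        "excess_scopes": excess_scopes(GRANTED_SCOPES, REQUIRED_SCOPES),
    }


if __name__ == "__main__":
    print(json.dumps(triage("Klue"), indent=2, default=sorted))
```

On the sample data the report flags user 005C, whose connector login came from 198.51.100.7 rather than the vendor's range, lists all three Klue tokens for revocation regardless of which ones showed abnormal use, and reports that Klue holds the "full" scope it does not need. The egress check only catches attackers who replay tokens from their own infrastructure; if the vendor's own hosts were used, the remaining signals are volume and timing, which is why revocation covers every token rather than only the flagged ones.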
Source: BleepingComputer. AI-assisted editorial synthesis — TechnoExpress.

