Salesforce Data Thefts Continue via Klue App Compromise
ID: fb6f9557-f555-58f0-939e-5b75e5bd0bbb
STIX ID: report--fb6f9557-f555-58f0-939e-5b75e5bd0bbb
Feed Name: Dark Reading
More Salesforce customers were breached after threat actors compromised Klue's Battlecards app backend, stole OAuth tokens, and used them to access and exfiltrate Salesforce data via the REST API over approximately a 24-hour window. ReliaQuest and Huntress linked the activity to a broader third-party OAuth-abuse playbook, described it as a supply-chain compromise, and observed extortion attempts attributed to an emerging group called Icarus; affected vendors are advised to revoke and reissue Klue-related credentials, review API activity, and enforce IP allowlisting.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
