logo

Salesforce Data Thefts Continue via Klue App Compromise

ID: fb6f9557-f555-58f0-939e-5b75e5bd0bbb

STIX ID: report--fb6f9557-f555-58f0-939e-5b75e5bd0bbb

Feed Name: Dark Reading

Threat Score
75/100

Date Published: 2026-06-18

Date Updated: 2026-06-19

Author: Rob Wright

...
...

More Salesforce customers were breached after threat actors compromised Klue's Battlecards app backend, stole OAuth tokens, and used them to access and exfiltrate Salesforce data via the REST API over approximately a 24-hour window. ReliaQuest and Huntress linked the activity to a broader third-party OAuth-abuse playbook, described it as a supply-chain compromise, and observed extortion attempts attributed to an emerging group called Icarus; affected vendors are advised to revoke and reissue Klue-related credentials, review API activity, and enforce IP allowlisting.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.