Klue OAuth Breach Victim List Grows as Icarus Claims Responsibility
ID: cebba92a-689b-5927-85bf-e18fcbe5d1cd
STIX ID: report--cebba92a-689b-5927-85bf-e18fcbe5d1cd
Feed Name: Security Boulevard
Klue confirmed an incident in which attackers used a compromised legacy credential to steal OAuth tokens for its Battlecards Salesforce integration, allowing access to Salesforce CRM data across multiple customer organizations; the Icarus extortion group claimed responsibility and threatened downstream victims. Klue revoked credentials and tokens, disabled affected integrations, engaged CrowdStrike, and notified law enforcement. Recommended mitigations include auditing and minimizing OAuth application permissions, rotating tokens after third-party incidents, and monitoring cloud API activity.
