Market intelligence platform Klue has confirmed a security incident in which threat actors stole OAuth tokens used to connect to customers' Salesforce environments. The breach is now being publicly claimed by the newly emerged "Icarus" extortion group, which is adding victims to a growing list.

The attack targets the OAuth tokens that govern integrations between Klue and corporate Salesforce instances. According to Klue's disclosure, these tokens could enable unauthorized access to compromised Salesforce organizations if still valid at the time of theft.

Technical details remain scarce, but the incident underscores the systemic risk of OAuth token theft: once stolen, tokens may allow persistent access without requiring credentials or multi-factor authentication. The Icarus group appears to be extortion-focused, though its specific demands are not yet public.

Klue has not released a full timeline for when the tokens were stolen or whether they have been revoked. The company is working with affected customers to rotate credentials and review integration logs for signs of misuse. No patch is needed, because the fix is credential rotation and session invalidation.
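The log review described above can be sketched as follows. This is an added example, not code from Klue or Salesforce: it flags integration logins from outside the vendor's expected address ranges and marks those that occurred after token revocation. The CSV column names, the application label "Klue", the address ranges and the revocation time are all assumptions, and the log lines are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed sample export. Column names are assumptions, not a real schema.
SAMPLE_LOG = """\
LoginTime,Username,Application,SourceIp
2025-01-10T08:00:00Z,integration@example.com,Klue,203.0.113.10
2025-01-12T03:14:00Z,integration@example.com,Klue,198.51.100.77
2025-01-15T09:30:00Z,integration@example.com,Klue,203.0.113.11
2025-01-16T02:00:00Z,integration@example.com,Klue,198.51.100.77
2025-01-16T11:00:00Z,alice@example.com,Browser,192.0.2.5
"""

# Hypothetical values: the vendor's egress range and the time tokens were revoked.
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
REVOKED_AT = datetime(2025, 1, 14, tzinfo=timezone.utc)


def review_integration_logins(log_text, app, expected_ranges, revoked_at):
    """Return the app's logins that came from outside the expected ranges."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Application"] != app:
            continue  # only the integration under review
        ip = ipaddress.ip_address(row["SourceIp"])
        if any(ip in net for net in expected_ranges):
            continue  # traffic from the vendor's known egress range
        when = datetime.fromisoformat(row["LoginTime"].replace("Z", "+00:00"))
        findings.append({
            "time": when,
            "username": row["Username"],
            "source_ip": str(ip),
            # Use after revocation means the token was not actually killed,
            # or a replacement token is also exposed: escalate these first.
            "after_revocation": when >= revoked_at,
        })
    return findings


if __name__ == "__main__":
    for f in review_integration_logins(SAMPLE_LOG, "Klue", EXPECTED_RANGES, REVOKED_AT):
        print(f["time"].isoformat(), f["source_ip"], f["after_revocation"])
```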

Attribution to the Icarus group rests solely on the group's own public claims, which independent security researchers have not verified. The group's infrastructure and its capacity to replicate similar attacks on other OAuth-dependent platforms remain unknown.