Klue Confirms OAuth Token Theft: Icarus Extortion Group Claims the Attack
The Vancouver-based competitive intelligence platform says attackers stole OAuth tokens and used them to reach customer Salesforce tenants — adding another entry to a growing list of SaaS-to-CRM supply-chain breaches.

Vancouver-based competitive intelligence vendor Klue confirmed in 2025 that attackers stole OAuth tokens from its environment and used them to access Salesforce tenants belonging to its customers.
What Happened
Klue's disclosure is spare on detail. The company says OAuth tokens — the digital keys Klue holds to connect its platform to customer Salesforce orgs — were exfiltrated from its own systems. Attackers then used those tokens to reach into downstream Salesforce environments. Affected customers have been notified directly.
A newly surfaced extortion crew calling itself Icarus has publicly claimed responsibility. The group has published victim information, which is now a standard pressure tactic: force the disclosure timeline by threatening to release data before companies have finished their own investigation.
Why OAuth Token Theft Is Especially Dangerous
OAuth tokens do not behave like passwords. They represent *delegated trust* — a SaaS vendor is handed permission to act on behalf of a customer inside a third-party platform. That permission usually travels with a long-lived refresh token sitting inside the vendor's infrastructure. When the vendor is compromised, the attacker inherits every permission the vendor was ever granted.
Salesforce itself is not the vulnerability here. The flaw is a broadly scoped, long-lived token stored inside a third party with insufficient controls around it. This is the same structural problem seen across a string of 2024 and 2025 incidents involving sales enablement tools, CRM enrichment platforms, and analytics integrators. The Verizon 2024 Data Breach Investigations Report found that credential and authentication attacks accounted for 38% of breaches — and third-party credential abuse is a fast-growing subset of that figure.
For security teams, the takeaway is uncomfortable. Your Salesforce configuration can be clean. Your MFA policies can be strict. And you can still be exposed through a connected app you approved two years ago and have not audited since.
The Regulatory Clock Is Ticking for Downstream Customers
Klue is privately held and does not file with the SEC. Its customers may not be so fortunate.
The SEC's cybersecurity disclosure rule, which took effect in December 2023, requires public companies to file a Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material. The SEC's adopting release made one point explicit: materiality turns on impact to the registrant, not on where the breach originated. A token theft that touched your Salesforce data is your problem to evaluate — even if the token lived at a vendor.
Icarus's public victim list adds pressure. Extortion crews know that publication compresses the timeline. Legal counsel at affected public companies will need to make a materiality determination quickly, without the luxury of waiting for Klue to publish a complete incident report.
Two additional regulatory frameworks apply to specific customer segments:
- CIRCIA reporting: CISA's proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act — published at 89 Fed. Reg. 23644 on April 4, 2024 — would require covered critical infrastructure entities to report substantial cyber incidents within 72 hours. The proposal expressly covers third-party-enabled compromises. A final rule is expected in 2025.
- NIS2 supply-chain obligations: Article 21(2)(d) of Directive (EU) 2022/2555 requires essential and important entities in the EU to manage security risks across their direct supplier relationships. EU-based Klue customers should assess whether this incident triggers notification under Article 23.
What Controls Failed — and What Defenders Must Learn
The Klue breach illustrates a control failure that security teams consistently underweight: third-party token lifecycle management. OAuth tokens issued to SaaS integrators are often granted broad object-level access in Salesforce, never rotated, and rarely audited. When a vendor's environment is compromised, attackers inherit permissions that security teams did not know existed in that form.
The failure is not purely technical. It is a process failure and a visibility failure. Organisations that perform regular connected-app audits — reviewing what OAuth tokens are active, what scopes they carry, and when they were last validated — have a meaningful advantage here. NIST SP 800-63B addresses credential binding and lifecycle management; the same principles apply to delegated tokens in SaaS supply chains.
The human layer matters too. Employees at SaaS vendors like Klue are high-value phishing targets precisely because of the downstream access their credentials unlock. Security-awareness training that specifically covers credential phishing in a SaaS-integration context — not just generic email phishing — is one of the few controls that reduces the probability of initial access before a token is ever stolen. Organisations that have not reviewed their third-party integration inventory recently should treat this incident as the prompt to do so.
"The token is the crown jewel, not the password," said one identity security architect commenting on the broader OAuth abuse trend in 2024. "Attackers figured that out. Most security programs have not caught up."
Klue has not released indicators of compromise, a timeline of when tokens were issued, or details on when revocation occurred. That absence is itself a problem for affected customers who need to scope their own exposure.
Immediate Actions for Affected Organisations
- Rotate all OAuth tokens issued to Klue and any other third-party SaaS connectors with access to your Salesforce org immediately.
- Audit Salesforce connected app records and login history. Look for API calls made outside normal business hours or from unfamiliar IP ranges.
- Preserve logs in anticipation of regulatory inquiry. Do not let standard retention windows delete evidence before you understand the scope.
- Assess materiality if your organisation is publicly traded. The four-business-day clock under SEC Item 1.05 starts from the determination, not the disclosure.
- Review all active SaaS integrations for scope creep. Tokens issued with full read/write access when read-only would suffice are a liability, not a feature.
If your security program does not yet include a formal review process for third-party OAuth grants, reviewing industry frameworks and compliance standards is a practical starting point for building one.
The Icarus brand is new. The technique — steal delegated credentials, monetise downstream trust — is not. Every organisation that has connected a SaaS tool to a production CRM should treat this incident as a stress test of their own supply-chain security posture.
How This Could Have Been Prevented
- Train employees at SaaS vendors and their customers to recognise credential-phishing attacks specifically designed to harvest OAuth and session tokens — generic phishing training misses this threat vector entirely.
- Establish a quarterly connected-app audit process: review every active OAuth token, validate its required scope, and revoke grants from vendors that no longer need access.
- Align your third-party integration security practices with NIST SP 800-63B and supply-chain risk frameworks so token lifecycle management is a documented, repeatable control rather than an ad-hoc task.
Train2Secure's security-awareness programmes include SaaS credential phishing modules designed for exactly this kind of supply-chain threat scenario.
Start free — no card requiredSources & further reading
- https://www.cisa.gov/topics/cyber-threats-and-advisories/cyber-incident-reporting-critical-infrastructure-act-circia
- https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
- https://www.sec.gov/rules/final/2023/33-11216.pdf
- https://www.verizon.com/business/resources/reports/dbir/
Frequently asked questions
What did the Klue breach actually expose?
Attackers stole OAuth tokens Klue held to connect its competitive intelligence platform to customer Salesforce tenants. Those tokens gave attackers delegated access to downstream Salesforce data belonging to Klue's customers — not credentials to Klue's platform itself.
Do Klue's customers need to file an SEC 8-K over this incident?
Publicly traded customers must evaluate whether their own exposure is material under the SEC's December 2023 cybersecurity disclosure rule. The four-business-day filing clock runs from the date of a materiality determination, not from the date of the breach itself.
How do you defend against OAuth token theft at a third-party vendor?
Regularly audit connected apps and the OAuth tokens you have granted to SaaS integrators. Apply least-privilege scopes, set token expiry policies where the platform allows, and review Salesforce login history and API call patterns for anomalous activity.
Is Salesforce itself vulnerable in this incident?
No. Salesforce was the downstream target, not the source of the compromise. The root cause was a stolen token stored inside Klue's environment. This is a supply-chain issue — attackers exploited delegated trust rather than any flaw in Salesforce's platform.


