Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Jun 23, 2026

Threat Actors Exploit OAuth Tokens to Access Salesforce Data

Market intelligence platform Klue has confirmed a security incident that allowed threat actors to steal OAuth tokens connected to customer Salesforce environments. The breach has now expanded as the threat group known as "Icarus" publicly claimed responsibility and began naming alleged victims on its extortion portal.

According to reports, the attackers used a compromised legacy credential tied to a dormant prototype integration. With it they obtained OAuth tokens for connected Salesforce instances and used those tokens to read data without ever supplying a user password or facing a multifactor prompt: the API accepts a valid bearer token as proof of authorization on its own.

Security firms investigating the incident observed attackers querying Salesforce environments at scale, extracting sensitive business information from affected organizations. Klue stated that the incident was contained and that the compromised credential was revoked after discovery.

Incident Overview

Incident Type: OAuth token theft / SaaS data breach

Affected Platform: Klue

Threat Actor: Icarus

Initial Access: Compromised legacy integration credential

Targeted Systems: Salesforce environments connected to Klue

Data Accessed: Business contacts, sales communications, quotes, competitive intelligence

Access Method: Stolen OAuth tokens (no password or MFA prompt required)

Discovery Date: June 2026

Status: Contained and under investigation

How the Attack Worked

The attackers reportedly gained access to a legacy credential associated with an unused prototype integration. Using that credential, they were able to retrieve OAuth tokens that granted access to connected Salesforce customer environments.

An OAuth access token is a bearer credential: the API checks that the token is valid, not who is presenting it or whether that party knows a password. Holding a valid token is therefore enough to call the API. With tokens in hand, the threat actors allegedly ran extensive API queries against the Salesforce environments to collect customer data.

Investigators observed activity patterns consistent with large-scale data collection, including repeated API requests against customer records and sales-related datasets.
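To make the mechanics concrete, the following is an added illustration (not Klue, Salesforce or Icarus code; every client name, secret and record in it is constructed) of an OAuth 2.0 client-credentials integration. It shows that the integration secret alone mints a bearer token, that forcing user password resets does not touch that token, and that deleting the leaked secret stops new tokens while tokens already issued keep working until they expire or are revoked themselves. The client-credentials grant is used as the model; the page does not say which grant or token type the attackers used.

```python
"""
Toy model of an OAuth 2.0 client-credentials integration, showing what a stolen
integration credential buys an attacker and why revoking that credential alone
is not enough.  Added illustration, not Klue or Salesforce code; every name,
secret and record below is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Issues bearer tokens to registered clients (connected apps)."""
    clients: dict = field(default_factory=dict)   # client_id -> client_secret
    tokens: dict = field(default_factory=dict)    # access_token -> (client_id, expiry)
    token_ttl: int = 7200                         # seconds; a typical access-token lifetime

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def token(self, client_id, client_secret, now):
        """client_credentials grant: a valid secret yields a bearer token.
        No user, no password prompt and no MFA challenge occur on this path."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, now + self.token_ttl)
        return access_token

    def introspect(self, access_token, now):
        """Return the owning client_id if the token is known and unexpired."""
        entry = self.tokens.get(access_token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def revoke_client(self, client_id):
        """Delete the client secret.  This only blocks *new* token issuance."""
        self.clients.pop(client_id, None)

    def revoke_tokens_for(self, client_id):
        """Invalidate tokens already issued to the client: the step incident
        response must not skip after rotating or deleting the secret."""
        for tok, (cid, _) in list(self.tokens.items()):
            if cid == client_id:
                del self.tokens[tok]


@dataclass
class CrmApi:
    """Resource server.  It trusts any token the authorization server vouches for;
    user passwords are never consulted on the API path."""
    auth: AuthorizationServer
    records: list = field(default_factory=list)
    user_passwords: dict = field(default_factory=dict)   # username -> password

    def reset_all_passwords(self):
        for user in self.user_passwords:
            self.user_passwords[user] = secrets.token_urlsafe(16)

    def query(self, access_token, now):
        if self.auth.introspect(access_token, now) is None:
            raise PermissionError("INVALID_SESSION_ID")   # Salesforce's error for a dead token
        return list(self.records)


def walkthrough():
    """Run the scenario and return what worked at each step."""
    auth = AuthorizationServer()
    auth.register_client("prototype-integration", "secret-left-in-old-config")  # constructed
    crm = CrmApi(auth,
                 records=[{"Name": "Example Corp", "Quote": 120000}],   # constructed record
                 user_passwords={"alice": "hunter2"})
    out = {}

    # 1. The attacker holds only the integration secret and mints a token.
    tok = auth.token("prototype-integration", "secret-left-in-old-config", now=1000)
    out["reads_with_secret_only"] = len(crm.query(tok, now=1000))

    # 2. Forcing every user to reset their password does nothing to the token.
    crm.reset_all_passwords()
    out["reads_after_password_reset"] = len(crm.query(tok, now=1500))

    # 3. Revoking the leaked secret stops further token issuance...
    auth.revoke_client("prototype-integration")
    try:
        auth.token("prototype-integration", "secret-left-in-old-config", now=1600)
        out["new_token_after_secret_revoked"] = True
    except PermissionError:
        out["new_token_after_secret_revoked"] = False

    # 4. ...but the token already minted keeps working until it expires (2h here)
    #    or is explicitly revoked.
    out["reads_after_secret_revoked"] = len(crm.query(tok, now=2000))
    auth.revoke_tokens_for("prototype-integration")
    try:
        crm.query(tok, now=2001)
        out["reads_after_token_revoked"] = True
    except PermissionError:
        out["reads_after_token_revoked"] = False
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

Step 4 is the point incident responders most often miss: "the compromised credential was revoked" is necessary but not sufficient, because the tokens the credential already produced are independent objects with their own lifetime.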

Data Potentially Exposed

Klue and investigators indicate that the compromised data may include:

  • Business contact information

  • Customer relationship records

  • Internal sales communications

  • Pricing and quote information

  • Competitive intelligence reports

  • Salesforce account data linked to Klue integrations

The company stated that passwords, payment card information, and direct authentication credentials were not exposed as part of the incident.

Icarus Claims the Attack

Following public disclosure of the incident, the threat actor known as Icarus claimed responsibility and began listing alleged victims on its extortion infrastructure. The group has been active throughout 2026 and has been associated with multiple data theft and extortion campaigns targeting SaaS platforms and cloud-connected environments.

As is common in modern extortion operations, attackers are attempting to pressure affected organizations into negotiations by threatening to leak stolen data publicly. At the time of reporting, investigations into the full scope of impacted organizations remain ongoing.


Why OAuth-Based Attacks Are Increasing

OAuth integrations simplify access between cloud applications but can create significant security risks when tokens or integration credentials are compromised.

Unlike passwords, OAuth tokens often:

  • Remain valid for long periods, and a refresh token can be exchanged for new access tokens indefinitely until it is revoked

  • Carry broad scopes that were granted once at consent time and are rarely reviewed afterwards

  • Allow API access with no interactive login, and therefore no MFA prompt

  • Survive a password reset, which changes the user's credential but leaves already-issued tokens valid

Threat actors increasingly target third-party SaaS integrations because compromising a single integration can provide access to multiple downstream customer environments.

Recommended Mitigation Steps

Organizations using SaaS integrations should take the following actions:

1. Audit OAuth Applications

Review every connected OAuth application, including the scopes it holds and when its tokens were last used, and remove unused, prototype or legacy integrations.

2. Rotate Integration Credentials

Immediately rotate credentials associated with third-party integrations and service accounts.

3. Monitor API Activity

Monitor API activity per connected app and client: unusual request volumes, reads across many objects in a short window, bulk exports, and access from new IP ranges. In Salesforce this data is available through event monitoring API logs and login history.

4. Enforce Least Privilege

Limit OAuth scopes and permissions to only the resources necessary for business operations.

5. Review Third-Party Risk

Continuously assess vendors and SaaS providers that maintain access to corporate systems and data.

6. Establish Token Revocation Procedures

Ensure security teams can rapidly revoke OAuth tokens during incident response, and treat this as a separate step from rotating or deleting the integration credential: removing the credential only stops new tokens from being issued, while access and refresh tokens already minted stay valid until they expire or are explicitly revoked.
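As an added example of steps 1 and 3 (not Klue's, Salesforce's or any vendor's code), the script below runs two checks over constructed data: an inventory of connected apps is screened for integrations whose tokens have not been used in 90 days, and API event rows are bucketed per client and ten-minute window to flag a client that pulls thousands of rows across many objects. The CSV column names are assumptions, loosely modelled on Salesforce's API event log; a real export has to be mapped onto them.

```python
"""
Two checks behind the mitigation steps above: an audit for dormant connected
apps (step 1) and a detector for bulk API extraction (step 3).  Added example,
not Klue's or Salesforce's code.  The CSV inputs are constructed and only
loosely modelled on Salesforce's API event log; the column names are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed connected-app inventory: name, date a token was last used, OAuth scopes.
CONNECTED_APPS_CSV = """\
app,last_used,scopes
crm-sync-prod,2026-06-20,api refresh_token
bi-export,2026-06-18,api
prototype-intel-test,2025-09-03,api refresh_token full
chat-notify,2026-06-22,api
"""

# Constructed API event rows, one per request, in the style of an API event log.
API_EVENTS_CSV = """\
TIMESTAMP,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
2026-06-12T01:00:05Z,crm-sync-prod,Account,200,203.0.113.10
2026-06-12T01:00:09Z,crm-sync-prod,Contact,150,203.0.113.10
2026-06-12T01:02:11Z,prototype-intel-test,Contact,2000,198.51.100.7
2026-06-12T01:02:40Z,prototype-intel-test,Opportunity,2000,198.51.100.7
2026-06-12T01:03:02Z,prototype-intel-test,Quote,2000,198.51.100.7
2026-06-12T01:03:30Z,prototype-intel-test,EmailMessage,2000,198.51.100.7
2026-06-12T01:04:01Z,prototype-intel-test,Lead,2000,198.51.100.7
2026-06-12T01:10:00Z,bi-export,Opportunity,5000,203.0.113.44
"""

AUDIT_DATE = date(2026, 6, 23)   # constructed "today" for the dormancy check


def dormant_apps(inventory_csv, today, max_idle_days=90):
    """Step 1: apps whose tokens have not been used for more than max_idle_days.
    Returns (app, idle_days, scopes), most idle first; a 'full' scope deserves a look."""
    found = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        last_used = datetime.strptime(row["last_used"], "%Y-%m-%d").date()
        idle = (today - last_used).days
        if idle > max_idle_days:
            found.append((row["app"], idle, row["scopes"]))
    return sorted(found, key=lambda r: r[1], reverse=True)


def bulk_extraction(events_csv, window_minutes=10, max_rows=5000, max_entities=3):
    """Step 3: per client and fixed time window, alert when the rows pulled exceed
    max_rows or more than max_entities distinct objects are read.  Wide fan-out
    across objects in a short window is an enumeration pattern, not a normal sync."""
    buckets = defaultdict(lambda: {"requests": 0, "rows": 0, "entities": set(), "ips": set()})
    for row in csv.DictReader(io.StringIO(events_csv)):
        ts = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        slot = (ts.hour * 60 + ts.minute) // window_minutes   # fixed windows within the day
        b = buckets[(row["CLIENT_NAME"], ts.date(), slot)]
        b["requests"] += 1
        b["rows"] += int(row["ROWS_PROCESSED"])
        b["entities"].add(row["ENTITY_NAME"])
        b["ips"].add(row["CLIENT_IP"])

    alerts = []
    for (client, day, slot), b in sorted(buckets.items()):
        reasons = []
        if b["rows"] > max_rows:
            reasons.append(f"rows={b['rows']} > {max_rows}")
        if len(b["entities"]) > max_entities:
            reasons.append(f"entities={len(b['entities'])} > {max_entities}")
        if reasons:
            start_min = slot * window_minutes
            alerts.append({
                "client": client,
                "window_start": f"{day}T{start_min // 60:02d}:{start_min % 60:02d}Z",
                "requests": b["requests"],
                "rows": b["rows"],
                "entities": sorted(b["entities"]),
                "source_ips": sorted(b["ips"]),
                "reasons": reasons,
            })
    return alerts


def run_checks():
    """Run both checks on the constructed inputs."""
    return {"dormant": dormant_apps(CONNECTED_APPS_CSV, AUDIT_DATE),
            "alerts": bulk_extraction(API_EVENTS_CSV)}


if __name__ == "__main__":
    results = run_checks()
    print("dormant apps:", results["dormant"])
    for alert in results["alerts"]:
        print("ALERT", alert)
```

On the constructed data the dormancy check surfaces only the prototype app, idle for roughly ten months and still holding a `full` scope, and the extraction check fires on that same client for 10,000 rows across five objects in one window while the 5,000-row BI export stays below the threshold. Thresholds should be set from a baseline of each app's normal volume rather than copied from this example.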

Key Takeaway

The Klue breach highlights how attackers are increasingly targeting OAuth integrations rather than traditional user credentials. By compromising a single integration credential, the Icarus threat group allegedly gained access to Salesforce-connected environments and valuable business data across multiple organizations.

As SaaS ecosystems continue to expand, organizations must treat OAuth tokens and third-party integrations as highly privileged assets, applying the same level of monitoring, access control, and incident response preparedness used for traditional credentials.
