Cybersecurity Alert: Klue OAuth Breach and Salesforce Data Exfiltration
Member firms should be aware of a significant security breach affecting Klue, a business sales intelligence platform, that has resulted in unauthorized access to customer data stored in integrated third-party platforms, including Salesforce, HubSpot, Gong, and other CRM systems. The threat actor, identifying itself as "Icarus,"[1] is conducting an ongoing extortion campaign targeting affected organizations. This Alert describes the incident and includes recommendations to help firms identify potential exposure and mitigate the threat.
Background
On June 12, 2026, Klue detected a security breach in which threat actor Icarus used a compromised service-account credential to access Klue's backend systems. The attackers exploited this access to steal customer OAuth[2] tokens used to integrate Klue's business competitor intelligence product "Battlecards" with third-party platforms, including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. Using the stolen OAuth tokens, the threat actors accessed connected Salesforce instances directly and exfiltrated CRM data in bulk using automated Python scripts. The stolen data includes business contact information, support case data, and business intelligence reports.
In response to the incident, Salesforce and Gong have disabled the Klue Battlecards integration. Klue has also disabled integrations with multiple platforms while the investigation continues. More than a dozen organizations have confirmed impact, including LastPass, 8x8, Pendo, HackerOne, Huntress, Insurity, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, BeyondTrust, NoPass (formerly LogMeIn), and GMS,[3] among others.
Icarus has sent extortion emails to affected organizations using the alias "mr bean" and has established a Tor-based data leak site listing victims. Icarus is believed to have launched in April 2026 and is conducting an active extortion campaign.
Indicators of Compromise
Several companies have shared IP addresses and malicious email domains linked to the attacks:
IP Addresses:
- 138.226.246.94
- 212.86.125.24
- 213.111.148.90
- 94.154.32.160
- 159.183.215.61
- 159.183.181.239
Malicious Email Sender Domains:
- baccarat.com[.]au
- robinskitchen.com[.]au
- house.com[.]au
Recommendations to Protect Your Firm
To protect against this incident and similar attacks, FINRA recommends member firms:
- Identify whether your firm or any of your critical vendors use Klue Battlecards or have integrated Klue with Salesforce, HubSpot, or other third-party platforms.
- Alert technology staff to the indicators of compromise listed above and direct them to examine Salesforce and related Software as a Service (SaaS) platform logs for:
  - activity originating from the suspicious IP addresses;
  - unusual API activity, particularly targeting REST API endpoints;
  - OAuth token usage patterns that deviate from normal business operations; and
  - automated or high-volume data queries occurring over short time periods.
- Revoke and rotate OAuth tokens associated with Klue integrations immediately.
- Terminate active sessions related to Klue integrations.
- Monitor for extortion attempts: Watch for emails from suspicious senders (e.g., alias "mr bean") or communications originating from the malicious domains listed above. These emails may contain Session Messenger contact information or ransom demands. Remind employees that only communications from official support channels should be trusted.
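The log review described above (IoC IP matches, REST API bursts, and high-volume queries over short periods) can be scripted. The following is an added example, not code from the Alert or from any of the named vendors; it runs over a constructed sample log in a simplified CSV shape, and the column names and thresholds are assumptions to be mapped onto your own Salesforce or SaaS export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# IP indicators quoted in the Alert.
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90",
           "94.154.32.160", "159.183.215.61", "159.183.181.239"}

# Constructed sample log; column names are assumptions, not a real export schema.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CLIENT_IP,URI,ROWS_PROCESSED
2026-06-12T03:00:01Z,005A1,10.1.2.3,/services/data/v60.0/query,200
2026-06-12T03:00:05Z,005B2,138.226.246.94,/services/data/v60.0/query,2000
2026-06-12T03:00:09Z,005B2,138.226.246.94,/services/data/v60.0/query/01gX-2000,2000
2026-06-12T03:00:14Z,005B2,138.226.246.94,/services/data/v60.0/query/01gX-4000,2000
2026-06-12T03:00:20Z,005B2,138.226.246.94,/services/data/v60.0/query/01gX-6000,2000
2026-06-12T03:00:26Z,005B2,138.226.246.94,/services/data/v60.0/query/01gX-8000,2000
2026-06-12T09:15:00Z,005A1,10.1.2.3,/services/data/v60.0/sobjects/Case/500x,1
"""

WINDOW = timedelta(minutes=5)   # assumed burst window
CALLS_PER_WINDOW = 5            # assumed threshold: tune to the org's baseline
BULK_ROWS = 5000                # assumed threshold for rows returned per user

def analyze(log_text):
    """Return a list of (finding, user, detail) tuples for the three checks."""
    ioc_hits, calls, rows_by_user = set(), defaultdict(list), defaultdict(int)
    for r in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        if r["CLIENT_IP"] in IOC_IPS:                      # check 1: IoC IP
            ioc_hits.add((r["USER_ID"], r["CLIENT_IP"]))
        if r["URI"].startswith("/services/data/"):         # REST API call
            calls[(r["USER_ID"], r["CLIENT_IP"])].append(ts)
        rows_by_user[r["USER_ID"]] += int(r["ROWS_PROCESSED"])
    findings = [("ioc_ip", u, ip) for u, ip in sorted(ioc_hits)]
    for (user, ip), stamps in calls.items():               # check 2: REST burst
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):                   # sliding time window
            while t - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= CALLS_PER_WINDOW:
                findings.append(("burst", user, ip))
                break
    for user, n in rows_by_user.items():                   # check 3: bulk rows
        if n >= BULK_ROWS:
            findings.append(("bulk_rows", user, n))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```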
This incident demonstrates how threat actors can compromise trusted platforms and exploit supply chain vulnerabilities. Firms should review their security configurations, verification protocols, and third-party integration controls.
Firms should also review their vendor risk management programs to ensure they have processes in place to respond to third-party security incidents, including policies, procedures, and controls related to cloud platform configuration and third-party service management. Related effective practices can be found in the Third-Party Risk Landscape section of the 2026 FINRA Annual Regulatory Oversight Report.
For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU). Both the FBI and CISA urge you to promptly report cyber incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the firm’s size and business model.
[1] Icarus is a ransomware and extortion threat actor that has been active since at least April 2026. The group operates a Tor-based data leak site that appeared in May 2026 and follows the common extortion model of stealing data and threatening public release. Early reporting indicated limited public victim listings, suggesting either a new operation or one still building visibility.
[2] OAuth (Open Authorization) is an industry-standard authorization framework that allows users to grant third-party applications secure access to their data or accounts without sharing login credentials.
[3] "BeyondTrust, LastPass Impacted by Klue-Salesforce incident," SecurityWeek, https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/.