Breaches
Jun 23, 2026
Scope of Salesforce Attacks Expands as Icarus Leaks Data
Salesforce data stolen via Klue OAuth token breach; Icarus threat actor claims responsibility.
Summary
The scope of recent attacks has widened as the Icarus threat actor claims to have exfiltrated data from multiple Salesforce customers. The attackers initially compromised application vendor Klue, exploiting its OAuth tokens to gain unauthorized access to customer data stored within Salesforce. This incident highlights the risks associated with third-party access and the potential for supply chain attacks to impact downstream customers.
Indicators of Compromise
- malware — Icarus
Entities
- Salesforce (product)
- OAuth tokens (product)
- Klue (vendor)
- Icarus (threat_actor)