security · jun 23, 2026 · 17:04 utc
Klue OAuth Supply Chain Attack Hits LastPass Salesforce Data
Attackers stole OAuth tokens from Klue to breach LastPass Salesforce data on June 12, 2026. Nine orgs confirmed hit; Salesforce shut the Klue app June 17.
by Emanuel De Almeida

TL;DR
- LastPass confirmed attackers accessed customer data in its Salesforce environment after stealing OAuth tokens held by third-party vendor Klue in a supply chain attack.
- The breach started June 11, 2026, when attackers exploited a dormant legacy credential from an abandoned prototype integration at Klue.
- An extortion group called Icarus claimed responsibility, contacting victims via Session Messenger with 48-hour ransom deadlines.
- At least nine organizations had data exfiltrated, including HackerOne, Huntress, Jamf, Recorded Future, and Snyk.
- Salesforce disabled the Klue Battlecards app connection across all customer environments on June 17, 2026.
What Was the Klue OAuth Supply Chain Attack?
This was a supply chain attack. The weakness was not inside LastPass at all - it was one layer upstream, at Klue. On June 12, 2026, LastPass was notified of a breach at Klue, a third-party market intelligence platform integrated with its Salesforce and Gong systems. An unauthorized actor obtained OAuth tokens Klue held on behalf of its customers and used those tokens to pull customer data directly from LastPass's Salesforce environment. According to the LastPass official incident disclosure, no vault data or master passwords were involved.
The broader pattern here is not unusual. Third-party involvement in breaches doubled from 15% to 30% in a single year - the largest single-year shift ever recorded - per the Verizon 2025 Data Breach Investigations Report, which analyzed over 22,000 incidents across 139 countries. When a trusted integration holds live OAuth tokens, it becomes a target that can bypass the primary vendor's own defenses entirely.
How Did Attackers Steal Klue OAuth Tokens?
The entry point was a single forgotten credential - specifically, a dormant service account created for a prototype integration that was abandoned but never decommissioned. According to Huntress's forensic investigation, attackers gained initial access to Klue on June 11, 2026 using that long-disused but still-active credential, then pivoted to steal OAuth tokens that Klue's customers used to query their CRM tools directly. That one unrevoked account unlocked the entire downstream attack chain.
After harvesting the tokens, attackers moved fast. ReliaQuest observed automated Python scripts querying Salesforce's REST API for nearly 24 continuous hours, with close to a thousand API queries fired in a single 15-minute window in at least one victim environment. Reconnaissance ran through the /services/data/v59.0/sobjects endpoint before bulk exfiltration began, per BleepingComputer's coverage of the broader campaign. The speed and automation suggest the attackers came prepared with tooling built specifically for Salesforce REST API enumeration.
When we reviewed the API query patterns described in the ReliaQuest findings, the volume - nearly 1,000 calls in 15 minutes - would exceed Salesforce's default API governor limits for most connected apps, which means standard monitoring thresholds would likely have flagged this. The fact that it went undetected long enough to complete exfiltration points to either absent alerting or alerts that were not actioned in time.
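The volume-based alerting the article says was missing is straightforward to express in code. The block below is an added example written for this page, not code from ReliaQuest, Datadog, Salesforce or LastPass: it parses API event rows, slides a time window over each connected app's calls to catch bursts, and separately flags an app that touches the sobjects describe surface and then issues a run of queries shortly afterwards (the recon-then-bulk sequence described above). The CSV columns are constructed and only loosely modelled on Salesforce EventLogFile fields, the app identifiers are made up, and the 15-minute window, 100-call threshold and one-hour recon gap are assumed tuning values rather than platform defaults. It also covers the "review API logs" and "alert on API call volume" steps in the admin checklist further down.

```python
"""Volume and recon-then-bulk detection over Salesforce-style API event rows.

Added example for this article, not code from ReliaQuest, Datadog, Salesforce
or LastPass. The CSV columns are constructed, loosely modelled on Salesforce
EventLogFile fields; the 15-minute window, the 100-call threshold and the
one-hour recon-to-bulk gap are assumed tuning values, not platform defaults.
"""
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the sobjects describe surface used for reconnaissance, any API version.
SOBJECTS_RE = re.compile(r"^/services/data/v\d+\.\d+/sobjects(?:/|$)")


def build_sample_csv() -> str:
    """Constructed log: app A describes sobjects, then fires 300 queries in
    ten minutes; app B issues one query per minute, which is ordinary traffic."""
    base = datetime(2026, 6, 12, 1, 0, 0, tzinfo=timezone.utc)
    rows = ["TIMESTAMP_DERIVED,CONNECTED_APP_ID,METHOD,URI"]

    def add(ts, app, uri):
        rows.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')},{app},GET,{uri}")

    add(base, "0H4APP_A", "/services/data/v59.0/sobjects")
    add(base + timedelta(seconds=5), "0H4APP_A", "/services/data/v59.0/sobjects/Account/describe")
    for i in range(300):
        add(base + timedelta(seconds=60 + 2 * i), "0H4APP_A",
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
    for i in range(60):
        add(base + timedelta(minutes=i), "0H4APP_B",
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Lead")
    return "\n".join(rows) + "\n"


def parse_events(csv_text):
    """Return (timestamp, app_id, method, uri) tuples sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), row["CONNECTED_APP_ID"],
                       row["METHOD"], row["URI"]))
    events.sort()
    return events


def detect_bursts(events, window=timedelta(minutes=15), threshold=100):
    """Per connected app, slide a time window over its calls and record the
    peak count whenever it exceeds `threshold`. Returns {app_id: peak_count}."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, app, _method, _uri in events:
        q = recent[app]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[app] = max(peaks.get(app, 0), len(q))
    return peaks


def detect_recon_then_bulk(events, gap=timedelta(hours=1), min_calls=50):
    """Flag apps that touch the sobjects describe surface and then issue at
    least `min_calls` non-describe calls within `gap` of that first recon call."""
    first_recon = {}
    follow_up = defaultdict(int)
    for ts, app, _method, uri in events:
        if SOBJECTS_RE.match(uri):
            first_recon.setdefault(app, ts)
        elif app in first_recon and ts - first_recon[app] <= gap:
            follow_up[app] += 1
    return {app: n for app, n in follow_up.items() if n >= min_calls}


if __name__ == "__main__":
    evts = parse_events(build_sample_csv())
    print("burst peaks:", detect_bursts(evts))               # {'0H4APP_A': 302}
    print("recon then bulk:", detect_recon_then_bulk(evts))  # {'0H4APP_A': 300}
```

The two detectors are deliberately independent: a legitimate integration can produce a burst during a scheduled sync, and a developer can browse the describe surface without exfiltrating anything, so an app that trips both is a much stronger signal than either alone. Thresholds should be set from a baseline of each app's normal call rate rather than from the numbers assumed here.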
The prior Salesloft-Drift OAuth token supply chain attack in August 2025 followed a near-identical pattern: persistent OAuth refresh tokens were leveraged across more than 700 downstream organizations, with the blast radius found to be 10 times greater than incidents where attackers infiltrated Salesforce directly, per Obsidian Security. The Klue breach confirms that this attack class is repeatable and scaling.
Who Is the Icarus Extortion Group?
A newly emerged extortion group called Icarus has claimed responsibility for this campaign. The group has been active since at least April 28, 2026, running a systematic extortion campaign against multiple organizations by contacting victims through Session Messenger and issuing 48-hour ransom deadlines, threatening to publish or sell stolen data if payment is not received. Datadog Security Labs published technical indicators and detection guidance tied to Icarus activity across Salesforce environments.
Icarus is a new name, but the tactics follow a pattern the security industry has seen before. Deadline-pressure extortion after CRM data theft - contact via encrypted messenger, short payment window, threat of public exposure - mirrors campaigns from earlier groups targeting SaaS-connected environments. What makes Icarus distinct is the deliberate focus on OAuth token theft as the initial access vector rather than phishing or direct vulnerability exploitation. That specificity suggests a group with targeted tooling, not opportunistic actors.
For context on how similar groups use multi-stage access techniques to avoid detection, see how the Gentlemen ransomware group deployed a multi-EDR killer suite to blind defenses before exfiltrating data - a comparable approach to staying inside an environment undetected long enough to complete the job.
Who Else Did the Klue Breach Affect?
LastPass is not alone. At least nine organizations confirmed data exfiltration in the Klue breach. The confirmed victim list, as reported by BleepingComputer:
- HackerOne
- Huntress
- Jamf
- Recorded Future
- Tanium
- Snyk
- OneTrust
- Sprout Social
- Insurity
The data stolen from these Salesforce CRM systems included business contacts, price quotes, sales communications, and opportunity notes, according to TechCrunch's investigation of the wider breach. For any competitor or nation-state actor, that category of data - pricing strategy, active deal flow, named contacts - carries significant intelligence value.
Salesforce responded on June 17, 2026, disabling the Klue Battlecards app connection across all customer environments after detecting suspicious activity. The company stated the issue originated from Klue's integration, not a flaw in the Salesforce platform itself. This mirrors the pattern seen in the broader Klue OAuth breach disclosure from June 2026, where the platform was the delivery mechanism, not the vulnerability.
The financial exposure from incidents like this is significant. A supply chain compromise costs an average of $4.91 million and takes 267 days to identify and contain - the longest breach lifecycle of any vector tracked - per the IBM 2025 Cost of a Data Breach Report.
What Should Admins Do About OAuth Supply Chain Risk?
If your organization uses Klue, any Salesforce-connected third-party OAuth app, or similar market intelligence integrations, act now. The core problem this incident exposed is not unique to Klue: OAuth tokens held by third parties create a persistent access surface that most organizations do not actively monitor or revoke. The steps below address the immediate incident and the structural gap it revealed.
- Audit all connected OAuth apps in Salesforce via Setup > Connected Apps > Manage Connected Apps, and revoke tokens for any app not actively in use.
- Review your Salesforce API usage logs for queries to /services/data/v59.0/sobjects - high-frequency requests from any connected app need investigation.
- Rotate all OAuth tokens associated with Klue or any vendor confirmed as involved in this incident.
- Search your identity provider for dormant or legacy service accounts tied to integrations that are no longer active, then decommission and delete them.
- Enable Salesforce Event Monitoring if not already active, and configure alerts for API call volume thresholds that would catch automated query bursts like the ones ReliaQuest documented.
- If you received contact via Session Messenger from an unknown party referencing your Salesforce data, preserve the communication and notify your incident response team before responding.
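The audit, rotation and decommissioning steps above share one decision: for each token or integration account, should it be rotated, revoked or left alone? The block below is an added example for this page, not code from Salesforce, LastPass or Klue, that applies those rules to an exported token inventory. The record layout is constructed and only loosely modelled on the OAuthToken fields Salesforce exposes (AppName, UserId, CreatedDate, LastUsedDate); the 90-day dormancy threshold, the approved-app allowlist, the user identifiers and the audit timestamp are assumed values for the example, not policy anyone has published.

```python
"""Triage of connected-app OAuth tokens into rotate / revoke / keep.

Added example for this article, not code from Salesforce, LastPass or Klue.
The record layout is constructed (loosely modelled on the OAuthToken fields
Salesforce exposes: AppName, UserId, CreatedDate, LastUsedDate); the 90-day
dormancy threshold, the approved-app list and the audit timestamp are assumed
policy values for the example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

AUDIT_TIME = datetime(2026, 6, 18, tzinfo=timezone.utc)   # constructed
DORMANT_AFTER = timedelta(days=90)                          # assumed policy
APPROVED_APPS = {"Klue Battlecards", "Gong", "Slack"}       # assumed allowlist
# Apps whose vendor is confirmed involved in the incident: rotate regardless of age.
INCIDENT_VENDOR_APPS = {"Klue Battlecards"}


@dataclass
class TokenRecord:
    app_name: str
    user_id: str
    created: datetime
    last_used: Optional[datetime]   # None: issued but never exercised


def triage(tokens, now=AUDIT_TIME):
    """Return (record, action, reason) triples; rules are ordered so the most
    urgent finding wins when several apply."""
    findings = []
    for t in tokens:
        if t.app_name in INCIDENT_VENDOR_APPS:
            findings.append((t, "rotate", "vendor confirmed involved in incident"))
        elif t.app_name not in APPROVED_APPS:
            findings.append((t, "revoke", "connected app not on approved list"))
        elif t.last_used is None:
            findings.append((t, "revoke", "token issued but never used"))
        elif now - t.last_used > DORMANT_AFTER:
            idle = (now - t.last_used).days
            findings.append((t, "revoke", f"dormant: last used {idle} days ago"))
        else:
            findings.append((t, "keep", "approved and recently active"))
    return findings


def count_actions(findings):
    """Summarise how many tokens fall under each action."""
    return dict(Counter(action for _, action, _ in findings))


def sample_tokens():
    """Constructed inventory: one live Klue token, one healthy Gong token, an
    abandoned prototype integration, an unused Slack token, a stale Gong token."""
    def d(*parts):
        return datetime(*parts, tzinfo=timezone.utc)
    return [
        TokenRecord("Klue Battlecards", "005EXAMPLE01", d(2025, 3, 1), d(2026, 6, 16)),
        TokenRecord("Gong", "005EXAMPLE02", d(2025, 9, 10), d(2026, 6, 13)),
        TokenRecord("Prototype CRM Sync", "005EXAMPLE03", d(2024, 2, 20), d(2024, 4, 2)),
        TokenRecord("Slack", "005EXAMPLE04", d(2026, 5, 30), None),
        TokenRecord("Gong", "005EXAMPLE05", d(2025, 1, 15), d(2025, 11, 1)),
    ]


if __name__ == "__main__":
    for rec, action, reason in triage(sample_tokens()):
        print(f"{action:<7} {rec.app_name:<20} user={rec.user_id}  {reason}")
    print(count_actions(triage(sample_tokens())))  # {'rotate': 1, 'keep': 1, 'revoke': 3}
```

The "Prototype CRM Sync" record is the case the Klue investigation turned on: an integration nobody approved, last exercised long ago, still holding a live token. Run against a real export, the allowlist check catches that class first, before any age-based rule, which is why it is ordered ahead of the dormancy test.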
The credential reuse problem extends beyond Salesforce integrations. The FortiBleed leak that exposed VPN credentials for 73,932 Fortinet devices is a reminder that dormant credentials - whether on a VPN appliance or a prototype integration account - are consistently among the most exploited entry points in breach investigations. The median time to remediate leaked secrets found in a repository was 94 days, per the Verizon 2025 DBIR, which means most organizations are carrying active exposure far longer than they realize.
For teams managing identity controls via Intune, the step-by-step guide to deploying a trusted root certificate with Intune covers the certificate and trust infrastructure that underpins OAuth flows in managed environments. Additionally, the Intune Scope Tags setup guide for sysadmins is useful context if you are segmenting access by department to limit the blast radius of a compromised integration account.
Broken access controls at the identity layer enabled this breach. The Broken Entra Access Controls that exposed FIFA World Cup streams shows a different surface with the same root cause: when token-based access is not scoped tightly and audited regularly, the exposure compounds fast.
Frequently Asked Questions
Was LastPass vault data or user passwords stolen?
No. LastPass confirmed the breach affected data within its Salesforce CRM environment only. Encrypted vault data, master passwords, and authentication credentials stored in the LastPass product were not accessed or exposed.
Is this a Salesforce vulnerability?
No. Salesforce confirmed the issue originated with Klue's integration. The attack exploited OAuth tokens that Klue held on behalf of customers, allowing attackers to authenticate as a legitimate connected app without exploiting any flaw in the Salesforce platform itself.
What type of data was taken from affected organizations?
Stolen data was limited to CRM content: business contacts, price quotes, sales communications, and opportunity notes. No password databases or financial account records have been reported as part of the confirmed exfiltration across the nine affected organizations.
Should LastPass users change their master passwords?
Based on current disclosures, changing your master password is not required for this specific incident. However, if you reuse your LastPass account email address or password elsewhere, this is a good time to confirm those credentials are unique and not recycled across other services.
How did attackers stay undetected long enough to complete exfiltration?
ReliaQuest's findings point to the use of automated Python scripts that mimicked legitimate connected-app behavior. The queries ran through a standard Salesforce REST API endpoint, making them hard to distinguish from normal Klue integration traffic without volume-based alerting in place.
source: www.anavem.com

