
Jun 19, 2026 · 6 min read

Klue's Dormant OAuth Token Let Hackers Loot Salesforce in 15 Minutes

A threat actor reactivated a dormant OAuth token from a deprecated Klue competitive intelligence integration and used it to exfiltrate Salesforce CRM data from multiple enterprise clients before the activity was detected. The attack, dubbed "Icarus" by researchers, exploited a class of vulnerability hiding in every organization that uses SaaS integrations: the authorized connection nobody remembered to revoke.

Klue, a competitive intelligence platform used by enterprise sales teams, disclosed in June 2026 that a threat actor had obtained a long-lived OAuth refresh token associated with a deprecated integration between Klue and Salesforce. The token granted read access to Salesforce CRM objects — accounts, contacts, opportunities, and competitive battlecards — for organizations that had set up the integration and never explicitly revoked it when they stopped using the feature. Researchers at Permiso Security who analyzed the attack pattern named it "Icarus" and estimated the exfiltration window at approximately 15 minutes per affected tenant before Salesforce anomaly detection triggered alerts.

Key Takeaways

  • A threat actor stole a long-lived OAuth refresh token from Klue's deprecated Salesforce integration and used it to access CRM data at multiple enterprise clients.
  • The integration had been functionally discontinued by Klue but the OAuth authorization grants in affected customers' Salesforce orgs were never revoked.
  • Data exfiltrated includes Salesforce accounts, opportunity pipeline values, contacts, and competitive intelligence battlecards — high-value targets for corporate espionage.
  • The attack class — "dormant OAuth token abuse" — is widespread across SaaS environments and exploits the gap between feature deprecation and authorization cleanup.
  • Organizations should audit their Salesforce Connected Apps and OAuth authorization logs immediately; the attack pattern is applicable to any CRM or cloud system with SaaS integrations.

How the Icarus Attack Worked

The attack exploited a three-stage failure chain that security researchers at Permiso describe as increasingly common in SaaS-heavy enterprise environments:

  • Stage 1 — Dormant token acquisition: The threat actor obtained a long-lived OAuth refresh token from Klue's infrastructure. Klue has not disclosed whether the token was stolen via a breach of Klue's own systems, a phishing attack against an employee with access to integration credentials, or exposure in a code repository or configuration file. Long-lived refresh tokens, unlike short-lived access tokens, do not expire unless explicitly revoked — making them high-value persistent credentials.
  • Stage 2 — Authorization scope exploitation: The token retained the scopes granted when the integration was set up: read access to Salesforce objects including accounts, opportunities, contacts, and custom objects. The Klue integration had been functionally discontinued — Klue was no longer making API calls with it — but the authorization grant in each customer's Salesforce org remained active. The token still worked.
  • Stage 3 — Rapid exfiltration: Using Salesforce's SOQL (Salesforce Object Query Language) API, the threat actor ran bulk queries against affected orgs, downloading pipeline data and competitive intelligence content before Salesforce's anomaly detection flagged the unusual query volume. The 15-minute window per tenant was sufficient to extract tens of thousands of records.

[Figure: abstract OAuth token flow diagram with a broken chain link]

Why OAuth Tokens Are the New Forgotten Password

OAuth was designed to decouple authorization from authentication — a user authorizes a third-party application to access their data without sharing their password, and the authorization can be revoked independently of the account. In practice, authorization revocation almost never happens.

A typical enterprise Salesforce org has dozens to hundreds of connected applications — marketing automation tools, competitive intelligence platforms, analytics integrations, data enrichment services. Each was set up by someone with Salesforce admin access, usually to solve a specific problem. When that tool is discontinued, decommissioned, or replaced, the Salesforce connected app authorization is rarely cleaned up. It simply stops being used. But it does not stop being valid.

The Icarus attack demonstrates what happens when a threat actor acquires the token for one of those forgotten authorizations. From the Salesforce API's perspective, the request is legitimate — it comes from an authorized application with valid credentials. There is no failed login to detect, no brute-force pattern to block, no anomaly in the token itself. The only signal is the query volume, which Salesforce's anomaly detection caught after 15 minutes rather than immediately.
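To make the "forgotten authorization" point concrete, the following is an added example, not code from the article, from Klue, or from Salesforce. It models an authorization server's refresh-token store under two policies: the weak one, where a refresh token is honoured forever unless someone explicitly revokes it, and a hardened one that retires any grant not refreshed within an inactivity limit. The class and function names, the client id `comp-intel-connector`, the 30-day limit and the timeline are all assumptions made for the example; in a real Salesforce org the equivalent control is the Connected App's refresh-token policy, not application code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class RefreshToken:
    """One long-lived grant held by an integration (a Connected App)."""
    client_id: str
    scopes: frozenset
    issued_at: datetime
    last_used: datetime
    revoked: bool = False


class TokenStore:
    """Authorization-server-side store for refresh tokens (hypothetical).

    inactivity_limit=None models the weak setting: a token stays valid until
    explicitly revoked.  A timedelta models the hardened setting: a token not
    refreshed within the limit is dormant and is rejected on its next use.
    """

    def __init__(self, inactivity_limit=None):
        self.inactivity_limit = inactivity_limit
        self._tokens = {}

    def issue(self, client_id, scopes, now):
        value = secrets.token_urlsafe(32)
        self._tokens[value] = RefreshToken(client_id, frozenset(scopes), now, now)
        return value

    def refresh(self, value, now):
        """Exchange a refresh token for a short-lived access token, or None."""
        tok = self._tokens.get(value)
        if tok is None or tok.revoked:
            return None
        if self.inactivity_limit is not None and now - tok.last_used > self.inactivity_limit:
            tok.revoked = True  # dormant grant: retire it instead of honouring it
            return None
        tok.last_used = now
        return {"client_id": tok.client_id, "scopes": sorted(tok.scopes), "expires_in": 900}

    def revoke_client(self, client_id):
        """What a vendor or admin should do when an integration is discontinued."""
        count = 0
        for tok in self._tokens.values():
            if tok.client_id == client_id and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def dormant_grants(self, now):
        """Audit view: live grants that have not been used within the limit."""
        if self.inactivity_limit is None:
            return []
        return [t for t in self._tokens.values()
                if not t.revoked and now - t.last_used > self.inactivity_limit]


def simulate():
    """Replay the Icarus timeline (constructed dates) against both policies."""
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    discontinued = t0 + timedelta(days=5)   # vendor makes its last API call
    replayed = t0 + timedelta(days=121)     # stolen token is replayed against the CRM
    results = {}
    for name, store in (("legacy", TokenStore()),
                        ("hardened", TokenStore(timedelta(days=30)))):
        tok = store.issue("comp-intel-connector", ["api", "refresh_token"], now=t0)
        if store.refresh(tok, now=discontinued) is None:
            raise RuntimeError("a live token must be honoured")
        results[f"{name}_dormant_flagged"] = len(store.dormant_grants(now=replayed))
        results[f"{name}_replay_ok"] = store.refresh(tok, now=replayed) is not None
        # Explicit revocation at decommission time closes the hole under either policy.
        store.revoke_client("comp-intel-connector")
        results[f"{name}_after_revoke_ok"] = store.refresh(tok, now=replayed) is not None
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Under the legacy policy the replay four months after the last legitimate use succeeds, and nothing in the store even marks the grant as dormant; under the hardened policy the audit view flags it and the replay is refused. Explicit revocation when the integration is decommissioned fixes both, which is the cleanup the article says almost never happens.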

What Was Stolen and Why It Matters

The data exfiltrated from affected Salesforce orgs includes competitive intelligence that sales teams consider among their most sensitive internal assets. Battlecards — structured documents describing how to position a product against specific competitors — represent months of competitive research. Opportunity pipeline data shows which deals are in progress, at what stage, and for what contract value. Account and contact data includes buying committee members, decision-maker details, and renewal dates.

This is not the kind of breach that generates news because of a large patient count or visible consumer harm. It is the kind that generates competitive advantage for the attacker. The stolen data could be sold to competitors, used to time competitive interventions at vulnerable deal stages, or leveraged for targeted executive inbox compromise — a pattern seen in the stock exchange executive breach earlier in 2026.

The number of affected Klue customers has not been disclosed. Klue's customer base includes enterprise sales organizations in technology, financial services, and manufacturing — sectors where competitive intelligence is operationally critical and a data breach carries reputational as well as legal consequences. Corporate espionage operations like APT10 have long targeted exactly this category of internal sales and strategy data.

What Security and IT Teams Should Do Now

The Icarus attack pattern is not specific to Klue or Salesforce — it applies to any SaaS platform that uses OAuth for third-party integrations. The mitigation checklist is the same regardless of the platform:

  • Audit your Salesforce Connected Apps. In Salesforce Setup, navigate to Connected Apps > Connected Apps OAuth Usage. Review every connected application. For any app not in active production use, revoke the authorization immediately. "We might use it someday" is not a security posture.
  • Enforce token expiration policies. Salesforce allows administrators to configure session timeout and refresh token policies per connected app. Long-lived refresh tokens with no expiration should not exist in production. Configure your OAuth policies to expire refresh tokens after a defined inactivity period (30 days is a reasonable default).
  • Implement least-privilege scopes. Review the permission scopes granted to each connected application. An integration that reads Salesforce contacts does not need read access to opportunities and custom objects. Restrict scopes to the minimum required for the integration's stated function.
  • Monitor Salesforce API query volume. Bulk SOQL queries that download thousands of records in a short window are anomalous. Configure Salesforce Event Monitoring (available in Enterprise and Unlimited editions) to alert on unusually high API query rates from connected applications.
  • Repeat this audit across all SaaS platforms. The same review is warranted in Google Workspace (Connected Apps), Microsoft 365 (App Registrations and Consent), HubSpot, Marketo, and every other platform with OAuth integrations in your environment.
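The query-volume monitoring step above is the one that actually caught Icarus, so here is an added example (not the article's, Klue's or Salesforce's code) of the detection logic run over a constructed event log. The rows are modelled on the shape of Salesforce EventLogFile "API" records; the column names used (`TIMESTAMP_DERIVED`, `CLIENT_NAME`, `ENTITY_NAME`, `ROWS_PROCESSED`), the client names and the 10,000-rows-per-15-minutes threshold are assumptions for the example and should be checked against your own org's export before reuse.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data).  One benign integration doing small
# syncs, and one connected app pulling 2,000 rows every couple of minutes.
SAMPLE_EVENT_LOG = """\
"EVENT_TYPE","TIMESTAMP_DERIVED","CLIENT_NAME","ENTITY_NAME","ROWS_PROCESSED"
"API","2026-06-02T02:58:10.000Z","MarketingSync","Contact","200"
"API","2026-06-02T03:00:05.000Z","CompIntelConnector","Account","2000"
"API","2026-06-02T03:02:11.000Z","CompIntelConnector","Account","2000"
"API","2026-06-02T03:04:30.000Z","CompIntelConnector","Opportunity","2000"
"API","2026-06-02T03:06:02.000Z","MarketingSync","Contact","150"
"API","2026-06-02T03:06:48.000Z","CompIntelConnector","Opportunity","2000"
"API","2026-06-02T03:09:15.000Z","CompIntelConnector","Contact","2000"
"API","2026-06-02T03:11:40.000Z","CompIntelConnector","Battlecard__c","2000"
"API","2026-06-02T03:40:00.000Z","MarketingSync","Lead","300"
"""


def parse_event_log(text):
    """Parse CSV event rows into dicts with a UTC timestamp and an int row count."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "client": rec["CLIENT_NAME"],
            "entity": rec["ENTITY_NAME"],
            "rows": int(rec["ROWS_PROCESSED"]),
        })
    return events


def detect_bulk_export(events, window=timedelta(minutes=15), threshold=10_000):
    """Flag any client app whose rows processed within a sliding window reach the threshold.

    Returns one alert per offending client: the window bounds, the row total at
    the moment the threshold was crossed, and which objects were touched.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()   # events inside the current window
        total = 0
        for e in evs:
            recent.append(e)
            total += e["rows"]
            # Drop events that fell out of the window ending at this event.
            while e["ts"] - recent[0]["ts"] > window:
                total -= recent.popleft()["rows"]
            if total >= threshold:
                alerts.append({
                    "client": client,
                    "window_start": recent[0]["ts"],
                    "window_end": e["ts"],
                    "rows": total,
                    "entities": sorted({x["entity"] for x in recent}),
                })
                break  # one alert per client is enough to page on
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export(parse_event_log(SAMPLE_EVENT_LOG)):
        print(f"{alert['client']}: {alert['rows']} rows in "
              f"{alert['window_start']:%H:%M:%S}-{alert['window_end']:%H:%M:%S} "
              f"across {', '.join(alert['entities'])}")
```

The detector keys on the connected app name rather than the user, because in a dormant-token replay the user and session look legitimate and the only distinguishing signal is volume per app. The threshold here fires after nine minutes of the constructed pull; tune it against a baseline of each integration's normal sync size so that the benign `MarketingSync`-style traffic never pages.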

The Broader SaaS Integration Attack Surface

The Icarus attack is one of a growing class of SaaS supply chain attacks that exploit the gap between what a vendor's integration is authorized to access and what an organization's security team knows about. When a sales rep connects a competitive intelligence tool to Salesforce, they typically grant the broadest scopes available to make the integration work. When that tool changes its feature set, the authorization scopes do not change with it.

Organizations running hundreds of SaaS applications across multiple cloud platforms have accumulated authorization grants across dozens of systems that no individual knows the full extent of. This is not negligence — it is the natural consequence of SaaS adoption at scale, where integration velocity is prioritized and cleanup is always deferred. The Icarus attack demonstrates that deferred cleanup has a defined cost, payable in competitive intelligence, pipeline data, and the kind of breach that does not make headlines but causes lasting damage.
