
Icarus Salesforce data-theft extortion campaign

Campaign
H score 42
1 unique source, 1 article

Summary


The Icarus extortion campaign is actively stealing Salesforce CRM data from multiple organizations, expanding pressure on victims and showing a repeatable cloud-app abuse pattern. The operation uses stolen OAuth tokens and automated queries against Salesforce REST API endpoints to map objects and pull records. Victims then receive extortion emails tied to the alias mr bean, while leak-site messaging signals continuing activity.

Related Happenings

Klue hit by network compromise

Incident
H score 38 First: 18.06.2026 17:19 Last: 18.06.2026 17:19 Sources 1

How related: According to Huntress, Klue told customers that attackers first compromised the company's backend systems and then pushed a malicious code update that stole OAuth tokens customers use to integrate the Battlecards product with third-party platforms.

About this happening: The **Klue** backend compromise and **OAuth token theft** enabled unauthorized access to connected **Salesforce** environments and triggered an **ongoing extortion** response. Att...

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
H score 37 First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

Over a dozen companies' data exposed after SaaS integration provider Snowflake breach

Data Leak
H score 69 First: 07.04.2026 22:39 Last: 07.04.2026 22:39 Sources 1

About this happening: A stolen-token attack from a **SaaS integration provider breach** has led to data theft claims affecting **over a dozen companies**, creating immediate exposure and extortion risk...

Custom vishing campaign stealing Okta SSO credentials

Campaign
H score 44 First: 22.01.2026 23:43 Last: 22.01.2026 23:43 Sources 1

About this happening: A **custom vishing campaign** is actively stealing **Okta SSO credentials** through live, adversary-in-the-middle phishing pages, creating immediate risk of account takeover and d...

Timeline

  1. 18.06.2026 17:19 2 articles · 2h ago

    Icarus-linked OAuth breach steals Salesforce data from multiple organizations

    Initial Disclosure

    Klue's Battlecards integration was implicated in an OAuth breach that let Icarus steal Salesforce CRM data from multiple organizations, with ReliaQuest and Huntress describing token theft, automated Salesforce API querying, and extortion emails sent to impacted Klue customers. Salesforce disabled the Klue Battlecards integration while the breach was investigated.
