LastPass Customer CRM Data Exposed via Klue OAuth Token Theft (Icarus Salesforce Supply-Chain Campaign) — Threadlinqs Intelligence
Threat ID: TL-2026-0926 · Severity: MEDIUM · Status: ACTIVE · Category: SUPPLY_CHAIN
Attribution: Icarus · FINANCIAL
The Icarus extortion group breached competitive-intelligence SaaS vendor Klue using a disused-but-active prototype integration credential, pushed a malicious code update that harvested customer OAuth
On June 11-12, 2026, threat actors tracked as the 'Icarus' extortion group compromised the backend infrastructure of Klue, a market/competitive-intelligence platform that integrates with Salesforce (and Gong) to synchronize CRM data. Initial access was achieved through a long-disused but still-active credential originally provisioned for prototype integration testing and never decommissioned. After gaining access, the actor pushed a malicious code update to Klue's integration service that was capable of collecting the OAuth tokens that Klue's customers had granted to connect Klue with their third-party systems (notably Salesforce).
Using the harvested OAuth bearer tokens, the attackers authenticated directly to victims' Salesforce REST APIs, bypassing traditional login controls and MFA because OAuth access tokens represent an already-consented, trusted API-based authentication relationship between services. The actors ran automated Python tooling — identifiable by default urllib user-agent strings — that executed bulk queries against the Salesforce REST API, in some cases running nearly a thousand queries in 15 minutes to enumerate and copy CRM objects at scale. Infrastructure used for the access has been associated with PROSPERO, a Russian bulletproof-hosting provider previously linked to Ivanti EPMM exploitation.
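The access pattern described above (an already-consented connected-app token, a stock Python client user-agent, and hundreds of REST queries in a short window) is something a defender can look for in API access logs. The following is an added example, not one of the vendor's published detection rules and not code from Klue, LastPass or Salesforce. It assumes a generic JSON-lines API log with `ts`, `connected_app`, `user`, `user_agent` and `api_path` fields (this is not Salesforce's own event schema), uses a constructed sample log, and sets an assumed burst threshold of 50 calls per 15 minutes; it also extends the user-agent check from `Python-urllib/` to the `python-requests/` default, which the advisory does not mention.

```python
"""Detection sketch for connected-app OAuth token abuse.

Added example. The log format is an assumed generic schema, the sample
records are constructed, and the thresholds are tuning assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning: a single token principal issuing this many calls inside the
# window is treated as bulk harvesting. The advisory puts the real campaign at
# nearly 1,000 queries in 15 minutes, so this is deliberately conservative.
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 50

# Default user-agent prefixes of common Python HTTP clients. The advisory names
# urllib; python-requests is added as an extension of the same signal.
DEFAULT_PYTHON_UA_PREFIXES = ("Python-urllib/", "python-requests/")


def _build_sample_log():
    """Construct a small JSON-lines log: one scripted burst plus benign traffic."""
    base = datetime(2026, 6, 14, 2, 0, 0)
    lines = []
    # 60 bulk queries in 10 minutes from the connected app, default urllib UA.
    for i in range(60):
        lines.append(json.dumps({
            "ts": (base + timedelta(seconds=10 * i)).isoformat(),
            "connected_app": "Klue Battlecards",
            "user": "integration.user@example.com",
            "user_agent": "Python-urllib/3.11",
            "api_path": "/services/data/v60.0/query",
        }))
    # The same connected app's normal sync client, hours later, low rate.
    for i in range(3):
        lines.append(json.dumps({
            "ts": (base + timedelta(hours=6, minutes=20 * i)).isoformat(),
            "connected_app": "Klue Battlecards",
            "user": "integration.user@example.com",
            "user_agent": "Klue-Sync/2.3",  # constructed vendor UA, not a real one
            "api_path": "/services/data/v60.0/sobjects/Account",
        }))
    # An interactive browser session that must not alert.
    for i in range(5):
        lines.append(json.dumps({
            "ts": (base + timedelta(hours=7, minutes=i)).isoformat(),
            "connected_app": "Salesforce Lightning",
            "user": "alice@example.com",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
            "api_path": "/lightning/r/Contact/view",
        }))
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse JSON lines into records with a datetime 'ts'; skip malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError):
            continue  # malformed line: skip rather than crash the pipeline
        records.append(rec)
    return records


def is_default_python_ua(user_agent):
    """True when the client never set a user-agent and the library default leaked."""
    return (user_agent or "").startswith(DEFAULT_PYTHON_UA_PREFIXES)


def detect_token_abuse(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return one alert per (connected_app, user) that shows either signal.

    default_python_ua: a connected-app token used by a stock Python client.
    bulk_query_burst:  at least `threshold` calls from the same token principal
                       inside a sliding `window` (measured as the peak count).
    """
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec.get("connected_app"), rec.get("user"))].append(rec)

    alerts = []
    for (app, user), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, bad_uas, peak, recent = set(), set(), 0, deque()
        for rec in recs:
            ua = rec.get("user_agent", "")
            if is_default_python_ua(ua):
                reasons.add("default_python_ua")
                bad_uas.add(ua)
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()  # drop timestamps older than the window
            peak = max(peak, len(recent))
        if peak >= threshold:
            reasons.add("bulk_query_burst")
        if reasons:
            alerts.append({
                "connected_app": app,
                "user": user,
                "reasons": sorted(reasons),
                "peak_window_count": peak,
                "suspicious_user_agents": sorted(bad_uas),
                "first_seen": recs[0]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_abuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Keying on the connected app and the token's user rather than on source IP matters here: the bulletproof-hosting infrastructure can rotate, but the consented app identity cannot, and an alert on that key maps directly to the remediation step (revoke the app's tokens and disable the integration).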
LastPass was notified of the Klue incident on June 12, 2026. Salesforce detected anomalous activity tied to the Klue 'Battlecards' connected app and disabled the Klue app integration on June 17, 2026, stating the issue was limited to Klue's app connection and did not stem from a vulnerability in the Salesforce platform itself. The data accessed in LastPass's Salesforce instance was limited to customer relationship records: names, email addresses, phone numbers, physical addresses, support-case details, and sales-related records. LastPass emphasized that its products, services, infrastructure, and encrypted customer password vaults were NOT affected, and that no sensitive authentication data was compromised. LastPass warned that the exposed contact details and CRM records could be weaponized to make phishing and social-engineering scams appear more credible.
The Icarus group, active since approximately April 28, 2026, follows the now-familiar third-party OAuth-abuse playbook seen in prior 2025 Salesforce supply-chain campaigns (e.g., Drift/Gainsight, ShinyHunters/UNC6395) but is assessed as a distinct, unrelated cluster with no confirmed link to those actors. Icarus sent extortion emails to victims (Huntress employees received such emails on June 16, 2026) and publicly claimed Klue as a victim on June 19, 2026. The campaign impacted many organizations beyond LastPass, including Huntress (3.4 GB exfiltrated), Jamf, Recorded Future, Tanium, Gong, Insurity, Sprout Social, OneTrust, HackerOne, and Snyk. There is no CVE associated with this incident; it is a credential-hygiene and trusted-integration abuse case rather than a software vulnerability.
Weaknesses (CWE)
CWE-1392, CWE-522, CWE-1059, CWE-294, CWE-672
Target sectors: technology, cybersecurity, saas, software, insurance
Target regions: North America, Europe, Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 15 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
SUPPLY_CHAIN, MEDIUM, threat intelligence, cybersecurity, T1583, T1587, T1199, T1195, T1078, T1059, T1078, T1528, T1552, T1550