We Named the Klue OAuth Breach on June 18. The Victim List Just Filled In — and It's Security Vendors. Again.

  • Writer: Patrick Duggan
  • 4 min read

On June 18 we wrote that a crew calling itself Icarus had breached Klue, stolen OAuth tokens "for everything," and that an operator signing as "Mr Bean" was sending the extortion emails. We said the attack class was not new — it was the third Salesforce OAuth breach in twelve months. Today the downstream victim list filled in, and it reads like a security-industry conference badge rack: HackerOne, Gong, OneTrust, Tanium, Huntress. We are not surprised. We told you the door was open. Here is why the names landing now matter less than the door that keeps being left open.




Let us be precise about what we are claiming and what we are not, because the discipline is the whole point. We did not name these specific downstream victims first — they are surfacing now through the companies' own disclosures and reporting, which is exactly how it should work. What we named, twelve days ago and repeatedly over the preceding nine months, was the attack class: third-party SaaS integration tokens as the soft underbelly of every Salesforce tenant they touch. The victims are the field's news today. The pattern was ours to call, and we called it.



The chain, in our own footprints


This is the fourth time we have stood at this exact door, and the receipts are dated.


In September 2025 we published "OAuth's Blind Spot" on the Salesloft/Drift compromise — the original demonstration that a stolen integration token is a skeleton key to every CRM that trusts it. On June 2 we wrote how ShinyHunters used TruffleHog, a free open-source secrets scanner anyone can run in thirty seconds, to pull OAuth tokens out of source code and exfiltrate roughly 1.5 billion records from 760 organizations. On June 5 we covered the federal takedown of their leak site and made the unpopular point that closing a leak site does not close an attack class. And on June 18 we wrote up Icarus hitting Klue — a competitive-intelligence SaaS that, like Drift before it, holds OAuth grants into its customers' Salesforce environments.


Today is the part we said would come: the customers of the breached integration discovering they were downstream all along.



Why it is security vendors, again


There is a detail in this victim list that should not slide past, and we have flagged it before. When the Salesloft breach landed, we published a piece specifically about the twelve security vendors who turned up in that victim list, because there is a bitter irony worth sitting with: the companies that sell other companies their defenses run the same sprawl of OAuth-connected SaaS as everyone else, and they get caught by it the same way.


HackerOne. Tanium. Huntress. These are not careless shops. They are some of the more security-literate organizations on the planet, and they were exposed because a competitive-intelligence vendor they connected to Salesforce got its tokens stolen. That is not an indictment of their security teams. It is a demonstration that the OAuth-integration attack surface is invisible to even the best internal programs, because the vulnerable thing is not in your environment — it is the token you handed a third party, sitting in that third party's source code or logs, one TruffleHog run away from a stranger.


This is the same lesson as the Nissan piece we ran yesterday, and the Texas Parks license-system breach that hit the wire this morning: your security posture inside your own walls does not govern the data you have placed in someone else's. The crews have fully internalized this. They do not breach the security vendor. They breach the SaaS the security vendor trusts.



What to actually do, in plain order


First, inventory your OAuth grants like the credentials they are. Every "Connect to Salesforce" button a vendor offered and someone clicked is a standing key. Most organizations cannot produce that list on demand, which is precisely why this attack class keeps paying.


Second, scope and expire those grants. An integration that needs to read opportunities does not need full API access to every object in the tenant, and a token that never expires is a permanent liability. Least privilege and short lifetimes turn a catastrophic token theft into a contained one.


Third, watch for the exfiltration signature, not just the login. These breaches do not look like a brute-forced password. They look like a legitimate, authorized integration suddenly running bulk SOQL queries and pulling Account and Contact tables at volume. If your monitoring is tuned only for failed logins, quiet mass-export through a trusted token is invisible until the extortion email arrives.


Fourth, assume the token is already copied and rehearse the revocation. The thing these crews hold over you is publication of what they already took. The only move that blunts it is knowing, in advance, exactly which grants to kill and what each one could reach.
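The four steps above as one runnable check, added here as an example and not code from the original post or from any vendor named in it. It audits a constructed inventory of connected-app grants (steps one and two), sums rows pulled per integration, per hour, per sensitive object over constructed API-activity records and flags anything far above that app's baseline (step three), and then maps each alert back to the grant that would have to be revoked and what it could reach (step four). The record fields (app, op, obj, rows, ts, scopes, refresh_policy, last_used, owner), the app names, the baseline numbers and the thresholds are all assumptions standing in for whatever your Salesforce Event Monitoring export and connected-app inventory actually provide; the scope strings "full", "api" and "refresh_token" are used only as labels.

```python
"""
Added example (not from the original post or any vendor's tooling): a grant
inventory audit plus a detector for quiet mass-export through a trusted OAuth
integration. All records below are constructed sample data and every field
name is an assumption about the shape of your own audit export.
"""
from collections import defaultdict
from datetime import date, datetime, timezone

# Objects whose bulk export is the signature the post describes.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead"}
# Operation labels treated as data pulls (assumed names).
EXPORT_OPS = {"Query", "BulkApiRequest"}

# --- Constructed sample data ---------------------------------------------
SAMPLE_GRANTS = [
    {"app": "ci-vendor-sync", "owner": "sales-ops", "last_used": "2026-06-17",
     "scopes": ["full", "refresh_token"], "refresh_policy": "never_expires"},
    {"app": "marketing-sync", "owner": "marketing", "last_used": "2026-06-17",
     "scopes": ["api", "refresh_token"], "refresh_policy": "expires_90d"},
    {"app": "old-bi-tool", "owner": None, "last_used": "2025-11-02",
     "scopes": ["api", "refresh_token"], "refresh_policy": "never_expires"},
]

SAMPLE_EVENTS = [
    {"ts": "2026-06-18T02:00:00Z", "app": "ci-vendor-sync", "op": "Query", "obj": "Opportunity", "rows": 120},
    {"ts": "2026-06-18T02:10:00Z", "app": "ci-vendor-sync", "op": "Query", "obj": "Account", "rows": 300},
    {"ts": "2026-06-18T03:05:00Z", "app": "ci-vendor-sync", "op": "BulkApiRequest", "obj": "Account", "rows": 25000},
    {"ts": "2026-06-18T03:15:00Z", "app": "marketing-sync", "op": "Query", "obj": "Contact", "rows": 2000},
    {"ts": "2026-06-18T03:20:00Z", "app": "ci-vendor-sync", "op": "BulkApiRequest", "obj": "Contact", "rows": 40000},
    {"ts": "2026-06-18T03:30:00Z", "app": "unknown-app", "op": "Query", "obj": "Lead", "rows": 12000},
    {"ts": "2026-06-18T03:40:00Z", "app": "ci-vendor-sync", "op": "BulkApiRequest", "obj": "Account", "rows": 15000},
    {"ts": "2026-06-18T04:00:00Z", "app": "ci-vendor-sync", "op": "Query", "obj": "Account", "rows": 7000},
]

# Typical rows per hour of sensitive objects per app (constructed; in practice
# learned from a quiet period of the same log).
SAMPLE_BASELINE = {"ci-vendor-sync": 500, "marketing-sync": 5000}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_grants(grants, today="2026-06-18", stale_days=90):
    """Steps 1 and 2: list every standing grant and say what is wrong with it."""
    today = date.fromisoformat(today)
    findings = {}
    for g in grants:
        issues = []
        if "full" in g["scopes"]:
            issues.append("full-access scope; narrow to the objects the integration reads")
        if g["refresh_policy"] == "never_expires":
            issues.append("refresh token never expires; set an expiry")
        if (today - date.fromisoformat(g["last_used"])).days > stale_days:
            issues.append(f"unused for more than {stale_days} days; revoke")
        if g["owner"] is None:
            issues.append("no owner; nobody will answer the revocation call")
        if issues:
            findings[g["app"]] = issues
    return findings


def find_bulk_exports(events, baseline, window_minutes=60, floor_rows=10000, multiplier=10):
    """Step 3: per app, per time window, per sensitive object, sum the rows pulled
    and flag totals above multiplier x baseline (or floor_rows for unknown apps)."""
    secs = window_minutes * 60
    totals = defaultdict(int)
    for e in events:
        if e["op"] not in EXPORT_OPS or e["obj"] not in SENSITIVE_OBJECTS:
            continue
        bucket = int(_parse_ts(e["ts"]).timestamp()) // secs
        totals[(e["app"], bucket, e["obj"])] += e["rows"]
    alerts = []
    for (app, bucket, obj), rows in sorted(totals.items()):
        limit = multiplier * baseline[app] if app in baseline else floor_rows
        if rows > limit:
            start = datetime.fromtimestamp(bucket * secs, tz=timezone.utc)
            alerts.append({"app": app, "window": start.isoformat(), "obj": obj,
                           "rows": rows, "limit": limit})
    return alerts


def revocation_plan(alerts, grants):
    """Step 4: for each alerting app, the grant to kill and what it could reach."""
    by_app = {g["app"]: g for g in grants}
    plan = {}
    for a in alerts:
        g = by_app.get(a["app"])
        plan[a["app"]] = {
            "scopes": g["scopes"] if g else ["<no grant on file: unexpected client, investigate>"],
            "objects_touched": sorted({x["obj"] for x in alerts if x["app"] == a["app"]}),
        }
    return plan


if __name__ == "__main__":
    print("grant audit:", audit_grants(SAMPLE_GRANTS))
    found = find_bulk_exports(SAMPLE_EVENTS, SAMPLE_BASELINE)
    for alert in found:
        print("ALERT", alert)
    print("revocation plan:", revocation_plan(found, SAMPLE_GRANTS))
```

Two design points worth noting. The detector keys on the connected app, not the user, because the post's point is that the authorized integration itself is the actor; a per-user rule would never fire. And the per-app baseline is what lets the 7,000-row pull in the 04:00 window fire for an app that normally moves a few hundred rows, while the same volume from a marketing sync that routinely moves more would stay quiet; a single global threshold cannot tell those apart.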



The honest cap


We cap our confidence at 95%, and here is the missing five percent. The downstream victim list is still expanding as of this writing; some names attached to this campaign will be confirmed, some revised, and the full scope is the attacker's claim until each company verifies its own exposure. "Icarus" and "Mr Bean" may be a rebrand, an affiliate, or a copycat riding the ShinyHunters playbook rather than the same hands — the OAuth-token method is now common property, which is itself the point. None of that changes the defensive conclusion. Whoever is holding the keyboard, the key they are using is one your organization, or your vendor, handed out and never took back. Revoke it.




DugganUSA builds threat intelligence from first-hand collection and a curated, inspectable corpus of more than 24 million documents. Victim figures and attribution here are drawn from public reporting and adversary claims and are treated as claims, not confirmed facts; we cap our confidence at 95% because something is always wrong. This is the fourth entry in our running coverage of the Salesforce OAuth-integration attack class, beginning with "OAuth's Blind Spot" in September 2025.



