Salesforce Disables Klue App After OAuth Token Theft Leads to Data Exposure

Salesforce disabled Klue's app integration after attackers used a legacy credential to steal OAuth tokens and extract CRM data from multiple customer environments.

CSBadmin

Breach Overview

Salesforce disabled the Klue Battlecards app integration on June 11, 2026, after detecting unusual activity that allowed unauthorized access to customer data. The breach did not stem from a vulnerability in Salesforce’s platform itself, but rather from compromised OAuth tokens obtained through Klue’s integration infrastructure. A threat actor known as Icarus gained access using a legacy credential associated with an abandoned prototype integration, then pushed code updates to steal OAuth tokens used by Klue customers to connect their Salesforce environments.

Impact and Scope

Multiple security vendors and firms publicly confirmed data exposure, including Huntress, Jamf, Recorded Future, Tanium, Gong, and LastPass. The exfiltrated data primarily included business contacts, price quotes, sales records, and CRM data such as names, email addresses, and job titles. No passwords, payment card information, or sensitive security telemetry was affected. The attackers used automated Python scripts to query Salesforce REST APIs for bulk data retrieval, running continuous query loops for up to 24 hours. ReliaQuest noted the attack pattern mirrored previous OAuth abuse campaigns targeting Salesforce through third-party integrations like Salesloft Drift and Gainsight.
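One way to detect the sustained query loops described above, added here as an example that is not from the original article, Salesforce, or Klue: it groups API request records by integration identity and flags runs of near-continuous queries. The record keys (`ts`, `app`, `user`, `ip`, `rows`), the thresholds, and the sample events are constructed assumptions, not a real Salesforce log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sustained_query_runs(events, max_gap=timedelta(minutes=15),
                         min_duration=timedelta(hours=6)):
    """Return runs of near-continuous API queries per (app, user, ip).

    events: dicts with hypothetical keys ts (datetime), app, user, ip, rows.
    A run is a sequence of requests with no gap above max_gap; it is
    reported when it lasts at least min_duration.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["app"], e["user"], e["ip"])].append(e)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = prev = evs[0]["ts"]
        count, rows = 0, 0
        for e in evs + [None]:  # None is a sentinel that closes the last run
            if e is None or e["ts"] - prev > max_gap:
                if prev - start >= min_duration:
                    findings.append({"key": key, "start": start, "end": prev,
                                     "requests": count, "rows": rows})
                if e is None:
                    break
                start, count, rows = e["ts"], 0, 0
            prev = e["ts"]
            count += 1
            rows += e["rows"]
    return findings

def constructed_events():
    """Constructed sample data, not taken from any real log."""
    t0 = datetime(2026, 1, 1, 0, 0)
    events = []
    # Integration identity issuing a query every 5 minutes for 20 hours.
    for i in range(241):
        events.append({"ts": t0 + timedelta(minutes=5 * i), "app": "example-integration",
                       "user": "integration-user", "ip": "203.0.113.10", "rows": 2000})
    # Human-driven use: three short bursts during the working day.
    for h in (9, 13, 16):
        for m in (0, 2, 4):
            events.append({"ts": t0 + timedelta(hours=h, minutes=m), "app": "example-integration",
                           "user": "sales-rep", "ip": "198.51.100.7", "rows": 50})
    return events

if __name__ == "__main__":
    for f in sustained_query_runs(constructed_events()):
        print(f["key"], f["end"] - f["start"], f["requests"], f["rows"])
```

Grouping by source IP as well as identity separates a stolen token replayed from new infrastructure from the integration's normal traffic under the same user.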

Response and Attribution

Klue revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, and launched a comprehensive investigation. Huntress employees received extortion emails warning that their Salesforce data had been downloaded and demanding communication within 48 hours. Icarus, active since April 2026, has claimed two victims total. Security researchers found no direct connections to prior Salesforce attacks, but emphasized the growing trend of SaaS supply chain breaches where compromising one vendor grants access to hundreds of enterprise environments.

Source: The Hacker News
