Breach Overview
Salesforce disabled the Klue Battlecards app integration on June 11, 2026, after detecting unusual activity that allowed unauthorized access to customer data. The breach did not stem from a vulnerability in Salesforce’s platform itself, but rather from compromised OAuth tokens obtained through Klue’s integration infrastructure. A threat actor known as Icarus gained access using a legacy credential associated with an abandoned prototype integration, then pushed code updates to steal OAuth tokens used by Klue customers to connect their Salesforce environments.
Impact and Scope
Multiple security vendors and firms publicly confirmed data exposure, including Huntress, Jamf, Recorded Future, Tanium, Gong, and LastPass. The exfiltrated data primarily included business contacts, price quotes, sales records, and CRM data such as names, email addresses, and job titles. No passwords, payment card information, or sensitive security telemetry was affected. The attackers used automated Python scripts to query Salesforce REST APIs for bulk data retrieval, running continuous query loops for up to 24 hours. ReliaQuest noted the attack pattern mirrored previous OAuth abuse campaigns targeting Salesforce through third-party integrations like Salesloft Drift and Gainsight.
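One way a defender could surface the sustained, high-volume query-loop pattern described above in their own API audit data, as an added example that is not from the article or from any vendor named in it; it assumes a generic export of API access records (timestamp, OAuth client name, rows returned) and uses constructed sample data rather than Salesforce's real event schema:

```python
from collections import defaultdict
from datetime import datetime, timedelta

GAP = timedelta(minutes=15)   # a pause longer than this ends a "query loop"

def build_sample_events():
    """Constructed API audit records: (timestamp, oauth_client, rows_returned).
    Not real telemetry: one integration polls every 5 minutes for 20 hours,
    the other runs a few hourly batch jobs."""
    t0 = datetime(2026, 6, 10, 0, 0)
    events = []
    for i in range(241):  # 0h..20h at 5-minute spacing
        events.append((t0 + timedelta(minutes=5 * i), "integration-A", 2000))
    for h in range(3):
        events.append((t0 + timedelta(hours=h), "internal-sync", 500))
    return events

def longest_query_runs(events, gap=GAP):
    """Per OAuth client: (duration of the longest continuous run, rows returned
    during that run). Calls spaced more than `gap` apart start a new run."""
    by_client = defaultdict(list)
    for ts, client, rows in events:
        by_client[client].append((ts, rows))
    result = {}
    for client, calls in by_client.items():
        calls.sort()
        best = (timedelta(0), 0)
        run_start, run_rows, prev = calls[0][0], 0, None
        for ts, rows in calls:
            if prev is not None and ts - prev > gap:
                run_start, run_rows = ts, 0      # gap too long: new run
            run_rows += rows
            prev = ts
            cur = (ts - run_start, run_rows)
            if cur[0] > best[0] or (cur[0] == best[0] and cur[1] > best[1]):
                best = cur
        result[client] = best
    return result

def flag_bulk_loops(events, min_hours=6, min_rows=100_000):
    """Clients whose longest run lasted >= min_hours and pulled >= min_rows;
    thresholds are assumptions to tune against the tenant's normal traffic."""
    return sorted(c for c, (dur, rows) in longest_query_runs(events).items()
                  if dur >= timedelta(hours=min_hours) and rows >= min_rows)
```

Flagged clients are candidates for token revocation and for checking whether the connected app's OAuth grant is still expected.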
Response and Attribution
Klue revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, and launched a comprehensive investigation. Huntress employees received extortion emails warning that their Salesforce data had been downloaded and demanding communication within 48 hours. Icarus, active since April 2026, has claimed two victims total. Security researchers found no direct connections to prior Salesforce attacks, but emphasized the growing trend of SaaS supply chain breaches where compromising one vendor grants access to hundreds of enterprise environments.
Source: The Hacker News
