Salesforce has disabled the Klue Battlecards app connection after attackers abused Klue-related OAuth access to pull customer CRM data through trusted integrations. Salesforce said the issue is limited to Klue’s app connection and is not a Salesforce platform vulnerability, but the practical risk is still serious for any organization that connected Klue to Salesforce, Gong, HubSpot, SharePoint, Zoom, Slack, or other business systems.[1]
The incident began around June 11, 2026, when anomalous activity hit Klue integration infrastructure. Klue later told customers that an attacker used a compromised legacy credential tied to an integration service, obtained OAuth tokens for third-party platforms, and accessed data in connected customer environments. Klue says it revoked affected credentials and tokens, removed unauthorized code, stopped remote access, disabled potentially impacted integrations, notified law enforcement, and contacted affected customers.[2]
This matters because OAuth integrations often behave like quiet, long-lived service accounts. If a token is stolen, the attacker does not need a user’s password or a fresh MFA prompt. From the SaaS platform’s point of view, the request can look like traffic from an approved app. That is the same defensive blind spot behind recent token and session-theft stories, including AiTM phishing that bypassed MFA and other credential-theft campaigns tracked by howtofix.guide.
What Klue and Salesforce customers should check
ReliaQuest observed attackers authenticating through a compromised Klue integration service account, generating OAuth tokens, and using automated scripts to enumerate and query Salesforce data. The activity included calls to /services/data/v59.0/sobjects, repeated requests to /services/data/v59.0/query, QueryMore pagination, and Python user agents such as Python-urllib. In one environment, ReliaQuest saw almost a thousand Salesforce queries in a 15-minute burst; in another, extraction lasted more than six hours.[3]
Huntress, one of the affected Klue customers, confirmed that its Salesforce CRM data was copied. The company said the stolen material included business contacts, price quotes, sales-related messaging, product pricing data, and competitive market reports, but not Huntress product telemetry, customer credentials, payment card data, or engineering systems. Huntress also tied the extortion messages to the newer Icarus actor and listed known suspicious IP addresses from Klue’s notification, including 138.226.246[.]94, 212.86.125[.]24, 213.111.148[.]90, and 94.154.32[.]160.[4]
For defenders, the immediate task is not only to ask whether Klue is installed. Check whether Klue or any similar SaaS integration had broad Salesforce object access, whether refresh tokens remain valid, and whether service-account activity moved outside normal business volume. Search Salesforce Event Monitoring, connected-app logs, identity-provider logs, SIEM data, and any vendor-provided access logs for unusual REST API query volume, unfamiliar IP addresses, QueryMore loops, Python-style user agents, and access to high-value objects such as Account, Contact, Opportunity, Lead, Contract, Task, Case, and custom pricing or sales-enablement objects.
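The log review described above, as an added example that is not from the article or from Salesforce, Klue, ReliaQuest or Huntress: a small Python triage pass over constructed Salesforce REST API log rows that flags Python user agents, QueryMore pagination, queries against high-value objects, and bursts of queries per 15-minute window. The row layout, the user names, and the burst threshold (set very low so the sample trips it) are assumptions for the sample; real Event Monitoring exports carry more fields and need a threshold tuned to normal volume.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample rows (timestamp, user, user agent, request URI) modelled on Salesforce REST API logs; values are made up.
SAMPLE_LOG = [
    ("2026-06-11T09:00:02Z", "klue-svc@corp.example", "Python-urllib/3.11",
     "/services/data/v59.0/query?q=SELECT+Id,Name,Amount+FROM+Opportunity"),
    ("2026-06-11T09:00:03Z", "klue-svc@corp.example", "Python-urllib/3.11",
     "/services/data/v59.0/query/01gEXAMPLELOCATOR-2000"),  # QueryMore page
    ("2026-06-11T09:00:04Z", "klue-svc@corp.example", "Python-urllib/3.11",
     "/services/data/v59.0/query?q=SELECT+Id,Email+FROM+Contact"),
    ("2026-06-11T10:30:00Z", "alice@corp.example", "Mozilla/5.0",
     "/services/data/v59.0/query?q=SELECT+Id+FROM+Case+LIMIT+5"),
]

HIGH_VALUE_OBJECTS = {"Account", "Contact", "Opportunity", "Lead", "Contract", "Task", "Case"}
PYTHON_UA = re.compile(r"python-(urllib|requests)", re.IGNORECASE)
QUERYMORE_URI = re.compile(r"/query/[0-9A-Za-z]+-\d+$")  # /query/<locator>-<offset> pagination
FROM_CLAUSE = re.compile(r"\bFROM\s+([A-Za-z_]\w*)", re.IGNORECASE)

def queried_object(uri):
    soql = parse_qs(urlparse(uri).query).get("q", [""])[0]  # SOQL text from the q parameter
    m = FROM_CLAUSE.search(soql)
    return m.group(1) if m else None

def analyze(rows, burst_threshold=3, window_minutes=15):
    """Per-user indicators of scripted bulk extraction; threshold is deliberately low for the sample."""
    findings = defaultdict(lambda: {"python_ua": False, "querymore": 0, "high_value": set(), "burst": False})
    buckets = defaultdict(int)  # (user, window start) -> /query calls in that window
    for ts, user, ua, uri in rows:
        f = findings[user]
        f["python_ua"] |= bool(PYTHON_UA.search(ua))
        f["querymore"] += bool(QUERYMORE_URI.search(uri))
        if (obj := queried_object(uri)) in HIGH_VALUE_OBJECTS:
            f["high_value"].add(obj)
        if "/query" in uri:
            t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            window = t.replace(minute=t.minute - t.minute % window_minutes, second=0)
            buckets[(user, window)] += 1
    for (user, _), n in buckets.items():
        findings[user]["burst"] |= n >= burst_threshold
    return dict(findings)

def suspicious_users(rows, **kw):
    """Users with two or more independent indicators; any single one is often benign."""
    return sorted(u for u, f in analyze(rows, **kw).items()
                  if f["python_ua"] + (f["querymore"] > 0) + bool(f["high_value"]) + f["burst"] >= 2)
```

Feed it the same four columns exported from Event Monitoring or a SIEM and raise `burst_threshold` to a value above the integration's normal 15-minute volume before acting on the output.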
Rotate more than passwords. Disable or re-authorize the Klue connected app, revoke active OAuth grants and refresh tokens, rotate client secrets, reset integration-service credentials, and terminate active sessions for affected systems. If the integration also touched Gong, Slack, Google Drive, SharePoint, or other platforms, repeat the same token and log review there. The same principle applies to exposed developer and API credentials, a risk seen in earlier API-key exposure and supply-chain infostealer cases.
Finally, reduce the blast radius before the next integration incident. Limit connected apps to least-privilege scopes, require admin approval for new OAuth apps, apply IP restrictions where the business flow allows it, alert on spikes in API query volume, and review dormant or prototype integration credentials. The Klue case is a reminder that trusted app identities need the same monitoring and offboarding discipline as privileged human accounts.
References
- Salesforce Trust Status. “Klue Battlecards app connection disabled.” June 2026. https://status.salesforce.com/generalmessages/20000257
- The Hacker News. “Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data.” June 19, 2026. https://thehackernews.com/2026/06/salesforce-disables-klue-app.html
- ReliaQuest Threat Research. “Klue Integration Abused in Salesforce Data Theft.” June 17, 2026. https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft/
- Huntress. “Cybercrime Breaches Klue: Salesforce Data Impacted for Many Victims, including Huntress.” June 18, 2026. https://www.huntress.com/blog/klue-breach-investigation
- Help Net Security. “Klue breach lead to Salesforce data theft, Huntress affected.” June 19, 2026. https://www.helpnetsecurity.com/2026/06/19/klue-salesforce-data-breach-huntress/