
Security Bulletin: Klue Integration Compromise and Salesforce OAuth Token Abuse

Written by RedLegg's Cyber Threat Intelligence Team | 6/22/26 4:56 PM

About:

A confirmed compromise of Klue’s integration infrastructure enabled attackers to abuse OAuth tokens and access data in connected third-party platforms, including Salesforce environments. The incident, linked to the Icarus extortion group, involved unauthorized API activity and data exfiltration from CRM systems. Organizations using Klue integrations should revoke tokens, review access logs, and audit for suspicious API usage.

RedLegg will occasionally communicate vulnerabilities and threats released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Klue Integration Compromise and Salesforce OAuth Token Abuse

PoC or Exploitation:
Active compromise and data exfiltration are confirmed. Klue disclosed that it identified unauthorized activity affecting part of its integration infrastructure on June 12, 2026. The attacker gained access through a compromised legacy credential associated with an integration service, obtained OAuth tokens used to connect Klue with third-party platforms including Salesforce, and accessed data in connected customer environments.

The activity has been associated in public reporting with the Icarus extortion group. Huntress reported that Icarus listed Klue on its leak site and claimed that Salesforce instances belonging to Klue partners had been exfiltrated.

Update / Patch:
Klue stated that it revoked affected credentials and tokens, removed unauthorized code, disabled potentially impacted integrations, launched a comprehensive investigation, notified law enforcement, and engaged CrowdStrike to support the investigation and response.

Salesforce disabled the Klue Battlecards app integration after detecting unusual activity involving the app. Salesforce stated that the issue was limited to Klue's app connection and did not arise from a vulnerability in the Salesforce platform.

Affected environments may include organizations that connected Klue integrations to Salesforce or other third-party platforms using OAuth-based access. Klue stated that, based on its investigation to date, the incident was limited to affected third-party platforms and there was no evidence that customer content stored within the Klue platform was impacted.

Description:
Klue is a competitive intelligence and sales enablement platform that integrates with customer business systems, including CRM platforms. In this incident, an attacker reportedly abused a compromised legacy credential tied to Klue integration infrastructure to obtain OAuth tokens for connected third-party platforms. Those tokens were then used to access data in customer environments, including Salesforce.

Huntress disclosed that data copied from its Salesforce account included business contacts, price quotes, other sales-related data, and messaging. Huntress stated that threat data, passwords, payment card information, engineering data, Huntress agent data, and telemetry were not affected.

ReliaQuest reported that observed attacker activity involved authentication through a compromised Klue integration service account, OAuth token generation, and automated Python scripts using Python-urllib user-agent strings. The activity included Salesforce REST API enumeration through /services/data/v59.0/sobjects, repeated queries against /services/data/v59.0/query, and pagination using QueryMore cursors over extended periods.

Observed targets include:

  • Salesforce CRM records
  • Business contacts
  • Sales opportunity data
  • Price quotes
  • Sales-related messages
  • Customer and partner business metadata
  • OAuth tokens associated with Klue-connected third-party platforms

Mitigation Recommendation:
Organizations using Klue integrations should immediately review whether Klue was connected to Salesforce or other third-party platforms and validate whether their tenant was included in Klue's customer notifications.

Revoke and reauthorize Klue-related OAuth grants and app connections where applicable.

Rotate credentials and secrets associated with affected integrations, including:

  • Klue integration credentials
  • Salesforce connected app tokens
  • OAuth refresh tokens
  • API tokens used by CRM integrations
  • Service account credentials
  • Third-party SaaS integration credentials

Perform retrospective hunting for:

  • Unusual Salesforce OAuth token generation
  • Klue Battlecards or Klue integration account access anomalies
  • Python-urllib user-agent activity against Salesforce APIs
  • High-volume Salesforce REST API queries
  • Access to /services/data/v59.0/sobjects
  • Access to /services/data/v59.0/query
  • QueryMore cursor pagination over long sessions
  • Bulk export or enumeration of CRM objects
  • Suspicious access from trusted integration accounts
  • Unexpected connected app authorization or reauthorization events
  • Access to Salesforce records outside normal integration behavior
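As an added worked example (not part of the original bulletin, nor code from Klue, Salesforce or any vendor named above), the following Python script applies several of these hunting indicators to a constructed API access log: the Python-urllib user agent, sobjects enumeration, repeated query calls, QueryMore cursor pagination and the time span of a user's activity. The log format, field order, user names and cursor locator values are assumptions, not Salesforce's EventLogFile schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed fields: timestamp,user,user_agent,uri); not a Salesforce export.
SAMPLE_LOG = """\
2026-06-12T01:00:05Z,klue-integration@example.com,Python-urllib/3.11,/services/data/v59.0/sobjects
2026-06-12T01:00:09Z,klue-integration@example.com,Python-urllib/3.11,/services/data/v59.0/query?q=SELECT+Id+FROM+Contact
2026-06-12T01:00:14Z,klue-integration@example.com,Python-urllib/3.11,/services/data/v59.0/query/01gCONSTRUCTED-2000
2026-06-12T01:00:19Z,klue-integration@example.com,Python-urllib/3.11,/services/data/v59.0/query/01gCONSTRUCTED-4000
2026-06-12T03:30:02Z,klue-integration@example.com,Python-urllib/3.11,/services/data/v59.0/query/01gCONSTRUCTED-6000
2026-06-12T09:15:00Z,sales.rep@example.com,Mozilla/5.0,/services/data/v59.0/query?q=SELECT+Id+FROM+Opportunity+LIMIT+10
"""
API = "/services/data/v59.0"
# QueryMore cursors are fetched as <API>/query/<locator>-<offset>; the locator values above are constructed.
QUERYMORE_RE = re.compile(rf"^{re.escape(API)}/query/[^/?]+-\d+$")

def hunt_salesforce_api_log(log_text, min_querymore_pages=2):
    """Group API requests per user and flag the bulletin's hunting indicators."""
    per_user = defaultdict(lambda: {"urllib": 0, "sobjects": 0, "query": 0,
                                    "querymore": 0, "first": None, "last": None})
    for line in filter(None, log_text.splitlines()):
        ts_s, user, ua, uri = line.split(",", 3)
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        rec = per_user[user]
        rec["first"] = min(rec["first"] or ts, ts)
        rec["last"] = max(rec["last"] or ts, ts)
        if ua.startswith("Python-urllib"):      # scripted client seen in the reported activity
            rec["urllib"] += 1
        path = uri.split("?", 1)[0]
        if path == f"{API}/sobjects":           # object enumeration
            rec["sobjects"] += 1
        if path.startswith(f"{API}/query"):     # SOQL query or cursor follow-up
            rec["query"] += 1
        if QUERYMORE_RE.match(path):            # paging through a large result set
            rec["querymore"] += 1
    findings = {}
    for user, rec in per_user.items():
        reasons = []
        if rec["urllib"]:
            reasons.append("python-urllib user agent")
        if rec["sobjects"]:
            reasons.append("sobjects enumeration")
        if rec["querymore"] >= min_querymore_pages:
            reasons.append(f"{rec['querymore']} QueryMore pages")
        if reasons:
            span_h = (rec["last"] - rec["first"]).total_seconds() / 3600
            findings[user] = {"reasons": reasons, "queries": rec["query"], "span_hours": round(span_h, 2)}
    return findings
```

Running `hunt_salesforce_api_log(SAMPLE_LOG)` flags only the integration account, with its query count and the roughly 2.5 hours over which it paged through results; tune the thresholds to the volume your own integrations normally generate.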

Recommended response actions:

  • Confirm whether Klue integrations were enabled in the environment
  • Disable or restrict Klue integrations until validation is complete
  • Revoke affected OAuth tokens and require reauthorization after review
  • Review Salesforce Connected Apps and OAuth usage logs
  • Audit CRM object access, exports, and API query activity from June 11, 2026 onward
  • Validate whether sales records, opportunity notes, quotes, or business contact information were accessed
  • Notify legal, privacy, and customer response teams if regulated or sensitive business data was exposed
  • Apply least-privilege permissions to third-party SaaS integrations
  • Monitor non-human identities and service accounts with the same rigor as employee accounts
  • Establish alerting for high-volume CRM API queries, unusual user agents, and persistent OAuth token use

Restrict third-party integrations that maintain broad or persistent CRM access until permissions and monitoring are reviewed.

References:
https://klue.com/blog/an-update-on-recent-klue-security-incident
https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft/
https://status.salesforce.com/generalmessages/20000257
https://www.huntress.com/blog/klue-breach-investigation
https://www.recordedfuture.com/blog/klue-security-incident
https://www.jamf.com/blog/klue-incident/