
Salesforce Disables Klue App Integration After OAuth Token Breach Exposes Customer Data

Salesforce revealed that it has disabled the integration of the Klue Battlecards app within its platform in response to a security incident affecting the competitive intelligence firm on June 11, 2026.

As a result, organizations will not be able to connect to Salesforce through the app until further notice, the American cloud software company said in a notice published this week.

“Salesforce took this action because our security teams recently discovered unusual activity involving an application that may have resulted in unauthorized access to a subset of customer data through the application’s connection to Salesforce,” it noted. “This issue is limited to Klue’s app connectivity and does not stem from a vulnerability within the Salesforce platform.”

The development comes as a hacking group calling itself Icarus compromised and extracted data from Klue’s customers, including the cybersecurity firm Huntress.

“The data copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messages,” Huntress said. “No threat data, passwords, payment card information, or engineering data related to the Huntress agent or telemetry we collect was affected.”

In its update, Klue said it detected unauthorized activity affecting part of Klue’s integration infrastructure on June 12, 2026, adding that attackers gained access through legacy credentials tied to the integration service.

“The attacker used that access to obtain OAuth tokens used to connect Klue to certain third-party platforms, including Salesforce, and subsequently accessed data between a number of connected customer sites,” said Klue CEO Jason Smith. “Based on our investigation to date, the incident was limited to affected third-party platforms, and there is no evidence that customer content stored on Klue’s platform was impacted.”

Specifically, the hack allegedly allowed a threat actor to push a code update capable of collecting OAuth tokens used by its customers to connect Klue to their systems. In response to the breach, Klue took steps to revoke affected credentials and tokens, remove unauthorized code, disable remote access, disable potentially impactful integrations, and initiate a comprehensive investigation.

On June 16, 2026, some Huntress employees received an email with the subject line “top secret email” and a warning: “Your Salesforce data has been downloaded … You have 48 hours to contact us. Make the right decision.”

“The threat actor appears to have used unused but still valid evidence to create a compromise — which originally existed for Klue to create a third-party integration model that they are disposing of,” the company said. “The threat actor then accessed Klue’s infrastructure to steal the tokens used by Klue’s customers, then used those stolen credentials to query those customers’ CRM tools directly and, ultimately, exfiltrate the data.”

Little is known about the Icarus actor beyond the fact that it has been active since April 28, 2026, and has claimed two victims so far. That said, the data theft campaign mirrors the wave of attacks attributed to ShinyHunters and UNC6395.

ReliaQuest, in its analysis of the Klue integration abuse, said the activity shares similarities with the third-party OAuth-abuse playbook associated with the Salesloft Drift and Gainsight compromises that targeted Salesforce environments last year.

“In the attack we observed, the adversary first authenticated with a vulnerable Klue integration service account, generated OAuth tokens, and executed automated Python scripts (pointed to by the Python-urllib user-agent strings),” said ReliaQuest researchers Thassanai McCabe and Alexa Feminella.

“These scripts first listed the organization’s object catalog with GET /services/data/v59.0/sobjects, then compiled REST API queries against the Salesforce query endpoint (/services/data/v59.0/query) and returned results with a QueryMore cursor for about 24 hours.”

These are assessed to be bulk data retrieval actions designed to pull large volumes of CRM records through the Salesforce REST API. They included a “focused burst” of nearly 1,000 queries in 15 minutes in at least one environment and a sustained window of activity lasting more than six hours in another.

It’s unclear how many Salesforce customers were affected by the latest attack, although Klue said it was contacting affected customers directly, sharing the results of the investigation, and helping them with their response efforts.

“A common thread is the misuse of OAuth tokens or credentials from a trusted third-party vendor,” ReliaQuest said. “This integration is an impersonal identity with persistent, often extensive access to sensitive data, yet is often monitored more closely than employee accounts. That gap is why a 24-hour automated inquiry loop can be initiated from a ‘trusted’ integration account without tripping normal alarms.”
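The pattern ReliaQuest describes (an integration account listing the object catalog, then paging through the query endpoint with QueryMore cursors from a scripted Python-urllib client, either in a short burst or over many hours) is one that defenders can look for in Salesforce API logs. The script below is an added example written for this article, not code from ReliaQuest, Huntress, Klue or Salesforce. It builds a constructed log whose column names are loosely modelled on Salesforce EventLogFile RestApi rows; the user ids, timestamps, cursor id, volumes and the burst and duration thresholds are all assumptions chosen to illustrate the detection, and the API paths are the ones quoted above.

```python
"""Flag bulk CRM retrieval by an integration identity from Salesforce REST API logs.

Added example for this article; the log rows below are constructed and the
column names are only loosely modelled on Salesforce EventLogFile RestApi data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

_HEADER = "TIMESTAMP_DERIVED,USER_ID,URI,USER_AGENT,STATUS_CODE\n"


def _build_sample() -> str:
    """Construct a sample log: one scripted integration user and one ordinary employee."""
    base = datetime(2026, 6, 13, 2, 0, 0)  # hypothetical timestamp
    rows = []
    # Integration user (hypothetical id 005INTEG): one catalog listing, then 120
    # query / QueryMore calls paged through a cursor within 14 minutes.
    rows.append((base, "005INTEG", "/services/data/v59.0/sobjects", "Python-urllib/3.11", 200))
    for i in range(120):
        t = base + timedelta(seconds=7 * (i + 1))
        uri = "/services/data/v59.0/query" if i == 0 else "/services/data/v59.0/query/01gCURSORXYZ-%d" % (2000 * i)
        rows.append((t, "005INTEG", uri, "Python-urllib/3.11", 200))
    # Ordinary employee (hypothetical id 005ALICE): a handful of browser queries over 40 minutes.
    for i in range(5):
        t = base + timedelta(minutes=10 * i)
        rows.append((t, "005ALICE", "/services/data/v59.0/query", "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0", 200))
    rows.sort(key=lambda r: r[0])
    return _HEADER + "".join("%s,%s,%s,%s,%d\n" % (r[0].isoformat(), r[1], r[2], r[3], r[4]) for r in rows)


SAMPLE_LOG = _build_sample()


def parse_events(text: str) -> list:
    """Parse CSV rows into dicts, adding a parsed datetime under 'ts', sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["TIMESTAMP_DERIVED"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of calls inside any sliding window of the given length (two-pointer scan)."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def profile_users(events: list) -> dict:
    """Summarise, per user, the signals that make up the bulk-retrieval pattern."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["USER_ID"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        queries = [e for e in evs if "/query" in e["URI"]]
        qtimes = [e["ts"] for e in queries]
        profiles[user] = {
            # Enumeration of the object catalog preceding the queries.
            "listed_catalog": any(e["URI"].endswith("/sobjects") for e in evs),
            # Scripted client rather than a browser or a known connected app.
            "scripted_agent": any(e["USER_AGENT"].lower().startswith("python-urllib") for e in evs),
            # Cursor-based paging (QueryMore) through large result sets.
            "used_querymore": any("/query/" in e["URI"] for e in queries),
            # Short, dense burst or a long sustained session.
            "max_queries_15m": max_in_window(qtimes, timedelta(minutes=15)),
            "query_span_hours": (qtimes[-1] - qtimes[0]).total_seconds() / 3600 if qtimes else 0.0,
        }
    return profiles


def flag_bulk_retrieval(events: list, burst_threshold: int = 100, span_hours: float = 6.0) -> list:
    """Return user ids whose activity matches the bulk-retrieval pattern (thresholds are assumptions)."""
    flagged = []
    for user, p in profile_users(events).items():
        volume = p["max_queries_15m"] >= burst_threshold or p["query_span_hours"] >= span_hours
        if volume and p["used_querymore"] and (p["scripted_agent"] or p["listed_catalog"]):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for user, p in profile_users(events).items():
        print(user, p)
    print("flagged:", flag_bulk_retrieval(events))
```

The thresholds are deliberately conservative relative to the figures in the article (nearly 1,000 queries in 15 minutes, or a window of more than six hours); in a real deployment they should be tuned to each integration's baseline, and the point of the user-agent and catalog-enumeration checks is that a legitimate connected app rarely changes its client library or re-enumerates every object before querying. The check runs the same way over the lower-volume, longer-duration variant, since a query span at or above `span_hours` satisfies the volume condition without any burst.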
