Salesforce Disables Klue App Over OAuth Token Abuse

"Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app's connection to Salesforce," the company said.

Salesforce disables Klue Battlecards integration, limits customer connections

On June 11, 2026, Salesforce disabled the Klue Battlecards app integration across its platform and told customers they would be unable to connect to Salesforce via the app until further notice. Salesforce made clear its decision followed detection of "unusual activity" tied to the Klue connection and said the issue was limited to Klue's app connection — "and does not arise from a vulnerability within the Salesforce platform."

Klue says attackers stole OAuth tokens using a compromised legacy credential

Klue reported it detected unauthorized activity in a portion of its integration infrastructure on June 12, 2026. CEO Jason Smith said the initial access came through a "compromised legacy credential associated with an integration service." Smith added, "The attacker used that access to obtain OAuth tokens used to connect Klue with certain third‑party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments."

Klue said the incident allowed the attacker to push a code update capable of collecting OAuth tokens, and that the company has revoked affected credentials and tokens, removed unauthorized code, stopped remote access, disabled potentially impacted integrations, and launched a comprehensive investigation. Klue also stated there is "no evidence that customer content stored within the Klue platform was impacted" and characterized the impact as limited to the affected third‑party platforms.

Icarus extortion group and Huntress disclosure

An extortion group that calls itself Icarus claimed responsibility for compromising and exfiltrating data from Klue customers, including the cybersecurity company Huntress. Huntress said: "The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales‑related data and messaging." Huntress added that "No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected."

As of June 16, 2026, some Huntress employees received an email with the subject line "top secret email" and text warning: "Your Salesforce data has been downloaded ... You have 48 hours to communicate with us. Do the right decision." Little is known about Icarus beyond that it has been active since April 28, 2026 and has claimed a total of two victims to date.

ReliaQuest analysis: the mechanics of the OAuth‑abuse campaign

ReliaQuest researchers Thassanai McCabe and Alexa Feminella said the activity mirrors the third‑party OAuth‑abuse playbook seen in prior compromises. The attack pattern they observed began with authentication through a compromised Klue integration service account, followed by the generation of OAuth tokens.

The researchers reported the adversary used automated Python scripts identified by Python‑urllib user‑agent strings. These scripts first enumerated the organization's object catalog via GET /services/data/v59.0/sobjects, then looped REST API queries against the Salesforce query endpoint (/services/data/v59.0/query) and paginated results with the QueryMore cursor for nearly 24 hours in observed activity. They described the actions as bulk data retrieval: a "concentrated burst" of nearly a thousand queries in 15 minutes against at least one environment and an extraction window that lasted more than six hours in another case.

ReliaQuest linked the campaign to a common weakness: integrations run as non‑human identities with persistent, often broad access to sensitive data but typically monitored far less closely than employee accounts. "That gap is why a 24‑hour automated query loop could run from a 'trusted' integration account without tripping the usual alarms," the researchers said.
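The two ReliaQuest observations above (a scripted client enumerating /sobjects and then looping the query endpoint with QueryMore cursors, and the fact that such a loop ran for a day from a trusted integration identity) translate directly into detection logic. The following is an added example written for this page, not code from the article, ReliaQuest, Klue or Salesforce. It assumes a simplified API event record shape (timestamp, user, user_agent, uri) and thresholds that you would map onto and tune for your own Salesforce API event log export; the sample records it runs on are constructed, and the identities and cursor value are placeholders.

```python
"""Detection sketch for the bulk-retrieval pattern ReliaQuest described:
a scripted client (Python-urllib user agent) on an integration identity
enumerates /sobjects, then loops the REST query endpoint and QueryMore
cursors in a concentrated burst and over a long extraction window.

Added example; not code from the article, ReliaQuest, Klue or Salesforce.
The record shape (timestamp, user, user_agent, uri) and every threshold
are assumptions to be mapped onto your own API event log export.
"""
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# URI shapes named in the article: object catalog enumeration, then query + QueryMore
SOBJECTS_RE = re.compile(r"^/services/data/v\d+\.\d+/sobjects/?$")
QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query(/|\?|$)")
SCRIPT_UA_RE = re.compile(r"^Python-urllib", re.IGNORECASE)


def analyze(records, burst_threshold=500, burst_window=timedelta(minutes=15),
            long_window=timedelta(hours=6), sustained_min=100):
    """Group API calls per identity and score three signals:
    concentrated_burst      >= burst_threshold query calls inside any burst_window
    long_extraction_window  >= sustained_min query calls spread over >= long_window
    script_enum_then_query  script UA, /sobjects enumeration, then query calls
    Returns {user: {"query_count", "max_burst", "span", "flags"}}.
    """
    per_user = defaultdict(lambda: {"script_ua": False, "enum_at": None, "queries": []})
    for r in records:
        u = per_user[r["user"]]
        if SCRIPT_UA_RE.match(r["user_agent"]):
            u["script_ua"] = True
        if SOBJECTS_RE.match(r["uri"]):
            if u["enum_at"] is None or r["timestamp"] < u["enum_at"]:
                u["enum_at"] = r["timestamp"]   # earliest catalog enumeration
        if QUERY_RE.match(r["uri"]):
            u["queries"].append(r["timestamp"])

    findings = {}
    for user, u in per_user.items():
        times = sorted(u["queries"])
        # sliding window: for each call, count calls within burst_window after it
        max_burst = max((bisect_right(times, t + burst_window) - i
                         for i, t in enumerate(times)), default=0)
        span = times[-1] - times[0] if times else timedelta(0)
        flags = []
        if max_burst >= burst_threshold:
            flags.append("concentrated_burst")
        if len(times) >= sustained_min and span >= long_window:
            flags.append("long_extraction_window")
        if u["script_ua"] and times and u["enum_at"] is not None and u["enum_at"] <= times[0]:
            flags.append("script_enum_then_query")
        findings[user] = {"query_count": len(times), "max_burst": max_burst,
                          "span": span, "flags": flags}
    return findings


def flagged(findings):
    """Identities with at least one signal, for routing to an analyst."""
    return sorted(user for user, f in findings.items() if f["flags"])


def constructed_log():
    """Constructed sample records, not real telemetry. Identities are placeholders."""
    t0 = datetime(2026, 6, 12, 2, 0, 0)
    bot, ua = "integration-svc@example.invalid", "Python-urllib/3.11"
    recs = [dict(timestamp=t0, user=bot, user_agent=ua, uri="/services/data/v59.0/sobjects")]
    # burst: 600 query calls, one per second, over ten minutes
    recs += [dict(timestamp=t0 + timedelta(seconds=1 + i), user=bot, user_agent=ua,
                  uri="/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
             for i in range(600)]
    # QueryMore pagination trickling on every five minutes for another seven hours
    recs += [dict(timestamp=t0 + timedelta(minutes=15 + 5 * i), user=bot, user_agent=ua,
                  uri="/services/data/v59.0/query/01gPLACEHOLDERCURSOR-2000")
             for i in range(84)]
    # a person in a browser running occasional reports through the working day
    recs += [dict(timestamp=t0 + timedelta(minutes=30 * i), user="analyst@example.invalid",
                  user_agent="Mozilla/5.0 (X11; Linux x86_64)",
                  uri="/services/data/v59.0/query?q=SELECT+Name+FROM+Opportunity")
             for i in range(20)]
    return recs


if __name__ == "__main__":
    for user, f in analyze(constructed_log()).items():
        print(f"{user}: {f['query_count']} queries, max burst {f['max_burst']}/15min, "
              f"span {f['span']}, flags {f['flags']}")
```

The three signals are deliberately scored separately so that a single one (a busy human over a long day, or a legitimate nightly sync) does not page anyone on its own; the combination of a script user agent on an integration identity, catalog enumeration, and a sustained high-volume query loop is what matches the pattern ReliaQuest described. In a real deployment the records would come from your API event log export rather than the constructed sample, and the identity list would be restricted to connected-app and integration users, since those are exactly the accounts the researchers said are monitored least.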

What this means for Klue customers, security teams, and procurement leaders

  • Klue customers: Klue says it is communicating directly with impacted customers, sharing investigative findings, and assisting response efforts, and Salesforce has blocked new connections via the app until further notice.
  • Security teams and technologists: The observed pattern emphasizes OAuth token theft via third‑party integrations, automated query loops against Salesforce REST APIs, and long extraction windows. ReliaQuest's findings highlight monitoring gaps for non‑human integration identities.
  • Procurement and vendor managers: The incident underscores that a "long‑disused but still active credential" created for prototyping can become an initial compromise path, according to Klue's account of the pivot into its infrastructure.

It remains unclear how many Salesforce customers were affected overall. Klue has said it is assisting impacted customers and has revoked the credentials and tokens it identified; Salesforce has limited the immediate risk surface by disabling the Klue integration. That a legacy credential was used for initial access, that OAuth tokens were harvested, and that automated, high‑volume queries were used to pull data are, taken together, the concrete elements of an incident that underscores the persistent risk tied to third‑party integrations.