Breaches | Jun 22, 2026

Salesforce Disables Klue Integration After OAuth Token Theft Hits Customer Data

Icarus extortion group stole Salesforce customer data via compromised Klue integration.

Summary

The Icarus extortion group exploited a legacy credential in the Klue Battlecards integration to steal bulk Salesforce customer data. Salesforce disabled the integration and Klue deactivated the compromised OAuth tokens, but data theft had already occurred over a 24-hour period. The stolen data includes commercial information such as contacts and quotes, but not passwords or payment details.

Full text

Icarus extortion group used a legacy Klue Battlecards credential to bypass security and steal bulk Salesforce records from affected companies.

By Deeba Ahmed, June 22, 2026

A new supply chain attack has targeted companies using Salesforce. Attackers compromised a third-party application integration, Klue Battlecards, to access and steal customer data. Salesforce disabled the app’s integration infrastructure on 17 June 2026 to stop unauthorised access, clarifying that the issue was limited to Klue and not a vulnerability in the Salesforce platform itself.

“Our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce. This issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform,” Salesforce’s alert reads.

How the Breach Happened

Cybersecurity firm Huntress found that the initial breach occurred on 11 June, noting that attackers entered Klue’s backend system by exploiting an old, unused testing credential that was still active. Once inside, they deployed a malicious code update to harvest OAuth tokens. These tokens let applications share data without repeated logins, so the attackers bypassed standard authentication controls such as multi-factor authentication.

From there, the attack moved fast. Security firm ReliaQuest’s investigation showed that the hackers used automated Python scripts against the Salesforce REST API to fetch data in bulk over a 24-hour window. This included a heavy burst of nearly 1,000 queries in just 15 minutes and sustained data theft lasting over six hours in some networks.
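The burst pattern described above (on the order of 1,000 API calls from one connected app inside 15 minutes) is something a defender can detect from API access logs with a per-app sliding window. The following is an added example, not code from the article or from Salesforce, Huntress or ReliaQuest; it uses a constructed, simplified log format and sample records, and the threshold is an assumed tuning value.

```python
"""Flag a connected app whose API call rate spikes inside a sliding window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed records (not Salesforce's event schema): 'ISO-ts app user method path'."""
    base = datetime(2026, 6, 11, 9, 0, 0)
    lines = []
    # Hypothetical well-behaved integration: one REST query per minute for an hour.
    for i in range(60):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} crm_sync svc1 GET /services/data/v60.0/query")
    # Hypothetical compromised integration: 1,000 queries squeezed into 15 minutes.
    burst_start = base + timedelta(minutes=20)
    for i in range(1000):
        ts = burst_start + timedelta(seconds=i * 0.9)
        lines.append(f"{ts.isoformat()} klue_battlecards svc2 GET /services/data/v60.0/query")
    return lines


def parse_line(line):
    ts, app, user, method, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), app, user, method, path


def peak_rate_per_app(lines, window=timedelta(minutes=15)):
    """Return {app: highest number of calls seen in any span of length `window`}."""
    events = sorted(parse_line(line) for line in lines)  # tuples sort by timestamp first
    recent = defaultdict(deque)  # per-app timestamps inside the current window
    peak = defaultdict(int)
    for ts, app, *_ in events:
        q = recent[app]
        q.append(ts)
        while ts - q[0] > window:  # drop calls that fell out of the window
            q.popleft()
        peak[app] = max(peak[app], len(q))
    return dict(peak)


def flag_bursts(lines, threshold=500, window=timedelta(minutes=15)):
    """Apps whose peak call count in one window reaches `threshold` (assumed tuning value)."""
    peaks = peak_rate_per_app(lines, window)
    return sorted(app for app, count in peaks.items() if count >= threshold)


if __name__ == "__main__":
    for app in flag_bursts(make_sample_log()):
        print(f"ALERT: burst of API calls from connected app {app}")
```

In a real deployment the records would come from the platform's API event logs and the threshold would be set against each integration's normal baseline; a flagged app is a candidate for token revocation and review, not proof of compromise.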
Klue detected this unusual activity on 12 June and quickly deactivated the compromised tokens. The firm prevented the damage from spreading further by turning off integrations with other major apps, including HubSpot, Microsoft SharePoint, Zoom, Google Drive, and Slack. However, despite these efforts, several tech and security firms confirmed their Salesforce data was copied during the window of vulnerability. Impacted companies include Huntress, Jamf, Recorded Future, Tanium, Gong, Insurity, and Sprout Social.

The compromised files consist of commercial data like business contacts, price quotes, email addresses, and sales messages. It is worth noting that corporate passwords, payment details, and core software telemetry data weren’t impacted.

A crucial detail from Huntress’ investigation is that a new extortion group named Icarus is behind this campaign. This group has reportedly been active since April 2026. On 16 June, Huntress received an email demanding a ransom within 48 hours to prevent the leak of the stolen files. The email contained a Session Messenger ID that matched the Icarus dark web leak site, and the group officially listed Klue as a victim on 19 June 2026.

Connection to Past Salesforce Intrusions

ReliaQuest researchers noted that this technique is similar to several previous integration attacks. Hackread.com has been reporting these incidents and has observed that they followed the same pattern of stealing third-party digital keys to bypass corporate security barriers. In August 2025, a data theft campaign by threat actor UNC6395 involved using compromised Salesloft Drift tokens to export large volumes of data from over 700 Salesforce accounts while hunting for AWS and Snowflake access keys. Later, in November 2025, the ShinyHunters cybercrime group stole Gainsight access tokens to steal bulk data from customer environments.
As these third-party integration attacks continue to target enterprises, with Klue as the latest victim, security teams are advised to remain cautious. To secure affected environments following this incident, security teams should immediately revoke and reissue all passwords and OAuth grants linked to the Klue platform.

Indicators of Compromise

  • malware — Python scripts

Entities

  • Icarus (threat_actor)
  • Salesforce (product)
  • Klue Battlecards (product)
  • OAuth tokens (technology)
  • HubSpot (product)
  • Microsoft SharePoint (product)