Salesforce Disables Klue Integration Over OAuth Token Theft Risk to Customer Data

A supply chain attack targeting organizations utilizing Salesforce has led to the suspension of the Klue Battlecards application integration.

Salesforce Disables Klue Integration Following OAuth Token Compromise

Salesforce confirmed the issue was confined to the Klue application and not indicative of a vulnerability within the Salesforce platform itself. “Our security teams identified anomalous activity involving the app that may have resulted in unauthorized access to a subset of customer data through its connection to Salesforce. This incident is restricted to Klue’s app integration and does not stem from a flaw in the Salesforce platform,” the statement emphasized.

Attack Methodology

Cybersecurity firm Huntress reported that the initial breach occurred on 11 June.

Attackers gained entry to Klue’s backend system via an outdated, unused testing credential that remained active. Once inside, they deployed malicious code to harvest OAuth tokens, which facilitate seamless data sharing between applications without requiring repeated authentication. These tokens enabled the attackers to bypass standard security measures such as multi-factor authentication.

Data Exfiltration via Salesforce REST API

ReliaQuest’s analysis revealed threat actors utilized automated Python scripts through the Salesforce REST API to extract data in bulk over a 24-hour period. This included a surge of nearly 1,000 queries within 15 minutes and sustained data exfiltration lasting over six hours in certain networks.
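The volume figures above (roughly 1,000 queries inside 15 minutes, then activity sustained for more than six hours) are exactly the kind of per-connected-app signal a detection team can alert on from API access logs. The script below is an added example and is not code from Salesforce, Klue, ReliaQuest or Huntress; its log lines, the simplified field names (`app=`, `user=`, `op=`) and the anchor timestamp are constructed for illustration and do not reflect Salesforce Event Monitoring's real column names. It applies a sliding-window burst check and a gap-based "sustained run" check to each connected app independently.

```python
"""Detect burst and sustained bulk-query patterns per connected app.

Added example for the article; not code from Salesforce, Klue, ReliaQuest or
Huntress. The log format and field names (timestamp, app=, user=, op=) are a
constructed, simplified schema, not Salesforce Event Monitoring's real columns.
Thresholds mirror the figures the article reports: ~1,000 queries in 15 minutes
and activity sustained for more than six hours.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BURST_WINDOW = timedelta(minutes=15)     # sliding window for the burst check
BURST_THRESHOLD = 1000                   # queries in one window that count as a burst
SUSTAINED_MIN = timedelta(hours=6)       # a run at least this long is "sustained"
RUN_GAP = timedelta(minutes=10)          # a pause longer than this ends a run

T0 = datetime(2025, 6, 11, 2, 0, tzinfo=timezone.utc)  # constructed anchor time


def parse_line(line):
    """Parse one constructed log line into a dict with a tz-aware datetime."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(lines):
    """Return findings: one 'burst' per app whose query count reaches
    BURST_THRESHOLD inside BURST_WINDOW, and one 'sustained' per run of queries
    (consecutive gaps <= RUN_GAP) that lasts at least SUSTAINED_MIN."""
    events = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    findings = []
    windows = defaultdict(deque)   # app -> timestamps of queries inside the window
    burst_seen = set()
    runs = {}                      # app -> (run_start, last_seen)

    def close_run(app, start, last):
        if last - start >= SUSTAINED_MIN:
            findings.append({"type": "sustained", "app": app,
                             "hours": round((last - start) / timedelta(hours=1), 2)})

    for rec in events:
        if rec.get("op") != "query":
            continue
        app, ts = rec["app"], rec["ts"]

        # Burst check: sliding count of this app's queries within BURST_WINDOW.
        dq = windows[app]
        dq.append(ts)
        while ts - dq[0] > BURST_WINDOW:
            dq.popleft()
        if len(dq) >= BURST_THRESHOLD and app not in burst_seen:
            burst_seen.add(app)
            findings.append({"type": "burst", "app": app, "count": len(dq), "at": ts})

        # Sustained check: a pause longer than RUN_GAP closes the current run.
        if app in runs:
            start, last = runs[app]
            if ts - last > RUN_GAP:
                close_run(app, start, last)
                start = ts
            runs[app] = (start, ts)
        else:
            runs[app] = (ts, ts)

    for app, (start, last) in runs.items():
        close_run(app, start, last)
    return findings


def constructed_log():
    """Constructed sample: a benign app polling every 30 minutes for a day, and a
    suspect app that fires 1,200 queries in ~12 minutes and then keeps querying
    every 5 minutes for 7 hours."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(48):
        t = T0 + timedelta(minutes=30 * i)
        lines.append(f"{t.strftime(fmt)} app=baseline-app user=svc1 op=query")
    for i in range(1200):
        t = T0 + timedelta(seconds=0.6 * i)
        lines.append(f"{t.strftime(fmt)} app=suspect-app user=svc2 op=query")
    for i in range(1, 85):
        t = T0 + timedelta(minutes=12 + 5 * i)
        lines.append(f"{t.strftime(fmt)} app=suspect-app user=svc2 op=query")
    return lines


if __name__ == "__main__":
    for finding in detect(constructed_log()):
        print(finding)
```

Run as-is, it reports a `burst` for `suspect-app` the moment its 1,000th query lands inside the 15-minute window, and a `sustained` finding for the same app once its run is closed at the end of the log; `baseline-app` never triggers because each of its queries is separated by a gap longer than `RUN_GAP`. In a real deployment the thresholds would be tuned per integration, since a legitimate sync job can legitimately sustain activity for hours while a burst from a newly authorized app is the more reliable signal.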

Affected Entities and Stolen Data

Klue detected the suspicious activity on 12 June and promptly invalidated the compromised tokens. Despite these actions, multiple cybersecurity firms confirmed their Salesforce data was copied during the vulnerability window. Affected entities include Huntress, Jamf, Recorded Future, Tanium, Gong, Insurity, and Sprout Social. The stolen files encompass commercial data such as business contacts, pricing details, addresses, and sales communications. Notably, corporate passwords, financial information, and critical software telemetry data remained unaffected.

Historical Context

ReliaQuest researchers highlighted that this attack methodology mirrors prior integration-based breaches. Previous incidents, such as the August 2025 campaign by threat actor UNC6395, involved compromised Salesloft Drift tokens to extract data from over 700 Salesforce accounts while searching for AWS and Snowflake access keys. Similarly, in November 2025, the ShinyHunters group exploited Gainsight access tokens to steal bulk data from customer environments.

Post-Incident Mitigation Measures

Security teams are urged to remain vigilant. Post-incident mitigation measures include revoking and reissuing all passwords and OAuth grants associated with the Klue platform to secure affected systems.
