
Hackers Breach Klue Integration to Steal Salesforce CRM Data: What Happened and How to Stay Protected (2026 Incident Analysis)
If you run a modern sales or revenue team, you've probably connected dozens of SaaS apps to your Salesforce CRM without a second thought. What most teams overlook is that each of those integrations holds a standing key to your most sensitive customer data. In this guide, you'll learn exactly how attackers breached the Klue integration to steal Salesforce CRM data, which indicators of compromise to hunt for, and the precise steps to protect your own connected apps.
## Key Takeaways
▸ The Klue breach is a third-party SaaS supply-chain attack in which stolen OAuth tokens were used to access and exfiltrate Salesforce CRM data from multiple enterprises.
▸ A threat actor named "Icarus" exploited a dormant-but-active legacy credential to pivot into Klue's backend and harvest customer OAuth tokens.
▸ No Salesforce platform vulnerability was involved — the abuse occurred through the trusted Klue Battlecards app connection.
▸ Stolen data included business contacts, price quotes, sales communications, and competitive intelligence, but not passwords or payment card data.
▸ A connected app's OAuth tokens are the credentials of a non-human identity: they carry persistent, broad access, and most teams monitor them far less closely than employee accounts.
▸ Immediate protection requires revoking and rotating OAuth tokens, terminating sessions, and reviewing Salesforce API logs for anomalies.
▸ Least privilege and continuous monitoring of every integration are the most reliable defenses against repeat SaaS supply-chain attacks.
## What Is the Klue Salesforce Breach?
The Klue Salesforce breach is a third-party integration compromise in which attackers stole OAuth tokens from market-intelligence platform Klue and used them to exfiltrate Salesforce CRM data from its customers. Salesforce confirmed the incident and disabled the Klue Battlecards app connection while the investigation continued.
To be precise, this was not a flaw in Salesforce itself. Salesforce stated the issue was limited to the Klue app's connection and did not stem from a vulnerability in its platform. The attackers never broke Salesforce's authentication; they reused legitimate access that Klue's integration already held. In OAuth terms, a connected app holds a short-lived access token and, usually, a long-lived refresh token that it can exchange for new access tokens without the user signing in again. It is the refresh token that turns a one-time authorization into standing access to the CRM.
The campaign is being run by a relatively new extortion group. The threat actor "Icarus" has been active since April 28, 2026 and had claimed only two victims at the time of disclosure — Source: The Hacker News, 2026. To frame this kind of exposure across your own connected systems, review our cybersecurity risk assessment framework before assuming your SaaS stack is safe.
A Quick Timeline of the Klue Incident
The Klue incident unfolded over a few days in mid-June 2026. Salesforce detected unusual activity around June 11, 2026, and Klue reported identifying unauthorized activity in its integration infrastructure on June 12, 2026.
Soon after, Salesforce disabled the Klue Battlecards integration, and cybersecurity vendors ReliaQuest and Huntress published findings confirming the attack. Importantly, Huntress publicly disclosed that its own Salesforce data was stolen, demonstrating transparency that helped the wider community respond faster.
## Why Does the Klue Integration Breach Matter?
The Klue integration breach matters because it shows how a single trusted third-party app can expose the CRM data of many organizations at once. When you authorize an integration, you hand it a standing key to your customer records — and that key rarely gets the scrutiny a human login receives.
First, consider the blast radius. A connected app like Klue holds OAuth tokens for many customers, so one compromised vendor can cascade into dozens of downstream Salesforce environments. For example, the confirmed victims already include cybersecurity firms Huntress and Recorded Future — Source: SecurityWeek, 2026.
Second, there is the monitoring gap. A non-human identity is a machine credential, such as an OAuth token or service account, used by software to access systems automatically. Because these identities run quietly in the background, a 24-hour automated query loop from a "trusted" integration can run without tripping the usual alarms. To understand why this attack surface keeps growing, see our explainer on cloud security misconfigurations.
## How Did Hackers Breach the Klue Integration to Steal Salesforce Data?
Hackers breached the Klue integration by exploiting a dormant legacy credential, pivoting into Klue's backend, and pushing malicious code that harvested customer OAuth tokens used to connect to Salesforce. No customer password was ever phished — the attackers simply reused valid machine credentials.
Step 1: Initial Access via a Forgotten Credential
The attackers gained their foothold through a long-disused but still-active credential that Klue had created for a prototype integration it later abandoned. This forgotten key was never revoked, which is a textbook example of credential sprawl.
As such, the entry point had nothing to do with a zero-day exploit. The lesson is blunt: every credential you stop using but never delete is a door left unlocked. To map exposures like this across your perimeter, follow our guide on attack surface management.
Step 2: Token Harvesting Inside Klue
Once inside Klue's environment, the attackers pushed a malicious code update designed to collect the OAuth tokens that customers use to link Klue to third-party platforms. This turned a trusted vendor's own software into a token-stealing machine.
For example, those harvested tokens covered connections to Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. This kind of poisoned-update tactic mirrors the broader rise in software supply-chain threats covered in our npm supply chain attack analysis.
Step 3: Automated Exfiltration of CRM Data
With valid tokens in hand, the attackers authenticated through a compromised Klue integration service account and ran automated Python scripts against the Salesforce REST API. ReliaQuest identified the traffic by its Python-urllib user-agent strings.
The scripts first enumerated each org's object catalog, then looped queries against the Salesforce query endpoint for nearly 24 hours. In at least one environment, the attackers fired close to 1,000 queries in a single 15-minute burst, while another exfiltration ran for more than six hours — Source: ReliaQuest, 2026. Bulk API querying from a trusted integration is one of the hardest data-theft patterns to detect because it looks like normal automation.
## What Data Was Stolen and Who Was Affected?
The stolen data was Salesforce CRM information, including business contacts, sales communications, price quotes, competitive intelligence reports, and account records. The breach was scoped to connected SaaS data rather than Klue's own stored content.
Notably, the damage had clear limits. Huntress reported no evidence that threat intelligence, customer telemetry, passwords, payment card data, or engineering systems were compromised. For example, the attackers focused on extracting commercially sensitive sales records they could leverage for extortion, not technical secrets.
The victim list skews toward technology and security firms. Klue's Battlecards is reportedly the third integrated app abused in this wave of Salesforce data theft, following the Salesloft Drift and Gainsight compromises — Source: Dark Reading, 2026. The Icarus group then began emailing extortion demands, giving victims a 48-hour deadline to respond — a pressure tactic detailed further in our coverage of modern phishing and social-engineering attacks.
## What Are the Indicators of Compromise (IOCs) for the Klue Breach?
The key indicators of compromise for the Klue breach are specific attacker IP addresses, Python-based API user-agents, and anomalous bulk queries against Salesforce REST endpoints. Indicators of compromise are forensic artifacts, log entries, or behavioral anomalies that suggest a system may have been breached.
Security teams should hunt for the following signals:
- ▸Attacker IP addresses reported by ReliaQuest and Huntress: 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160.
- ▸Python-urllib user-agent strings in Salesforce API logs, which indicate scripted access rather than human use.
- ▸Object enumeration via GET /services/data/v59.0/sobjects, often the first reconnaissance step. Match on the path pattern rather than the literal version string: the API version segment is chosen by the caller, so a detection pinned to v59.0 misses the same request against any other version.
- ▸High-volume query loops against /services/data/v59.0/query, including the paginated follow-up requests that a bulk pull issues to walk every page of records (the REST API returns a nextRecordsUrl for large result sets, the equivalent of SOAP queryMore).
- ▸OAuth token activity from the Klue Battlecards integration outside normal sync windows.
For example, hundreds of API queries in minutes from an unfamiliar IP is a strong exfiltration signal. To build a repeatable detection workflow around these artifacts, follow our guide on how to identify indicators of compromise, and check the reputation of any suspicious source IP using our IP reputation check guide.
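The following hunt script is an added example for this article, not code from ReliaQuest, Huntress, Klue or Salesforce. It runs the five signals above over a Salesforce API event-log export: the reported source IPs, Python-urllib user agents, object-catalog enumeration, and a sliding 15-minute window that flags query bursts. Column names (TIMESTAMP_DERIVED, CLIENT_IP, USER_AGENT, URI, USER_ID) are loosely modelled on an EventLogFile export and must be checked against your own org's event log schema; the sample export, the threshold of 100 queries per window, and the user IDs are constructed for the demonstration.

```python
"""Hunt a Salesforce API event-log export for the Klue-campaign IOCs.

Added example for this article; not ReliaQuest, Huntress, Klue or Salesforce
code. Column names are loosely modelled on an EventLogFile export and should be
verified against your org's schema. The sample export below is constructed.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Source addresses reported by ReliaQuest and Huntress, as listed in the article.
REPORTED_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

# Match any API version: the version segment of the URI is chosen by the caller.
SOBJECTS_RE = re.compile(r"^/services/data/v\d+\.\d+/sobjects/?$")
QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query(All)?(/|$)")
SCRIPTED_UA_RE = re.compile(r"python-urllib", re.IGNORECASE)

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 100            # hypothetical; tune to your org's normal automation volume
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def constructed_sample_csv(n_burst=120):
    """Constructed export: one scripted burst from a reported IP plus benign traffic."""
    t0 = datetime(2026, 6, 11, 2, 0, 0)

    def row(ts, ip, ua, uri, user):
        return f"{ts.strftime(TS_FORMAT)},{ip},{ua},{uri},{user}"

    lines = ["TIMESTAMP_DERIVED,CLIENT_IP,USER_AGENT,URI,USER_ID"]
    # Reconnaissance first: the object catalog, then a query loop 5 seconds apart.
    lines.append(row(t0, "138.226.246.94", "Python-urllib/3.11",
                     "/services/data/v59.0/sobjects", "005xx000001AAAA"))
    for i in range(n_burst):
        lines.append(row(t0 + timedelta(seconds=5 * i), "138.226.246.94", "Python-urllib/3.11",
                         "/services/data/v59.0/query", "005xx000001AAAA"))
    # Benign interactive use from an office address a few hours later.
    for i in range(3):
        lines.append(row(t0 + timedelta(hours=7, minutes=i), "203.0.113.7", "Mozilla/5.0",
                         "/services/data/v59.0/query", "005xx000001BBBB"))
    return "\n".join(lines) + "\n"


def hunt(csv_text):
    """Return per-IP hit counts for each IOC class plus peak queries per BURST_WINDOW."""
    findings = {
        "reported_ip": Counter(),    # requests from an address on the reported list
        "scripted_ua": Counter(),    # requests carrying a Python-urllib user agent
        "sobjects_enum": Counter(),  # object-catalog enumeration hits
        "query_bursts": {},          # ip -> peak query count in any BURST_WINDOW span
    }
    query_times = defaultdict(list)
    for r in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(r["TIMESTAMP_DERIVED"], TS_FORMAT)
        ip, ua, uri = r["CLIENT_IP"], r["USER_AGENT"], r["URI"]
        if ip in REPORTED_IPS:
            findings["reported_ip"][ip] += 1
        if SCRIPTED_UA_RE.search(ua):
            findings["scripted_ua"][ip] += 1
        if SOBJECTS_RE.match(uri):
            findings["sobjects_enum"][ip] += 1
        if QUERY_RE.match(uri):
            query_times[ip].append(ts)
    for ip, times in query_times.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_THRESHOLD:
            findings["query_bursts"][ip] = peak
    return findings


if __name__ == "__main__":
    for name, hits in hunt(constructed_sample_csv()).items():
        print(f"{name}: {dict(hits)}")
```

The burst detector sorts timestamps per source IP and keeps a sliding window, so it reports the peak rate rather than an average that a six-hour slow pull would hide; lower BURST_THRESHOLD for orgs whose legitimate integrations issue few queries, and add the user-agent and IP matches to the same alert so that one scripted client hitting the catalog and then looping the query endpoint surfaces as a single finding.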
## How Can Organizations Stay Protected After the Klue Breach?
Organizations protect themselves by revoking and rotating OAuth tokens, terminating active sessions, auditing connected apps, and monitoring Salesforce API logs for anomalies — in that order of urgency. Speed matters because stolen tokens grant immediate access.
Step 1: Revoke and Rotate OAuth Tokens
Immediately revoke the Klue Battlecards connection and rotate every OAuth token tied to affected integrations. Revoke the refresh tokens, not just the access tokens: an access token expires with the session timeout on its own, but a refresh token lets whoever holds it mint a fresh access token for as long as it lives. In Salesforce you can block the app from Setup's Connected Apps OAuth Usage page, which revokes its tokens, or post each token to the /services/oauth2/revoke endpoint. Token rotation is the practice of regularly revoking and reissuing access tokens to limit the damage from credential theft. In addition, terminate all active sessions so that a token already exchanged for a session cannot be reused mid-flight.
Step 2: Audit Every Connected App and Apply Least Privilege
Review every third-party app authorized in your Salesforce org and remove any you no longer use. Least privilege means granting an integration only the minimum data access it needs to function. For example, a competitive-intelligence tool rarely needs read access to your entire customer database, so scope it down: run it as a dedicated integration user with its own permission set, restrict the connected app to pre-authorized users rather than letting any user self-authorize, and, where the vendor publishes its egress addresses, enforce IP restrictions on the app so a stolen token is useless from anywhere else.
Step 3: Monitor API Activity and Logs
Continuously monitor Salesforce event logs (EventLogFile exports for batch review, Real-Time Event Monitoring's ApiEvent for streaming alerts where licensed) for unusual API volumes, unfamiliar IPs, and scripted user-agents. Set alerts for bulk query bursts like the ones seen in this campaign, and baseline each integration's normal query rate so a deviation is measurable rather than a judgement call. For a structured approach to assessing exposed assets, use our walkthrough on how to scan your environment for vulnerabilities.
Step 4: Build an Incident Response Playbook
Treat connected SaaS apps as in-scope for your incident response plan, not an afterthought. By rehearsing token revocation and log review in advance, you can shrink your response time from days to minutes. Our cyber operational resilience playbook outlines how to structure that readiness.
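Steps 1 and 2 above amount to a triage rule over your connected-app grants followed by a revoke call per grant. The script below is an added example for this article, not Salesforce's or Klue's code. The grant rows are constructed and loosely modelled on fields of Salesforce's OauthToken object (AppName, UserId, LastUsedDate, UseCount); the allowlist, the 30-day dormancy threshold and the user IDs are hypothetical policy values. The revoke request targets Salesforce's documented /services/oauth2/revoke endpoint, which accepts the token as a form field; use your My Domain login URL in practice, and pass the refresh token, since revoking an access token alone leaves the refresh token able to mint a new one.

```python
"""Triage connected-app OAuth grants and revoke the ones you no longer trust.

Added example for this article, not Salesforce's or Klue's code. Grant rows are
constructed and loosely modelled on Salesforce's OauthToken object; the policy
constants are hypothetical. The revoke call uses the documented
/services/oauth2/revoke endpoint and takes an injectable opener so it can be
exercised offline.
"""
from datetime import datetime, timedelta
from urllib.parse import urlencode
from urllib.request import Request, urlopen

COMPROMISED_APPS = {"Klue Battlecards"}                # revoke regardless of recent activity
ALLOWED_APPS = {"Klue Battlecards", "Slack", "Gong"}   # hypothetical: apps the business still approves
MAX_IDLE_DAYS = 30                                     # hypothetical: dormant-grant threshold
DEMO_NOW = datetime(2026, 6, 12)                       # fixed "now" for the constructed data


def constructed_grants(now):
    """Constructed OauthToken-style rows; not data from any real org."""
    return [
        {"AppName": "Klue Battlecards", "UserId": "005xx000001AAAA",
         "LastUsedDate": now - timedelta(days=1), "UseCount": 4120},
        {"AppName": "Slack", "UserId": "005xx000001BBBB",
         "LastUsedDate": now - timedelta(days=2), "UseCount": 980},
        {"AppName": "Gong", "UserId": "005xx000001CCCC",
         "LastUsedDate": now - timedelta(days=95), "UseCount": 12},
        {"AppName": "PrototypeSync", "UserId": "005xx000001DDDD",
         "LastUsedDate": now - timedelta(days=400), "UseCount": 3},
    ]


def plan_revocations(grants, now):
    """Return (app, user_id, reason) for every grant that should be revoked."""
    actions = []
    for g in grants:
        idle_days = (now - g["LastUsedDate"]).days
        if g["AppName"] in COMPROMISED_APPS:
            reason = "compromised vendor integration"
        elif g["AppName"] not in ALLOWED_APPS:
            reason = "not on the approved app list"
        elif idle_days > MAX_IDLE_DAYS:
            reason = f"dormant for {idle_days} days"
        else:
            continue  # approved and recently used: keep, but keep monitoring it
        actions.append((g["AppName"], g["UserId"], reason))
    return actions


def build_revoke_request(refresh_token, login_url="https://login.salesforce.com"):
    """POST token=<refresh_token> to the OAuth revoke endpoint as a form body."""
    return Request(
        f"{login_url}/services/oauth2/revoke",
        data=urlencode({"token": refresh_token}).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def revoke(refresh_token, login_url="https://login.salesforce.com", opener=urlopen):
    """Send the revoke request; True on HTTP 200. `opener` is injectable for tests."""
    resp = opener(build_revoke_request(refresh_token, login_url))
    return resp.status == 200


if __name__ == "__main__":
    for app, user_id, reason in plan_revocations(constructed_grants(DEMO_NOW), DEMO_NOW):
        print(f"revoke {app} grant for {user_id}: {reason}")
```

The order of the rules matters: a compromised vendor is revoked even if the app is approved and busy, an unrecognized app is revoked even if it was used yesterday, and only then does dormancy apply. Feed the real plan from a SOQL query over OauthToken, and run it on a schedule rather than once, since the forgotten prototype credential in this incident is exactly the kind of grant a one-time cleanup misses.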
## What Security Lessons Does the Klue Breach Teach About OAuth and SaaS Supply Chains?
The core lesson of the Klue breach is that non-human identities — OAuth tokens and service accounts — need the same governance, rotation, and monitoring as human accounts. These machine credentials are now a primary target, not an afterthought.
First, dormant credentials are dangerous. The entire attack began with a forgotten prototype key that should have been deleted long ago. Second, trust is transitive: when you connect a vendor, you inherit their security posture. Third, monitoring must extend to API behavior, because a "trusted" integration making bulk queries is exactly how this data left the building. The common thread across recent Salesforce attacks is the abuse of OAuth tokens from a trusted third-party vendor.
## How Does the Klue Breach Compare to Other Salesforce Data Theft Attacks?
The Klue breach closely resembles the OAuth-abuse playbook seen in the Salesloft Drift and Gainsight compromises, where attackers exploited trusted integrations rather than Salesforce itself. Comparing them clarifies the pattern.
- ▸Salesloft Drift and Gainsight: earlier campaigns that abused third-party OAuth connections to reach Salesforce data, just like Klue.
- ▸ShinyHunters and UNC6395: established extortion crews whose tactics the Klue attack mirrors, though investigators attributed Klue to the newer Icarus group.
- ▸The Klue case: notable because the initial access came from a forgotten prototype credential, underscoring the risk of credential sprawl.
The shared theme is unmistakable: attackers increasingly target the trusted connective tissue between SaaS platforms. For a parallel example of attackers exploiting trusted software updates, review our open-source ecosystem supply-chain breach analysis.
## Which Tools Help You Detect and Investigate OAuth Integration Abuse?
The most effective investigation combines SaaS audit logs, IP reputation checks, external exposure scanners, and threat intelligence feeds. Using both vendor and independent sources prevents blind spots.
To begin, validate the reported attacker IPs and any unfamiliar source addresses with the ReconShield IP lookup tool to check ASN reputation and geolocation. Next, map what your own domains expose to the internet with our DNS lookup and subdomain finder, and flag risky configurations with the vulnerability scanner.
For fairness and breadth, also use free and vendor resources. Salesforce's built-in Event Monitoring and Connected App audit screens reveal token activity, while CISA advisories and your vendor's incident updates provide authoritative context. A practical, no-cost starter kit is collected in our roundup of free cybersecurity tools.
## What's Next for Defenders After the Klue Breach?
The next priority for defenders is to inventory and govern every OAuth connection, then monitor those non-human identities as closely as user accounts. A one-time cleanup will not stop the next supply-chain attack.
First, build a living inventory of every connected app and the data scope it holds. Second, schedule recurring token rotation and remove dormant integrations on a fixed cadence. Third, alert on behavioral anomalies such as bulk API pulls and unfamiliar user-agents. By treating integrations as privileged identities, you can turn the Klue breach into the catalyst for a stronger SaaS security program.
## Conclusion
The Klue breach is a clear warning that your CRM is only as secure as the third-party apps you connect to it. Attackers did not break Salesforce — they walked in through a trusted, forgotten integration and quietly pulled out sensitive sales data at scale.
The path forward is well understood: revoke and rotate OAuth tokens, audit every connected app, apply least privilege, and monitor API activity continuously. Treat your integrations as high-value identities that demand the same scrutiny as any admin account, and keep learning from the latest cybersecurity breach analysis so the next supply-chain attack finds your environment ready.
Written by Surendra Reddy, Cybersecurity Researcher & Founder, ReconShield — an information security engineer specializing in OSINT, exposure intelligence, AI-driven threat analysis, and attack surface management.
Reviewed by a Senior Security Researcher on the ReconShield Editorial Board, with expertise in SaaS security, identity threats, and third-party risk analysis.
## Analyst Commentary & Implementation Blueprint
Security advisory
Continuous security exposure assessment is critical to identifying public vulnerabilities before they are exploited. Organizations should maintain a passive inventory of all web servers, TLS configs, and open ports, ensuring that default configurations are eliminated and security advisories are actively implemented.
Hardened Security Configuration Blueprint
```apache
# General Security Hardening Directive
ServerTokens ProductOnly
ServerSignature Off
FileETag None
```
Actionable Mitigation Checklist
- ✔Perform passive asset inventories weekly.
- ✔Restrict administrative ports using local firewall controls.
- ✔Monitor active CVE alerts for exposed software.
Common Inquiries & FAQs
Why is passive scanning preferred for continuous auditing?
Passive audits do not cause operational impact or trigger firewall blocks, making them ideal for constant surveillance of internet-facing assets.
What should I do if a vulnerability is flagged?
Apply the latest vendor patches, restrict access to the resource via firewalls, or verify configuration flags to mitigate risks.
## Audit Briefing Discussion (2 Comments)
Great breakdown of the passive infrastructure vectors. We recently audited our external DNS zones and found multiple dangling staging environments. Implementing wildcard certificates reduced our CT log leaks significantly.
Is there any automated tooling you recommend for daily crt.sh scraping? Manually checking CT logs is becoming unsustainable for our domain portfolio.