Published on June 22, 2026

Klue integration breach leads to Salesforce CRM data theft via OAuth token abuse

Severity
Medium

Detail

A security incident originating from the market intelligence platform Klue led to unauthorized access and theft of customer CRM data from multiple organizations, including cybersecurity vendor Huntress. The breach began when attackers accessed Klue’s backend using a long-dormant API credential tied to an abandoned integration. They deployed malicious code to steal OAuth tokens used by customers to connect Klue with third-party services such as Salesforce, HubSpot, Slack, and others.

Stolen OAuth tokens were then used to directly query Salesforce environments and exfiltrate CRM data such as business contacts, pricing information, and deal records. The attackers reportedly used automated scripts and REST API queries to extract data in both slow, stealthy patterns and rapid bulk bursts. The threat group “Icarus” later issued extortion emails claiming data theft and demanding contact within 48 hours. Salesforce subsequently disabled the Klue Battlecards app integration pending investigation.

How?

The attackers gained initial access through a compromised, unused API credential in Klue’s environment. They leveraged this access to deploy malicious code that intercepted OAuth tokens belonging to connected customer integrations. Using these valid tokens, they authenticated into downstream SaaS platforms, primarily Salesforce, and operated as trusted third-party integrations rather than direct intruders. This allowed them to query Salesforce REST APIs using automated Python-based scripts, blending in with normal integration traffic. They systematically enumerated and extracted CRM objects through sustained API calls and pagination, followed in some environments by bursts of high-volume queries to accelerate data exfiltration. Because the access rested on legitimate OAuth grants, the activity was difficult to detect with traditional user-based security controls.

Recommendation

Organizations should immediately revoke and rotate all OAuth tokens, API keys, service account credentials, and connected app authorizations tied to third-party integrations, ensuring that refresh tokens are also invalidated to fully terminate persistent access. Salesforce and other SaaS API logs should be reviewed for unusual query patterns, excessive pagination activity, unfamiliar user agents such as Python-urllib, and access originating from unexpected IP ranges or data centers.

Security teams should restrict or disable unused integrations and enforce strict least-privilege permissions for all connected applications to minimize exposed data scope. IP allowlisting should be implemented wherever possible to limit API access to approved infrastructure only. Continuous monitoring for abnormal OAuth token refresh activity and long-lived session usage is also critical, as these are key indicators of integration abuse. Finally, organizations should treat third-party SaaS integrations as high-risk non-human identities and apply the same level of monitoring, validation, and anomaly detection as privileged human accounts.
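The log review described in the two recommendation paragraphs above (scripted user agents such as Python-urllib, excessive pagination, request bursts, and access from non-allowlisted IP ranges) can be turned into a small hunting script. The following is an added example, not code from the advisory, Klue, Salesforce or Huntress. It parses a simplified, constructed CSV log (timestamp, connected_app, client_ip, user_agent, uri) that is not Salesforce's real EventLogFile schema; the approved IP range, the per-minute burst threshold, the pagination threshold and the use of `/query/` cursor URLs as the pagination signal are all assumptions a team would replace with its own tenant data.

```python
"""Hunt for OAuth-integration abuse in SaaS API logs (added example).

The log format is a constructed, simplified CSV, not Salesforce's EventLogFile
schema. Thresholds, the allowlist and the pagination heuristic are assumptions.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # assumed allowlist
SUSPICIOUS_UA_MARKERS = ("python-urllib", "python-requests")  # scripted clients
BURST_THRESHOLD = 50       # assumed: requests per one-minute bucket before flagging
PAGINATION_THRESHOLD = 20  # assumed: query-cursor fetches per app before flagging


def build_sample_log() -> str:
    """Constructed sample: one well-behaved app and one abusing its token."""
    rows = ["timestamp,connected_app,client_ip,user_agent,uri"]
    t0 = datetime(2026, 6, 18, 9, 0, 0)
    # Benign integration: a handful of calls, approved IP, vendor user agent.
    for i in range(5):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        rows.append(f"{ts},crm_sync_app,203.0.113.10,VendorSync/2.1,"
                    f"/services/data/v60.0/sobjects/Account")
    # Abusive integration: slow, steady pagination first ...
    for i in range(25):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        rows.append(f"{ts},intel_app,198.51.100.7,Python-urllib/3.11,"
                    f"/services/data/v60.0/query/01gXX-{i}")
    # ... then a bulk burst of object reads within a single minute.
    t1 = t0 + timedelta(hours=2)
    for i in range(60):
        ts = (t1 + timedelta(seconds=i)).isoformat()
        rows.append(f"{ts},intel_app,198.51.100.7,Python-urllib/3.11,"
                    f"/services/data/v60.0/sobjects/Opportunity/{i}")
    return "\n".join(rows)


def parse_log(text: str) -> list[dict]:
    """Parse the CSV into event dicts with a real datetime in 'timestamp'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def is_approved_ip(ip: str) -> bool:
    """True when the client IP falls inside an allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_RANGES)


def analyze(events: list[dict]) -> dict[str, list[str]]:
    """Return per-connected-app findings (empty list = nothing flagged)."""
    findings: dict[str, set[str]] = defaultdict(set)
    per_minute: dict[tuple[str, datetime], int] = defaultdict(int)
    cursor_fetches: dict[str, int] = defaultdict(int)
    for ev in events:
        app = ev["connected_app"]
        findings.setdefault(app, set())  # make sure clean apps appear too
        ua = ev["user_agent"].lower()
        if any(marker in ua for marker in SUSPICIOUS_UA_MARKERS):
            findings[app].add(f"scripted user agent: {ev['user_agent']}")
        if not is_approved_ip(ev["client_ip"]):
            findings[app].add(f"request from non-allowlisted IP {ev['client_ip']}")
        minute = ev["timestamp"].replace(second=0, microsecond=0)
        per_minute[(app, minute)] += 1
        if "/query/" in ev["uri"]:  # assumed cursor-fetch (pagination) signal
            cursor_fetches[app] += 1
    for (app, minute), n in per_minute.items():
        if n > BURST_THRESHOLD:
            findings[app].add(f"burst: {n} requests in minute starting {minute.isoformat()}")
    for app, n in cursor_fetches.items():
        if n > PAGINATION_THRESHOLD:
            findings[app].add(f"sustained pagination: {n} query-cursor fetches")
    return {app: sorted(items) for app, items in findings.items()}


if __name__ == "__main__":
    for app, items in analyze(parse_log(build_sample_log())).items():
        print(app, "->", items or ["no findings"])
```

Each connected app is treated as its own non-human identity, so a single token showing several independent signals (scripted client, unexpected source network, long pagination run, then a burst) stands out even when every individual request is a valid, authorized API call.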

Source

https://cybersecuritynews.com/klue-integration-breached-salesforce/
https://www.helpnetsecurity.com/2026/06/19/klue-salesforce-data-breach-huntress