Salesforce recently announced the suspension of its integration with the Klue Battlecards app due to a security breach that affected the competitive intelligence firm on June 11, 2026. This move will prevent organizations from using the app to connect with Salesforce until further notice, as stated in a company alert.
Security Breach Details
The decision stems from Salesforce’s detection of unusual activity involving Klue’s app, which potentially led to unauthorized access to certain customer data through the app’s connection to Salesforce. Importantly, the issue is isolated to Klue’s app and does not originate from any vulnerability within Salesforce’s own system.
The breach involved a group known as Icarus, which accessed and extracted data from Klue customers, including Huntress, a cybersecurity firm. Huntress reported that the compromised data involved business contacts and sales-related information, but no sensitive data such as passwords or payment information was affected.
Klue’s Response and Investigation
Klue acknowledged unauthorized activities impacting part of its integration infrastructure on June 12, 2026. The attackers exploited a legacy credential tied to its integration service to gain entry. This access allowed them to acquire OAuth tokens used to link Klue with several third-party platforms, including Salesforce.
In response, Klue revoked compromised credentials and tokens, eliminated unauthorized code, halted remote access, and disabled potentially affected integrations. A comprehensive investigation has been launched to assess the full scope of the incident.
Analysis and Industry Impact
Some Huntress employees received threatening emails indicating that their Salesforce data had been downloaded, with demands for communication within 48 hours. The attackers used an outdated credential, initially created by Klue for a third-party integration prototype, to infiltrate Klue's infrastructure and steal customer tokens.
Security firm ReliaQuest observed similar tactics in the abuse of OAuth tokens, akin to previous incidents involving Salesloft Drift and Gainsight. The attackers authenticated via a compromised Klue service account, generated OAuth tokens, and executed automated scripts to extract large volumes of CRM data via Salesforce’s REST API.
Klue is in direct communication with affected customers, sharing investigative insights and assisting with response efforts. The incident highlights the vulnerabilities associated with OAuth tokens granted to third-party vendors, which often have extensive access to sensitive data yet are less frequently monitored than employee accounts.
The Icarus group’s activities reflect patterns seen in previous data theft campaigns, drawing parallels with incidents orchestrated by ShinyHunters and UNC6395. As the situation unfolds, organizations are urged to review their third-party integrations and enhance monitoring of non-human identities to mitigate similar risks in the future.
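The monitoring the article calls for can be made concrete. The following script is an added example, not code from the article, Salesforce, Klue or ReliaQuest: it reads constructed REST API event rows (column names loosely modeled on Salesforce EventLogFile "RestApi" records, an assumption of this example) and flags an integration user that pulls far more records in an hour than its own baseline, or that suddenly calls in from a client IP and user agent never seen for that user. The user IDs, IPs, user agents and row counts in the sample are all constructed.

```python
"""Flag bulk CRM extraction by an integration (non-human) identity.

Added example: reads constructed Salesforce-style REST API event rows and
raises an alert when an integration user pulls far more records in a
60-minute window than its own baseline, or calls in from a client IP /
user agent never seen for that user before.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modeled on Salesforce EventLogFile "RestApi"
# rows; the column names are an assumption of this example, not a real export.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,USER_AGENT,URI,ENTITY_NAME,ROWS_PROCESSED
2026-06-10T09:00:00Z,005INTEG001,203.0.113.10,vendor-sync/2.1,/services/data/v60.0/query,Account,200
2026-06-10T09:30:00Z,005INTEG001,203.0.113.10,vendor-sync/2.1,/services/data/v60.0/query,Contact,250
2026-06-10T10:00:00Z,005INTEG001,203.0.113.10,vendor-sync/2.1,/services/data/v60.0/query,Opportunity,150
2026-06-10T11:00:00Z,005HUMAN001,192.0.2.5,Mozilla/5.0,/services/data/v60.0/query,Contact,50
2026-06-11T02:00:00Z,005INTEG001,198.51.100.77,python-requests/2.31,/services/data/v60.0/query,Contact,2000
2026-06-11T02:05:00Z,005INTEG001,198.51.100.77,python-requests/2.31,/services/data/v60.0/query,Lead,2000
2026-06-11T02:10:00Z,005INTEG001,198.51.100.77,python-requests/2.31,/services/data/v60.0/query,Opportunity,1500
2026-06-11T09:00:00Z,005INTEG001,203.0.113.10,vendor-sync/2.1,/services/data/v60.0/query,Account,200
2026-06-11T10:00:00Z,005HUMAN001,192.0.2.5,Mozilla/5.0,/services/data/v60.0/query,Contact,50
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_rows(text):
    """Parse CSV text into dicts with a datetime and an int row count, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], TS_FMT)
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def build_baseline(rows, baseline_end):
    """Per user: known (ip, agent) pairs and mean rows per active hour before baseline_end."""
    known = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["ts"] >= baseline_end:
            continue
        u = r["USER_ID"]
        known[u].add((r["CLIENT_IP"], r["USER_AGENT"]))
        hourly[u][r["ts"].replace(minute=0, second=0)] += r["ROWS_PROCESSED"]
    mean_per_hour = {u: sum(h.values()) / len(h) for u, h in hourly.items()}
    return known, mean_per_hour


def detect(rows, baseline_end, window=timedelta(minutes=60), multiplier=5.0, floor=1000):
    """Return alerts for activity at or after baseline_end.

    new_source:      a user appears from an (ip, agent) pair absent from its baseline.
    bulk_extraction: rows pulled in some `window` exceed both `floor` and
                     `multiplier` times the user's baseline hourly mean.
    """
    known, mean_per_hour = build_baseline(rows, baseline_end)
    by_user = defaultdict(list)
    for r in rows:
        if r["ts"] >= baseline_end:
            by_user[r["USER_ID"]].append(r)

    alerts = []
    for u, rs in by_user.items():
        for r in rs:
            src = (r["CLIENT_IP"], r["USER_AGENT"])
            if src not in known.get(u, set()):
                alerts.append(("new_source", u, r["CLIENT_IP"], r["USER_AGENT"]))
                break  # one alert per user is enough for triage
        # Sliding window over the user's requests (rs is time-ordered).
        start, total, peak, peak_from = 0, 0, 0, None
        for r in rs:
            total += r["ROWS_PROCESSED"]
            while r["ts"] - rs[start]["ts"] > window:
                total -= rs[start]["ROWS_PROCESSED"]
                start += 1
            if total > peak:
                peak, peak_from = total, rs[start]["ts"]
        limit = max(floor, multiplier * mean_per_hour.get(u, 0.0))
        if peak > limit:
            alerts.append(("bulk_extraction", u, peak, peak_from.strftime(TS_FMT)))
    return alerts


def run_sample():
    """Run detection over SAMPLE_LOG, treating June 11 onward as the detection window."""
    return detect(parse_rows(SAMPLE_LOG), datetime(2026, 6, 11))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample the integration user is flagged twice: once for the unfamiliar IP and user agent, and once for pulling 5,500 records in the hour starting 02:00, against a baseline of a few hundred per hour; the human user with steady activity from its usual source produces nothing. The baseline is per identity on purpose: an integration user legitimately reads more than an employee, so a single org-wide threshold would either miss the spike or drown the queue in noise.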
