338/69 Tuesday, June 23, 2026

A supply chain attack has been reported targeting organizations using Salesforce, in which attackers compromised the integration of a third-party application called Klue Battlecards to access and steal customer data. Salesforce disabled the application’s integration infrastructure on June 17, 2026, to stop unauthorized access. The company clarified that the incident was limited to the Klue application integration and was not caused by a vulnerability in the Salesforce platform itself.
According to Huntress, the incident began on June 11, 2026, after attackers accessed Klue’s backend system using an old testing credential that was no longer in use but remained active. The attackers then inserted malicious code to collect OAuth tokens, which applications use to exchange data with each other without requiring users to log in again. Because a valid token is accepted in place of an interactive login, this allowed the attackers to bypass standard authentication measures, such as multi-factor authentication (MFA). ReliaQuest later found that the attackers used an automated Python script through the Salesforce REST API to extract large amounts of data within approximately 24 hours. Nearly 1,000 data requests were observed within just 15 minutes, and continuous data theft lasted for more than six hours in some networks.
Klue detected suspicious activity on June 12 and disabled the compromised tokens. It also suspended integrations with other major applications, including HubSpot, Microsoft SharePoint, Zoom, Google Drive, and Slack, to limit the impact. However, several technology and cybersecurity companies confirmed that their Salesforce data had been copied during the incident, including Huntress, Jamf, Recorded Future, Tanium, Gong, Insurity, and Sprout Social. Most of the affected data consisted of commercial information, such as business contact lists, quotes, emails, and sales-related messages. Corporate passwords, payment information, and core software telemetry data were not affected. Huntress stated that Icarus, a new extortion group active since April 2026, may be behind the campaign. Organizations involved in the incident are advised to immediately revoke and reissue OAuth grants, as well as any passwords linked to the Klue platform.
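The request rate ReliaQuest observed (nearly 1,000 requests in 15 minutes from one integration) is the kind of signal a sliding-window check over API request logs can surface. The sketch below is an added example, not code from the article or from any vendor named in it; the (timestamp, principal) record shape, the principal names and the alert threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # window size reported in the article
THRESHOLD = 1000                # assumed alert level, close to the reported rate


def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {principal: (first_alert_time, peak_count)} for every principal
    (connected app or token) whose request count inside any sliding window
    reaches the threshold. `events` is an iterable of (timestamp, principal)."""
    recent = defaultdict(deque)  # per-principal timestamps still inside the window
    alerts = {}
    for ts, principal in sorted(events):
        q = recent[principal]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            first, peak = alerts.get(principal, (ts, 0))
            alerts[principal] = (first, max(peak, len(q)))
    return alerts


def sample_events():
    """Constructed sample: one integration polling once a minute for six
    hours, and one issuing 1,200 requests in ten minutes."""
    start = datetime(2026, 6, 11, 9, 0, 0)
    normal = [(start + timedelta(minutes=i), "app-normal") for i in range(360)]
    burst = [(start + timedelta(seconds=0.5 * i), "app-burst") for i in range(1200)]
    return normal + burst


if __name__ == "__main__":
    for principal, (first, peak) in find_bursts(sample_events()).items():
        print(f"{principal}: threshold reached at {first}, peak {peak} requests per window")
```

Grouping by connected app or token rather than by user keeps the check meaningful when a stolen OAuth token is used, since no interactive login appears in the logs.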
Source: https://hackread.com/salesforce-disables-klue-integration-oauth-token-data/
