Salesforce Disables Klue Integration Following Security Incident
Salesforce has temporarily halted the integration of the Klue Battlecards app within its platform due to a security incident affecting Klue on June 11, 2026. This decision restricts organizations from connecting to Salesforce via the app until further notice, as detailed in an alert issued by the American cloud software giant.
The issue originated from unusual activity detected by Salesforce’s security teams, raising concerns about potential unauthorized access to certain customer data linked to the Klue app. Salesforce clarified that the vulnerability stems from the app’s connection rather than any flaws in its own platform.
The breach is part of a broader incident involving an extortion group known as Icarus, which reportedly compromised Klue’s systems and exfiltrated sensitive data from its clients, including cybersecurity firm Huntress. According to Huntress, the stolen data encompasses business contacts, price quotes, and various sales-related communications. Importantly, the compromised information did not include sensitive data such as threat intelligence, passwords, or payment details.
Following the breach, Klue reported that unauthorized access occurred through a compromised legacy credential tied to an integration service. The attackers exploited this access to obtain OAuth tokens, allowing them to connect Klue with third-party platforms like Salesforce and access data within numerous customer environments.
The intrusion reportedly enabled the threat actor to introduce a code update designed to gather OAuth tokens from Klue’s customers. In response to the situation, Klue implemented several measures, including revoking affected credentials, removing unauthorized code, and launching a thorough investigation into the incident.
As of June 16, 2026, some employees from Huntress received emails threatening exposure of their Salesforce data, demanding immediate communication with the attackers. The email suggested that the security breach was executed using an outdated but still operational credential initially created by Klue for a discontinued third-party integration, allowing attackers to pivot into Klue’s infrastructure and steal customer tokens.
The Icarus group—known to have been active since April 28, 2026—has claimed two previous victims unrelated to Salesforce. Their tactics bear similarities to earlier attacks carried out by groups such as ShinyHunters and related campaigns against Salesforce environments.
According to security analysis by ReliaQuest, the operational approaches observed in this breach reflect a pattern of OAuth-abuse tactics, common in third-party integrations. These include authenticating via compromised service accounts, generating OAuth tokens, and executing automated scripts to extract large volumes of sensitive data from Salesforce’s APIs over extended periods.
Klue has since communicated directly with affected clients, sharing investigative insights and assisting in their response efforts. The extent of the attack’s impact on Salesforce customers remains unclear, although it is acknowledged that multiple firms, including Jamf and Recorded Future, have confirmed their data was affected, albeit limited to specific business information.
From a cybersecurity perspective, the incident illustrates potential lapses in monitoring OAuth tokens and credentials from trusted vendors, highlighting ongoing vulnerabilities in supply chain security within SaaS applications. Such breaches underscore the shift in threat actor focus from individual organizations to the integration vendors that facilitate access to numerous enterprise environments.
The MITRE ATT&CK framework can help elucidate the tactics likely employed in this attack, encompassing initial access through credential misuse, persistence via OAuth token exploitation, and execution of automated queries that enable large-scale data extraction without detection. As impacted organizations strategize their response to this breach, vigilance against phishing campaigns utilizing compromised Salesforce-specific data will be paramount in mitigating further risks.