Salesforce disabled the Klue Battlecards app integration after the 'Icarus' extortion group claimed to have abused stolen OAuth tokens to exfiltrate customer data from connected Salesforce instances, beginning June 11, 2026. The incident highlights a persistent weakness: dormant but still-valid third-party integration credentials serving as the initial access vector for a supply chain compromise. Cybersecurity firms Huntress and Recorded Future have confirmed they are among the victims, with Huntress describing it as a "security domino effect." The attackers appear to have targeted business data such as contacts and sales quotes rather than security or payment information, echoing previous OAuth-based data thefts from Salesforce tenants.

What Happened

The attack on Klue's backend infrastructure began on June 11, 2026, and Huntress attributes it to the 'Icarus' extortion group. According to BleepingComputer, initial access came through a long-disused but still valid credential that Klue had created for an abandoned third-party integration prototype. Once inside Klue's backend, the attackers pushed a malicious code update designed to collect the OAuth tokens that Klue held for its customers, Recorded Future states. Those tokens, which authorized Klue to connect to customer systems such as Salesforce, HubSpot, and Slack, became the pivot point.

The attackers then used the stolen OAuth tokens to authenticate to the Salesforce REST API as a trusted third-party application, so no Salesforce tenant credential ever had to be compromised, The Hacker News reported. ReliaQuest researchers observed the threat actors using automated Python scripts to query the REST API for roughly 24 hours, including a concentrated burst of nearly a thousand queries in 15 minutes and sustained data exfiltration for more than six hours, SecurityWeek noted. Klue became aware of the malicious activity on June 12, revoked all customer OAuth credentials, and temporarily disabled its integrations with multiple platforms. Salesforce disabled the Klue Battlecards integration on June 17, 2026, BleepingComputer confirmed.

Why It Matters

This incident is a textbook supply chain compromise: a common trust relationship, OAuth, let the attackers pivot from a third-party vendor into its customers' environments. Huntress aptly called it a "security domino effect." The crucial factor isn't a vulnerability in Salesforce itself. Two kinds of credential failed here: a forgotten prototype credential inside Klue's backend, essentially a key left under the doormat for a service that no longer comes by, and the live OAuth grants Klue's customers had legitimately issued to the Klue app, which Salesforce honoured exactly as designed once the attackers held them.

The 'Icarus' group, active since April 2026, claims to have used this access for an extortion campaign against affected organizations, BleepingComputer reports. Huntress reported that no threat data, passwords, payment card information, or engineering data was compromised, and Recorded Future said the impact was limited to business data fields. Even so, the exfiltrated "business contacts, price quotes, and other sales-related data and messaging" (Huntress) or "client contact names and email addresses" (Recorded Future) is sensitive organizational intelligence: it feeds follow-on phishing, social engineering, and competitive intelligence operations, and price quotes and sales messaging tell an attacker which deals are in flight and who is negotiating them. Even seemingly "non-critical" business data is a high-value target for a capable threat actor.

Affected Scope & Remediation

This incident does not involve a software vulnerability in Salesforce or Klue in the traditional sense, so no CVE has been assigned; the attack vector is OAuth grant abuse, and there is no patch to install. Remediation is procedural and architectural. The affected scope is any Salesforce customer that had the Klue Battlecards integration connected, particularly those whose tokens were exercised against their tenant before Klue revoked them on June 12. The exact number of affected organizations is unclear, but the fact that Huntress and Recorded Future are among them suggests a potentially broad reach, The Hacker News reported.

Audit every third-party integration, particularly those connected to critical SaaS platforms like Salesforce. Review the lifecycle of every OAuth grant and API key: if an integration is disused or abandoned, revoke the grant and delete the credential rather than leaving it dormant, and apply the same rule inside your own backend, which is where Klue's forgotten prototype credential lived. Check which OAuth scopes each connected app holds and whether the authorizing user's profile grants more object access than the integration needs, because a stolen token carries exactly that user's permissions and nothing less. Then monitor the API plane for unusual query patterns, high-volume data pulls, or access from unexpected IP addresses. Note that endpoint detection and response (EDR) products such as CrowdStrike Falcon or SentinelOne watch endpoints, not the traffic between an attacker's script and a SaaS provider's API, so they would not have seen this activity; the relevant telemetry is Salesforce's own Event Monitoring event logs for REST API calls and the Connected Apps OAuth Usage view in Setup, which is where a burst like the nearly thousand queries in 15 minutes observed by ReliaQuest and SecurityWeek shows up.
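As an added example (not code from Klue, Salesforce, or any of the sources cited here), the following Python script runs the stale-grant audit the paragraph above calls for against the JSON that a SOQL query of Salesforce's OauthToken object returns. The field names (AppName, UserId, LastUsedDate, UseCount) are Salesforce's; the query result, the approved-app list, and the audit date are constructed for the example, and the 90-day idle threshold is an assumed policy value.

```python
"""Stale OAuth grant audit over a Salesforce OauthToken query result.

Added example, not Klue's, Salesforce's or any cited vendor's code. It assumes
the field names of Salesforce's OauthToken object as returned by a query such as
    SELECT AppName, UserId, LastUsedDate, UseCount FROM OauthToken
The records, the approved-app list and the audit date are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed query result in the shape the REST /query endpoint returns.
SAMPLE_RESULT = json.dumps({
    "totalSize": 5, "done": True,
    "records": [
        {"AppName": "Klue Battlecards", "UserId": "005A1",
         "LastUsedDate": "2026-06-11T09:02:11.000+0000", "UseCount": 1387},
        {"AppName": "Klue Battlecards", "UserId": "005B2",
         "LastUsedDate": "2025-11-03T14:20:00.000+0000", "UseCount": 12},
        {"AppName": "Legacy BI Connector", "UserId": "005C3",
         "LastUsedDate": None, "UseCount": 0},
        {"AppName": "Slack", "UserId": "005A1",
         "LastUsedDate": "2026-06-10T17:45:30.000+0000", "UseCount": 9021},
        {"AppName": "Prototype Sync Tool", "UserId": "005D4",
         "LastUsedDate": "2025-09-18T08:00:00.000+0000", "UseCount": 3},
    ],
})

# Connected apps the organisation has consciously approved (hypothetical list).
APPROVED_APPS = {"Klue Battlecards", "Slack"}

# Audit date used for the example: the day after Salesforce disabled the app.
AUDIT_TIME = datetime(2026, 6, 18, tzinfo=timezone.utc)


def parse_last_used(value):
    """Salesforce timestamps look like 2026-06-11T09:02:11.000+0000; None means never used."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def classify_grants(result_json, now, max_idle_days=90, approved=APPROVED_APPS):
    """Return one verdict per grant: 'active', 'stale', 'never_used' or 'unapproved'.

    'unapproved' wins over the others: an app nobody signed off on is revoked
    regardless of how recently it was used.
    """
    records = json.loads(result_json)["records"]
    cutoff = now - timedelta(days=max_idle_days)
    verdicts = []
    for r in records:
        last = parse_last_used(r["LastUsedDate"])
        if r["AppName"] not in approved:
            state = "unapproved"
        elif last is None or r["UseCount"] == 0:
            state = "never_used"
        elif last < cutoff:
            state = "stale"
        else:
            state = "active"
        verdicts.append({"app": r["AppName"], "user": r["UserId"], "state": state,
                         "idle_days": None if last is None else (now - last).days})
    return verdicts


def revocation_plan(verdicts):
    """Everything not actively used by an approved app goes on the revoke list,
    grouped by app so each integration's owner is asked once."""
    plan = {}
    for v in verdicts:
        if v["state"] != "active":
            plan.setdefault(v["app"], []).append(v["user"])
    return plan


if __name__ == "__main__":
    verdicts = classify_grants(SAMPLE_RESULT, AUDIT_TIME)
    for v in verdicts:
        print(f'{v["state"]:<11} {v["app"]:<22} user={v["user"]} idle_days={v["idle_days"]}')
    print(revocation_plan(verdicts))
```

Drop "Klue Battlecards" from APPROVED_APPS on the day such an advisory lands and every Klue grant flips to unapproved, which is the revocation list handed to the Salesforce admin. In production the records would come from the REST /query endpoint rather than the embedded JSON, and the revoke step itself is done in Salesforce Setup under Connected Apps OAuth Usage.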

Key metrics chart for Salesforce Disables Klue App After OAuth Token Abuse (data from the sources cited above; the same figures are tabulated under Data at a Glance below). Source: huntress.com

Technical Breakdown

The 'Icarus' group's attack on Klue's integration with Salesforce followed a clear, multi-stage pattern. First, they gained initial access to Klue's backend infrastructure using a long-forgotten but still valid credential tied to an abandoned prototype integration, BleepingComputer reported. That is a credential lifecycle failure of the kind NIST SP 800-53 control IA-5 (Authenticator Management) is meant to prevent: authenticators are to be managed from issuance through revocation, and one that outlives the project it was issued for should have been revoked when the prototype was shelved. The attackers then pushed a malicious code update to Klue's systems whose purpose was to harvest the active OAuth tokens that Klue's customers had used to connect their Salesforce instances and other platforms to the Klue Battlecards app, Recorded Future stated.

Think of an OAuth token as a valet key for your car. You give the valet (the Klue app) a limited key (the OAuth token) that lets them park your car (access your Salesforce instance) without handing over your main ignition key (your Salesforce login and MFA). Here the attackers did not steal one driver's key; they got into the valet company's key cabinet through a door code nobody had changed after a side project ended, took every customer's key, and drove off with whatever each key could reach. The limited key still opens only what you allowed the valet to reach, which is why what a grant can access matters as much as whether it exists.

With the stolen OAuth tokens, the group authenticated directly to the Salesforce REST API. They used the /services/data/v59.0/sobjects endpoint for reconnaissance, which returns the list of objects the token's user can see and let them map each victim's Salesforce environment, SecurityWeek noted. Data exfiltration then went through the /services/data/v59.0/query endpoint, which executes SOQL, to pull business contacts, sales data, and other targeted records, SecurityWeek reported. Two properties of OAuth shaped the blast radius. A token is only as powerful as the user who authorized it and the scopes the connected app was granted, so a Klue grant approved by an administrator with broad object access exposed far more than one approved by a single sales user. And an app holding a refresh token can mint fresh access tokens until the grant is revoked, so revoking the grants wholesale, as Klue did, rather than waiting for individual access tokens to expire, is the step that reliably cuts an attacker off. This attack maps to several MITRE ATT&CK techniques:

  • T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain): the compromise of Klue's backend and the malicious code update pushed through it.
  • T1550.001 (Use Alternate Authentication Material: Application Access Token): stolen OAuth tokens used to authenticate to Salesforce without ever touching a password or MFA factor.
  • T1078.004 (Valid Accounts: Cloud Accounts): the legitimate access each token carried, scoped to the authorizing user's permissions.
  • T1530 (Data from Cloud Storage): the cited mapping for pulling data out of Salesforce through its API; since Salesforce is a SaaS application rather than object storage, T1213 (Data from Information Repositories) describes the collection step more precisely.
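The reconnaissance-then-exfiltration shape described above, and the API monitoring recommended under Affected Scope & Remediation, can be turned into concrete detection logic. The following Python is an added example, not code from any of the sources or from Salesforce. It parses a simplified CSV with the columns TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, METHOD and URI, a subset of what Salesforce Event Monitoring exports for REST API calls (the column set and the log lines are constructed here), flags any user-and-IP pair that issues 500 or more /query calls inside a sliding 15-minute window, and separately flags a /sobjects listing followed within 30 minutes by /query calls from the same pair. The thresholds are assumed tuning values.

```python
"""Detecting the Klue-style API pattern in Salesforce REST API event logs.

Added example, not code from the page's sources or from Salesforce. The CSV
columns are a simplified subset of a Salesforce Event Monitoring export for
REST API calls, and the log lines are constructed so the script runs offline.
"""
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two endpoints named in the reporting: /sobjects lists objects (enumeration),
# /query runs SOQL (data pull). Any API version is matched.
ENDPOINT_RE = re.compile(r"^/services/data/v\d+\.\d+/(sobjects|query)(/|\?|$)")


def classify_uri(uri):
    m = ENDPOINT_RE.match(uri)
    if not m:
        return "other"
    return "enumerate" if m.group(1) == "sobjects" else "query"


def parse_events(csv_text):
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": r["USER_ID"], "ip": r["CLIENT_IP"], "kind": classify_uri(r["URI"]),
        })
    rows.sort(key=lambda e: e["ts"])
    return rows


def find_bursts(events, window=timedelta(minutes=15), threshold=500):
    """Sliding-window count of /query calls per (user, ip).
    Returns one alert per principal: the moment the window count first reaches threshold."""
    windows = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["kind"] != "query":
            continue
        key = (e["user"], e["ip"])
        q = windows[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"at": e["ts"], "count": len(q)}
    return alerts


def find_enumerate_then_query(events, gap=timedelta(minutes=30)):
    """Object enumeration followed within `gap` by SOQL pulls from the same (user, ip):
    the reconnaissance-then-exfiltration sequence described in the reporting."""
    last_enum = {}
    hits = set()
    for e in events:
        key = (e["user"], e["ip"])
        if e["kind"] == "enumerate":
            last_enum[key] = e["ts"]
        elif e["kind"] == "query" and key in last_enum and e["ts"] - last_enum[key] <= gap:
            hits.add(key)
    return hits


def build_sample_log():
    """Constructed log: a legitimate integration user at a low rate, plus an attacker
    reusing that user's token from a new IP: one /sobjects listing, then 1,000 queries
    inside 15 minutes."""
    base = datetime(2026, 6, 11, 9, 0, 0)
    lines = ["TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,METHOD,URI"]

    def row(ts, user, ip, uri):
        lines.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%S.000Z')},{user},{ip},GET,{uri}")

    for i in range(40):  # legitimate sync: one query every 6 minutes over 4 hours
        row(base + timedelta(minutes=6 * i), "005INTEG", "203.0.113.10",
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
    row(base + timedelta(minutes=3), "005INTEG", "198.51.100.7", "/services/data/v59.0/sobjects")
    for i in range(1000):  # 1,000 queries about 0.9 s apart, all inside one 15-minute window
        row(base + timedelta(minutes=5, seconds=0.9 * i), "005INTEG", "198.51.100.7",
            "/services/data/v59.0/query?q=SELECT+Name,Email+FROM+Contact")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("bursts:", find_bursts(evs))
    print("enumerate-then-query:", find_enumerate_then_query(evs))
```

The constructed log reuses one integration user from two IP addresses, which is what a stolen token looks like from the tenant's side: the user is legitimate, the client is not. Pair the burst rule with a per-connected-app baseline rather than a global one, since a bulk-sync integration may legitimately issue thousands of queries an hour, and alert on the enumerate-then-query sequence even at low volume, because a long-running integration has no reason to re-list the tenant's objects.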

Historical Context

This Klue incident isn't an isolated case; it's a recurring pattern in the Salesforce ecosystem. In August 2025, the UNC6395 group conducted a similar campaign, stealing the OAuth refresh tokens that the Salesloft Drift integration held for its users, ReliaQuest reported. Like the Klue attackers, UNC6395 used a third-party application's compromised access to reach Salesforce data. The common thread is the exploitation of trust relationships via OAuth, where a credential for one service becomes a pivot into another, more critical system.

The incidents differ in their first step. The Klue intrusion began with a disused credential inside the vendor's own backend; the reporting cited here does not describe UNC6395's initial foothold in Salesloft in those terms. A further related event in June 2025 saw the ShinyHunters group use voice phishing to trick users into authorizing malicious apps that then exfiltrated Salesforce data, ReliaQuest reported. That campaign targeted end users through social engineering rather than compromising a vendor's backend, but the end goal, OAuth token abuse for Salesforce data exfiltration, is constant across all three. Together they show that a web of third-party integrations, if not rigorously managed, is a significant and persistent supply chain risk.

Data at a Glance

Metric                        Value                              Source
Attack start date             June 11, 2026                      Huntress
Klue awareness time           1 day (June 12, 2026)              BleepingComputer
Salesforce disablement time   6 days (June 17, 2026)             BleepingComputer
Icarus group activity period  ~2 months (since April 2026)       BleepingComputer
Max API queries in 15 min     ~1,000 queries                     SecurityWeek
Sustained exfiltration        >6 hours                           SecurityWeek
Attack vector                 OAuth grant abuse                  BleepingComputer
Data type compromised         Business contacts, sales quotes    Huntress

The CVEDaily Take

This incident demonstrates how quickly an overlooked credential can become the pivot point in a supply chain attack. Klue and Salesforce contained the breach within days, but the root cause, a long-forgotten credential that was still valid, is an all-too-common organizational weakness. We believe the impact on Salesforce customers could be broader than publicly acknowledged, given the typical reach of such applications and the five days between Klue's revocation on June 12 and Salesforce's disablement of the integration on June 17. The real lesson is that an inventory of current SaaS integrations isn't enough; organizations must audit and revoke access for all past integrations, including the ones marked "abandoned", on both sides of the trust relationship: the grants you have issued to vendors, and the credentials your own prototypes have issued to anyone.

When was the last time your team audited all third-party OAuth grants to your critical SaaS platforms, especially for integrations marked as 'disused'?

FAQ

Q: Was Salesforce itself vulnerable to this attack?
A: No, Salesforce itself was not vulnerable. The attack leveraged an OAuth token obtained through the compromise of Klue's backend infrastructure, allowing the threat actors to access Salesforce instances via its legitimate REST API as a trusted third-party application, BleepingComputer reported.

Q: What kind of data was exfiltrated in the Klue incident?
A: The exfiltrated data primarily consisted of business-related information, including business contacts, price quotes, sales-related data and messaging, client contact names, and email addresses. Huntress and Recorded Future confirmed that no threat data, passwords, payment card information, or engineering data was compromised.

Q: What steps did Klue and Salesforce take in response?
A: Klue became aware of the activity on June 12, 2026, and rapidly deactivated all customer OAuth credentials, temporarily disabling integrations with Salesforce and several other platforms like HubSpot, Zoom, and Slack. Salesforce officially disabled the Klue Battlecards integration on June 17, 2026, completely severing the connection, BleepingComputer confirmed.