Industry News & Leadership · Jun 18, 2026

Attackers Steal Salesforce Data From Klue Battlecards Users

Data Breach Today · Archived Jun 18, 2026

CRM Data Theft Tied to OAuth Tokens Stolen From Third-Party Market Intelligence App

Salesforce disabled connections to its customer relationship management environment from third-party app Klue Battlecards as a response to a "security incident." Attackers breached Klue's platform, generated OAuth tokens for Salesforce and stole data, now being held to ransom.



Identity & Access Management, Incident & Breach Response, Security Operations

Mathew J. Schwartz (euroinfosec) • June 18, 2026

Image: Shutterstock/Klue/ISMG

Salesforce disabled connections to its customer relationship management environment from third-party app Klue Battlecards as a response to a "security incident."

"Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app's connection to Salesforce," says a security alert posted by the San Francisco CRM giant Wednesday.

Vancouver, British Columbia-based Klue offers an "artificial intelligence-powered competitive intelligence platform" designed to help customers run win-loss programs, referring to an analytical process that uses buyer interviews and surveys to analyze an organization's ability to close deals, together with generating summaries known as "battlecards."

All connections to Salesforce from the Klue app, which individual users can choose to install, have been suspended. "This issue is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform," the CRM provider said.

The attack appeared to begin last week, and involved legitimate OAuth tokens for Klue customers being used to access and steal data from their Salesforce CRM instances and potentially other connected services, said cybersecurity firm ReliaQuest in a Wednesday report.

"In the attacks we observed, the adversary first authenticated through a compromised Klue integration service account, generated OAuth tokens and ran automated Python scripts" that used REST API queries against the Salesforce environment for nearly 24 hours, ReliaQuest said, adding that it privately shared its findings directly with Klue on Monday. "The volume and pacing point to bulk data retrieval, not routine integration traffic - a legitimate integration's own credentials were used to quietly siphon CRM records at scale through a door that was already open," ReliaQuest said.

In light of the attack, ReliaQuest said "defenders should revoke and rotate the credentials and OAuth tokens - refresh tokens included - for Salesforce-connected integrations and restrict their API access, along with SIEM and SOAR API access, to known allow-listed infrastructure."

How many Klue customers lost data in the attack isn't clear. The company didn't immediately respond to a request for comment. Last September, it counted 190,000 users.

Managed security platform provider Huntress, a Klue customer, said Thursday it lost CRM data in the attack and published its own timeline of the campaign, based on multiple logs it reviewed, alongside Klue-shared indicators of compromise. Huntress said employees began receiving emails Tuesday that threatened to leak the stolen data unless the company began ransom negotiations within 48 hours.

According to Huntress's assessment, the campaign began five days earlier on June 11 "when attackers pushed a code update capable of collecting OAuth tokens Klue's customers use to connect Klue to their own systems." Klue appeared to detect the attack by the next day, including spotting unusual connections from its environment to a remote server, and issued its first alert to customers on Saturday.

Klue has continued to issue "regular updates" through its customer portal, which requires a password to access, Huntress said, adding that the market intelligence firm "rapidly deactivated the OAuth credentials for all customers" and temporarily suspended integrations between its app and not only Salesforce, but also Chorus, Clari, Gong, Google Drive, HubSpot, SharePoint, Slack App and Zoom.

While attackers continue to target Salesforce data, such information may not always be considered ultra-sensitive. Huntress said that in its case, stolen data "includes business contacts, price quotes and other sales-related data and messaging," and that "no threat data, passwords, payment card information or engineering data relating to the Huntress agent or telemetry we collect was affected." The company said the breach appears to have resulted only in the exfiltration of its CRM data.

Salesforce OAuth Abuse

No attacker or group has yet claimed credit for the hit on Klue and its customers. The attack follows a now widely used playbook, often tied to such groups or clusters of threat activity as ShinyHunters and UNC6395.

Since June 2025, the extortion group ShinyHunters has repeatedly targeted CRM data, oftentimes in combination with voice phishing attacks. Another notable attack in August 2025, attributed by Google to UNC6395 - which may involve elements of ShinyHunters - targeted Salesloft Drift integrations with Salesforce instances to steal data.

"The common thread is the abuse of OAuth tokens or credentials from a trusted third-party vendor. These integrations are non-human identities with persistent, often broad access to sensitive data, yet they are typically monitored far less closely than employee accounts," ReliaQuest said. "That gap is why a 24-hour automated query loop could run from a 'trusted' integration account without tripping the usual alarms," it said.

The company added that the tactics used in the Klue attack most resemble UNC6395's targeting of Salesloft Drift. Whether that involves the same or copycat attackers isn't yet clear.
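The two defensive points ReliaQuest makes above, that "volume and pacing" distinguish a bulk-retrieval loop from routine integration traffic, and that integration API access should be restricted to known allow-listed infrastructure, can be turned into concrete detection logic. The following is an added example written for this page; it is not code from the article, from ReliaQuest, Huntress, Klue or Salesforce. The record format it parses (timestamp, identity, connected app, source IP, URI, rows returned), the thresholds, the identity and client names, and the sample records are all constructed assumptions for the demo, not the real Salesforce event-log schema.

```python
"""Flag non-human integration identities whose API traffic looks like a
sustained bulk-retrieval loop, and calls that arrive from infrastructure
outside an allow-list.

Added example. The record format below is constructed for this demo and is
NOT the real Salesforce event-log schema; field names and thresholds are
assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime   # time the request hit the API
    user: str      # identity that authenticated (integration accounts here)
    client: str    # connected app / client name presented with the token
    ip: str        # source address of the request
    uri: str       # REST resource queried
    rows: int      # rows returned by the query


def parse_line(line: str) -> ApiEvent:
    """Parse one constructed CSV record: ts,user,client,ip,uri,rows."""
    ts, user, client, ip, uri, rows = line.strip().split(",")
    return ApiEvent(datetime.fromisoformat(ts), user, client, ip, uri, int(rows))


def hourly_buckets(events):
    """Aggregate [request count, rows] per identity per clock hour."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ev in events:
        hour = ev.ts.replace(minute=0, second=0, microsecond=0)
        bucket = buckets[ev.user][hour]
        bucket[0] += 1
        bucket[1] += ev.rows
    return buckets


def find_bulk_retrieval(events, min_req_per_hour=60, min_rows_per_hour=10_000,
                        min_hours=6):
    """Return {user: (consecutive 'hot' hours, rows pulled in that run)} for
    identities that exceed both thresholds for at least min_hours in a row.

    A scheduled sync makes a few calls an hour; a script paging through CRM
    objects produces a dense, even stream for hours. Consecutiveness is what
    separates the two, so a gap of an hour resets the run."""
    findings = {}
    for user, hours in hourly_buckets(events).items():
        best = (0, 0)
        run, run_rows, prev = 0, 0, None
        for hour in sorted(hours):
            n_req, n_rows = hours[hour]
            hot = n_req >= min_req_per_hour and n_rows >= min_rows_per_hour
            adjacent = prev is not None and hour - prev == timedelta(hours=1)
            if hot and adjacent:
                run, run_rows = run + 1, run_rows + n_rows
            elif hot:
                run, run_rows = 1, n_rows
            else:
                run, run_rows = 0, 0
            prev = hour
            best = max(best, (run, run_rows))
        if best[0] >= min_hours:
            findings[user] = best
    return findings


def off_allowlist(events, allowlist):
    """Return {(user, ip)} for calls by integration identities from addresses
    not in the allow-list. Unlike the pacing check this is a hard rule: with a
    short list of vendor egress addresses, any other source is a finding."""
    return {(ev.user, ev.ip) for ev in events if ev.ip not in allowlist}


ALLOWED_SOURCE_IPS = {"203.0.113.10"}   # constructed: the vendor's known egress


def constructed_sample():
    """Constructed records: one well-behaved integration, one siphoning loop.
    IPs come from documentation ranges; the URI mimics a REST query path."""
    start = datetime(2026, 6, 11, 0, 0)
    uri = "/services/data/v60.0/query"
    lines = []
    # Normal integration: four small sync calls per hour from the known egress
    for h in range(24):
        for m in (0, 15, 30, 45):
            ts = start + timedelta(hours=h, minutes=m)
            lines.append(f"{ts.isoformat()},integ-normal,Sync App,203.0.113.10,{uri},250")
    # Suspect: same client name, but a query every 30 seconds returning 2,000
    # rows, for 23 hours, from an address nobody allow-listed
    for s in range(0, 23 * 3600, 30):
        ts = start + timedelta(seconds=s)
        lines.append(f"{ts.isoformat()},integ-suspect,Sync App,198.51.100.77,{uri},2000")
    return lines


if __name__ == "__main__":
    events = [parse_line(line) for line in constructed_sample()]
    print("bulk retrieval:", find_bulk_retrieval(events))
    print("off allow-list:", off_allowlist(events, ALLOWED_SOURCE_IPS))
```

Run stand-alone, the script reports the looping identity with 23 consecutive hot hours and about 5.5 million rows, and the same identity calling from a non-allow-listed address, while the scheduled integration trips neither check. The design point is that the pacing check keys on the identity rather than on the connected-app name or the token, because in the incident described the attacker used a legitimate integration's own credentials; the allow-list check then gives a deterministic control to sit alongside the statistical one, which is the restriction ReliaQuest recommends.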