Salesforce Data Thefts Continue via Klue App Compromise
Dark Reading
Klue's Battlecards is now the third integrated application that has been compromised to steal customers' Salesforce data, and victims include Huntress, the cybersecurity vendor.
Rob Wright, Senior News Director, Dark Reading
June 18, 2026
5 Min Read
More Salesforce instances have been breached by threat actors abusing a third-party application integration, this time through Klue's Battlecards app.
The attacks, which are the latest in a series of breaches against Salesforce customers, came to light on June 17, when the CRM vendor announced it had suspended integration with Battlecards in response to a security incident.
"Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app's connection to Salesforce," the company said in an alert. "This issue is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform."
In a blog post yesterday, ReliaQuest confirmed that threat actors gained access to Salesforce instances using Klue OAuth tokens and exfiltrated customer data. ReliaQuest researchers also noted a pattern similar to previous attacks involving third-party app integrations.
"The activity follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026, reinforcing that trusted software-as-a-service (SaaS) integrations remain a high-value yet little-monitored route to reach sensitive data," according to the ReliaQuest blog post.
Latest Salesforce Breaches Stem From Klue Compromise
In the attacks observed by ReliaQuest, the threat actors authenticated through a compromised Klue integration service account and generated OAuth tokens that granted them access to customers' integrated Salesforce instances. They then used automated Python scripts to exfiltrate data via the Salesforce REST API over a period of approximately 24 hours.
The attacks included "a concentrated burst of nearly a thousand queries in 15 minutes" against at least one environment, according to ReliaQuest researchers, and sustained exfiltration lasting more than six hours. "Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records," the researchers wrote.
A ReliaQuest spokesperson tells Dark Reading the 24-hour window is consistent with a bulk-extraction operation rather than a disrupted attack. "The attacker appears to have enumerated available data, extracted what was accessible, and moved on once they had it," the spokesperson says. "It's also possible the attacker was configuring tooling and exfiltrating data from other targets during that same window."
It's unclear how many Salesforce customers were affected by the latest attacks, but at least one company disclosed that its Salesforce data was compromised. In a blog post today, cybersecurity vendor Huntress said attackers copied data that "includes business contacts, price quotes, and other sales-related data and messaging."
Huntress also shed additional light on the threat activity, which it called "a major supply chain attack." According to the firm, the threat actors breached a backend system for Klue's market intelligence platform.
"Klue's compromise began on June 11, when some anomalous behavior took place in a system that connects with various integrations to other software platforms," the blog post stated. "The attackers pushed a code update capable of collecting OAuth tokens Klue's customers use to connect Klue to their own systems."
The Klue breach, according to Huntress, appears to have stemmed from "a long-disused but still active credential" that was initially created for Klue to test a third-party integration that was never ultimately deployed. The attackers used this credential to gain access to Klue's environment.
Huntress said Klue became aware of the malicious activity on June 12 and credited the company for its fast response and forthcoming updates on the situation (which required Klue accounts to view). According to Huntress, Klue "rapidly deactivated the OAuth credentials for all customers," and disabled its integration with Salesforce as well as several other apps, including HubSpot, Microsoft SharePoint, Zoom, and Google Drive.
Dark Reading contacted Klue for comment, but the company did not respond by press time.
Salesforce Attacks Tied to Icarus Extortion Group
While threat actors associated with the ShinyHunters cybercrime group were responsible for previous Salesforce attacks, the latest wave appears to be the work of a different group: Icarus.
On June 16, Huntress received an email from threat actors informing the company that they possessed the stolen Salesforce data and would go public within 24 hours if Huntress did not "do the right decision." The extortion email included a unique key for a communications platform called Session, presumably for victims to negotiate a ransom payment.
The Icarus Dark Web leak site claims some "big corps" will be listed as victims soon. Source: Dark Reading
Huntress discovered that the Session Messenger ID in the email matched the value listed on the Dark Web leak site for Icarus, an emerging threat group that first appeared on the threat landscape in April. The Icarus leak site currently has one victim listed, though a "news" post published on June 12 says "big corps getting listed. be ready."
Additionally, Huntress found the emails it received were sent from three corporate mail domains for an Australian company called Global Retail Brands, an appliance and home goods retailer. The vendor's investigators believe Icarus actors compromised the retailer's infrastructure and are using its mail server for malicious purposes. Huntress reported the activity to the Australian Cyber Security Centre.
While the investigations into the breaches continue, ReliaQuest urged organizations to immediately revoke and reissue "everything tied to the Klue integration, including the service-account password, refresh tokens, client secrets, and active OAuth grants." The vendor also recommended that security teams review their Salesforce API activity for unusual REST API query volume and other anomalies, and enforce IP allowlisting for third-party integration accounts and connected apps to block any access outside approved sources.
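The API-activity review ReliaQuest recommends, as an added example that is not code from the article, ReliaQuest, Huntress or Klue: a sliding-window count of REST calls per connected app and user, run over a constructed log that contains both stages described above, a slow steady pull over six hours and then roughly a thousand calls in 15 minutes. The column names are loosely modeled on Salesforce EventLogFile RestApi rows; the columns, the app and user IDs and the thresholds are assumptions, not a documented schema or a published baseline.

```python
"""Sliding-window review of Salesforce REST API call volume.

Added example, not code from the article, ReliaQuest, Huntress or Klue.
The input is a constructed stand-in loosely modeled on Salesforce
EventLogFile RestApi rows; column names, IDs and thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions: derive real ones from your own org's
# per-integration baseline, not from these constructed numbers.
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 200            # calls per principal per 15-minute window
SUSTAINED_WINDOW = timedelta(hours=6)
SUSTAINED_THRESHOLD = 600        # calls per principal per 6-hour window

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_rows(text):
    """Parse CSV text into sorted (timestamp, connected_app_id, user_id, uri) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["TIMESTAMP_DERIVED"], TS_FMT).replace(tzinfo=timezone.utc)
        rows.append((ts, rec["CONNECTED_APP_ID"], rec["USER_ID"], rec["URI"]))
    rows.sort()
    return rows


def peak_window_counts(rows, window):
    """For each (connected app, user) principal, return the largest number of
    calls that fall inside any trailing window of the given length.

    One deque per principal holds the timestamps currently inside the window;
    rows are sorted, so popping from the left keeps the whole pass O(n)."""
    active = defaultdict(deque)
    peaks = defaultdict(int)
    for ts, app, user, _uri in rows:
        key = (app, user)
        q = active[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > peaks[key]:
            peaks[key] = len(q)
    return dict(peaks)


def analyze(text):
    """Return principals whose call volume exceeds either threshold.

    'bursts' catches the short high-rate pull (the 'nearly a thousand queries
    in 15 minutes' pattern); 'sustained' catches a slow steady pull that never
    trips a per-minute limit but adds up over hours."""
    rows = parse_rows(text)
    burst_peaks = peak_window_counts(rows, BURST_WINDOW)
    sustained_peaks = peak_window_counts(rows, SUSTAINED_WINDOW)
    return {
        "bursts": {k: v for k, v in burst_peaks.items() if v > BURST_THRESHOLD},
        "sustained": {k: v for k, v in sustained_peaks.items() if v > SUSTAINED_THRESHOLD},
    }


def _row(ts, app, user, uri):
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ts.microsecond // 1000:03d}Z"
    return f"RestApi,{stamp},{app},{user},{uri}"


def build_sample_log():
    """Constructed sample log: one legitimate integration polling once a minute
    for 8 hours, and one suspect integration doing a slow 6-hour pull (2 calls
    a minute) followed by 950 calls in 15 minutes against a new object.
    App and user IDs are made up."""
    start = datetime(2026, 6, 12, 1, 0, tzinfo=timezone.utc)
    legit = ("0H4LEGITIMATE01", "005LEGITUSER0001")
    suspect = ("0H4SUSPECTAPP01", "005INTEGSVCACCT1")
    lines = ["EVENT_TYPE,TIMESTAMP_DERIVED,CONNECTED_APP_ID,USER_ID,URI"]
    for m in range(8 * 60):
        lines.append(_row(start + timedelta(minutes=m), *legit, "/services/data/v60.0/query"))
    for m in range(6 * 60):
        for s in (0, 30):
            lines.append(_row(start + timedelta(minutes=m, seconds=s), *suspect, "/services/data/v60.0/query"))
    burst_start = start + timedelta(hours=6)
    for i in range(950):
        offset = timedelta(milliseconds=i * 900_000 // 950)
        lines.append(_row(burst_start + offset, *suspect, "/services/data/v60.0/sobjects/Contact"))
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for kind, hits in result.items():
        for (app, user), peak in hits.items():
            print(f"{kind}: connected app {app} as user {user}: peak {peak} calls")
```

Run against real EventLogFile exports, the same two windows separate the legitimate once-a-minute poller from the suspect principal, which is flagged on both counts while the legitimate app trips neither. Keying on connected app plus user matters here because the stolen OAuth tokens carried a real integration's identity; only the volume and the shift in target objects distinguished the theft from normal use. Revoking the grants and restricting the connected app to approved source IPs are Setup actions, not something a log review replaces.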
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends.
Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. At TechTarget and Dark Reading, he has won several Azbee awards, including the 2026 National Silver Award for a series on vibe coding.
At Dark Reading, Rob currently covers security operations, cloud security, and Internet infrastructure. He has a keen interest in malvertising activity and the certificate authority industry, and has written extensively on both topics. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.