
Salesforce Data Thefts Continue via Klue App Compromise

Dark Reading Archived Jun 18, 2026 ✓ Full text saved

Klue's Battlecards is now the third integrated application that has been compromised to steal customers' Salesforce data, and victims include Huntress, the cybersecurity vendor.



Rob Wright, Senior News Director, Dark Reading
June 18, 2026

More Salesforce instances have been breached by threat actors abusing a third-party application integration, this time through Klue's Battlecards app. The attacks, which are the latest in a series of breaches against Salesforce customers, came to light on June 17, when the CRM vendor announced it had suspended integration with Battlecards in response to a security incident.

"Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app's connection to Salesforce," the company said in an alert. "This issue is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform."

In a blog post yesterday, ReliaQuest confirmed that threat actors gained access to Salesforce instances using Klue OAuth tokens and exfiltrated customer data. ReliaQuest researchers also noted a pattern similar to previous attacks involving third-party app integrations.

"The activity follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026, reinforcing that trusted software-as-a-service (SaaS) integrations remain a high-value yet little-monitored route to reach sensitive data," according to the ReliaQuest blog post.

Latest Salesforce Breaches Stem From Klue Compromise

In the attacks observed by ReliaQuest, the threat actors authenticated through a compromised Klue integration service account and generated OAuth tokens that granted them access to customers' integrated Salesforce instances. The attackers then used automated Python scripts to exfiltrate data via the Salesforce REST API over a period of approximately 24 hours.

The attacks included "a concentrated burst of nearly a thousand queries in 15 minutes" against at least one environment, according to ReliaQuest researchers, and saw sustained exfiltration of more than six hours.

"Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records," the researchers wrote.

A ReliaQuest spokesperson tells Dark Reading the 24-hour window is consistent with a bulk-extraction operation rather than a disrupted attack.

"The attacker appears to have enumerated available data, extracted what was accessible, and moved on once they had it," the spokesperson says. "It's also possible the attacker was configuring tooling and exfiltrating data from other targets during that same window."

It's unclear how many Salesforce customers were affected by the latest attacks, but at least one company disclosed that its Salesforce data was compromised. In a blog post today, cybersecurity vendor Huntress said attackers copied data that "includes business contacts, price quotes, and other sales-related data and messaging."

Huntress also shed additional light on the threat activity, which it called "a major supply chain attack." According to the firm, the threat actors breached a backend system for Klue's market intelligence platform.

"Klue's compromise began on June 11, when some anomalous behavior took place in a system that connects with various integrations to other software platforms," the blog post stated. "The attackers pushed a code update capable of collecting OAuth tokens Klue's customers use to connect Klue to their own systems."

The Klue breach, according to Huntress, appears to have stemmed from "a long-disused but still active credential" that was initially created for Klue to test a third-party integration that was never ultimately deployed. The attackers used this credential to gain access to Klue's environment.

Huntress said Klue became aware of the malicious activity on June 12 and credited the company for its fast response and forthcoming updates on the situation (which required Klue accounts to view). According to Huntress, Klue "rapidly deactivated the OAuth credentials for all customers," and disabled its integration with Salesforce as well as several other apps, including HubSpot, Microsoft SharePoint, Zoom, and Google Drive.

Dark Reading contacted Klue for comment, but the company did not respond by press time.

Salesforce Attacks Tied to Icarus Extortion Group

While threat actors associated with the ShinyHunters cybercrime group were responsible for previous Salesforce attacks, the latest wave appears to be the work of a different group: Icarus.

On June 16, Huntress received an email from threat actors informing the company that they possessed the stolen Salesforce data and would go public within 24 hours if Huntress did not "do the right decision." The extortion email included a unique key for a communications platform called Session, presumably for victims to negotiate a ransom payment.

[Image: The Icarus Dark Web leak site claims some "big corps" will be listed as victims soon. Source: Dark Reading]

Huntress discovered that the Session Messenger ID in the email matched the same values included on the Dark Web leak site for Icarus, an emerging threat group that first arrived on the threat landscape in April. The Icarus leak site currently has one victim listed, though a "news" post published on June 12 says "big corps getting listed. be ready."

Additionally, Huntress found the emails it received were sent from three corporate mail domains for an Australian company called Global Retail Brands, an appliance and home goods retailer. The vendor's investigators believe Icarus actors compromised the retailer's infrastructure and are using its mail server for malicious purposes. Huntress reported the activity to the Australian Cyber Security Centre.

While the investigations into the breaches continue, ReliaQuest urged organizations to immediately revoke and reissue "everything tied to the Klue integration, including the service-account password, refresh tokens, client secrets, and active OAuth grants." The vendor also recommended that security teams review their Salesforce API activity for unusual REST API query volume and other anomalies, and enforce IP allowlisting for third-party integration accounts and connected apps to block any access outside approved sources.
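
The API-activity review and allowlist check that ReliaQuest recommends can be sketched as a sliding-window detector over per-account REST API events. This is an added example, not code from the article, ReliaQuest, or Salesforce; the event field names, the account name, the 500-query threshold, and the address ranges are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the article): events are dicts with hypothetical keys
# timestamp/user/source_ip; the threshold and the allowlist range are illustrative.
WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500  # set from the integration account's own baseline
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed range

def analyze(rows, window=WINDOW, threshold=BURST_THRESHOLD, allowed=ALLOWED_NETS):
    """Return (bursts, off_allowlist) for per-account REST API activity."""
    events = [(datetime.fromisoformat(r["timestamp"]), r["user"],
               ipaddress.ip_address(r["source_ip"])) for r in rows]
    recent = defaultdict(deque)   # user -> timestamps inside the sliding window
    in_burst = set()              # users already alerted for the current burst
    bursts, off_allowlist = [], {}
    for ts, user, ip in sorted(events, key=lambda e: e[0]):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:         # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            if user not in in_burst:      # alert once per burst, at the crossing
                in_burst.add(user)
                bursts.append((user, q[0].isoformat(), ts.isoformat(), len(q)))
        else:
            in_burst.discard(user)
        if not any(ip in net for net in allowed):
            # remember the first time this account was used from this address
            off_allowlist.setdefault((user, str(ip)), ts.isoformat())
    return bursts, off_allowlist

def constructed_sample():
    """Constructed events: a slow baseline, then 1,000 queries inside 15 minutes."""
    start = datetime(2026, 1, 1)
    rows = [{"timestamp": (start + timedelta(minutes=10 * i)).isoformat(),
             "user": "svc-integration", "source_ip": "198.51.100.10"}
            for i in range(36)]
    burst = start + timedelta(hours=6)
    rows += [{"timestamp": (burst + timedelta(seconds=0.9 * i)).isoformat(),
              "user": "svc-integration", "source_ip": "203.0.113.77"}
             for i in range(1000)]
    return rows

if __name__ == "__main__":
    print(analyze(constructed_sample()))
```

The burst alert fires once, at the moment the account crosses the threshold, and the allowlist result records the first time each account appears from an unapproved address, which is the timestamp to pivot on when scoping what was queried.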