Industry News & Leadership · Jun 18, 2026

Hackers Breached Klue Integration to Steal Salesforce CRM Data via OAuth Tokens

Source: Cybersecurity News (archived Jun 18, 2026)




By Guru Baran, June 18, 2026

Threat actors exploited a trusted third-party SaaS integration to silently harvest enterprise CRM data, the latest chapter in an escalating wave of OAuth-abuse attacks targeting Salesforce ecosystems. Researchers at ReliaQuest observed attackers leveraging a compromised Klue Battlecards integration (Klue is a competitive-intelligence platform that synchronizes battlecard and win/loss data with Salesforce) to exfiltrate large volumes of customer relationship management (CRM) data from enterprise environments.

In response, Salesforce has disabled the Klue Battlecards app's connection to its platform pending further investigation, warning that the unusual activity "may have resulted in unauthorized access to a subset of customer data." Salesforce confirmed the issue is not a vulnerability in its own platform but a compromise of Klue's integration service account credentials.

The attackers authenticated with the compromised Klue integration service accounts, obtained OAuth tokens, and ran automated Python scripts, identifiable by Python-urllib user-agent strings, to systematically drain CRM records through Salesforce's REST API. The attack followed a two-phase exfiltration pattern:

- Phase 1, slow extraction: the attackers first enumerated the organization's object catalog via GET /services/data/v59.0/sobjects, then ran looped REST API queries for nearly 24 hours, walking result sets through the QueryMore cursor (the nextRecordsUrl that the REST query endpoint returns for the next page) at a pace designed to mimic legitimate integration traffic.

- Phase 2, burst extraction: in at least one environment, the attackers sent nearly 1,000 queries within a 15-minute window, trading stealth for speed. This suggests either time pressure or a targeted pivot to high-value records.
A separate incident saw sustained extraction lasting over 6 hours. The CRM data reachable through the integration could include account records, contact details, deal outcomes, and pricing data, depending on how each organization scoped the integration's permissions.

ReliaQuest researchers noted that the methodology closely mirrors campaigns attributed to ShinyHunters and UNC6395, two threat clusters responsible for high-profile Salesforce OAuth-abuse incidents throughout 2025 and 2026. In June 2025, ShinyHunters used voice phishing to trick employees into authorizing malicious connected apps, then bulk-extracted Salesforce data for extortion. In August 2025, UNC6395 stole OAuth refresh tokens from the Salesloft Drift integration and queried Salesforce data across hundreds of organizations, the closest public analog to this incident. Attribution nevertheless remains unconfirmed, and there are notable differences: UNC6395 previously used python-requests, Salesforce-CLI, and Tor infrastructure, while this activity used a generic Python-urllib agent and data-center hosting. No extortion demands or leak-site postings had been observed as of publication.

The core weakness here is structural. Third-party SaaS integrations function as non-human identities with persistent, often broadly scoped API access to sensitive data. Because they authenticate with valid credentials, they rarely trigger the behavioral alerts associated with user account compromise, which is how a 24-hour automated query loop can run undetected from a "trusted" account. ReliaQuest's GreyMatter platform correlated the OAuth token refresh, the sustained API query spikes, and the burst extraction into a single intrusion narrative, demonstrating why API-layer visibility is critical in integration-heavy environments.
Organizations using Klue or any Salesforce-connected integration should act immediately:

- Revoke and rotate all credentials, including service-account passwords, OAuth refresh tokens, client secrets, and active OAuth grants. Revoking the refresh token, not just the password, is what terminates persistent access.

- Audit Salesforce REST API logs: hunt for unusual query volumes, repeated pagination, Python-urllib user-agents, and access from unknown IP ranges.

- Enforce IP allowlisting: restrict connected app and SIEM/SOAR API access to approved infrastructure only, blocking and alerting on all out-of-scope requests.

ReliaQuest assesses it is highly likely that threat actors will continue targeting Salesforce-connected third-party integrations through the remainder of 2026, warning that the OAuth-abuse playbook is "repeatable, effective, and now widely adopted."

Indicators of compromise:

Artifact            Type
138.226.246[.]94    IP Address
212.86.125[.]24     IP Address
213.111.148[.]90    IP Address
94.154.32[.]160     IP Address
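The hunting logic the recommendations above describe, and the two-phase pattern from the incident narrative, as an added Python example run over constructed API log lines. This is not code from the article, ReliaQuest, or Salesforce: the JSON-lines log shape and its field names (ts, user, client_ip, user_agent, path) are assumptions rather than Salesforce's EventLogFile schema, the two users, the KlueSync user-agent and the 203.0.113.0/24 allowlist are invented for the sample, and the only data taken from the article are the four listed IP addresses and the request paths it names.

```python
"""Hunt Salesforce REST API logs for the two-phase OAuth-abuse pattern.

Added example, not code from the article, ReliaQuest or Salesforce. Log
records use a CONSTRUCTED JSON-lines shape; the field names (ts, user,
client_ip, user_agent, path) are assumptions, not the EventLogFile schema.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators listed in the article, kept defanged as published.
ARTICLE_IOCS = ["138.226.246[.]94", "212.86.125[.]24",
                "213.111.148[.]90", "94.154.32[.]160"]

def refang(ip):
    return ip.replace("[.]", ".")

def parse_log(lines):
    """Parse JSON-lines records; 'ts' is ISO 8601 (assumed format)."""
    recs = []
    for line in lines:
        if line.strip():
            r = json.loads(line)
            r["ts"] = datetime.fromisoformat(r["ts"])
            recs.append(r)
    return recs

def hunt(records, allowlist_cidrs, burst_threshold=500,
         burst_window=timedelta(minutes=15), sustained=timedelta(hours=6),
         min_pages=50):
    """Return {user: {signal: [details]}} for every identity showing a signal.
    burst_threshold is a tuning knob: the article's burst was nearly 1,000
    queries in 15 minutes; 500 catches a smaller org's equivalent."""
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    iocs = {refang(i) for i in ARTICLE_IOCS}
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        ts = [r["ts"] for r in recs]
        f, pages = defaultdict(set), 0
        for r in recs:
            if r["path"].endswith("/sobjects"):      # object-catalog enumeration
                f["enumeration"].add(r["path"])
            elif "/query/" in r["path"]:             # /query/<cursor>: QueryMore page
                pages += 1
            if r["user_agent"].startswith("Python-urllib"):
                f["python_urllib"].add(r["user_agent"])
            ip = ipaddress.ip_address(r["client_ip"])
            if not any(ip in n for n in nets):
                f["ip_outside_allowlist"].add(str(ip))
            if str(ip) in iocs:
                f["ioc_match"].add(str(ip))
        # Phase 1: a long-running pagination loop from one identity.
        if pages >= min_pages and ts[-1] - ts[0] >= sustained:
            f["sustained_pagination"].add(f"{pages} pages over {ts[-1] - ts[0]}")
        # Phase 2: densest window of requests, sliding over sorted timestamps.
        j = peak = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > burst_window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= burst_threshold:
            f["burst"].add(f"{peak} requests in {burst_window}")
        if f:
            findings[user] = {k: sorted(v) for k, v in f.items()}
    return findings

def sample_log():
    """CONSTRUCTED traffic: a benign sync user plus a compromised service
    account replaying the article's two phases from one of its listed IPs."""
    t0 = datetime(2026, 6, 10, 1, 0, 0)
    good, bad = "klue.sync@corp.example", "svc.klue@corp.example"
    out = []

    def rec(ts, user, ip, ua, path):
        out.append(json.dumps({"ts": ts.isoformat(), "user": user,
                               "client_ip": ip, "user_agent": ua, "path": path}))

    for i in range(12):   # hourly sync, one query each, from an allowed IP
        rec(t0 + timedelta(hours=i), good, "203.0.113.10", "KlueSync/2.3",
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Opportunity")
    bad_ip, ua = refang(ARTICLE_IOCS[0]), "Python-urllib/3.11"
    rec(t0, bad, bad_ip, ua, "/services/data/v59.0/sobjects")
    for i in range(240):  # phase 1: one QueryMore page every 6 min for 24 h
        rec(t0 + timedelta(minutes=6 * i), bad, bad_ip, ua,
            f"/services/data/v59.0/query/01gxx0000000001AAA-{2000 * i}")
    t1 = t0 + timedelta(hours=25)
    for i in range(980):  # phase 2: 980 queries inside roughly 8 minutes
        rec(t1 + timedelta(seconds=i / 2), bad, bad_ip, ua,
            "/services/data/v59.0/query?q=SELECT+Id,Amount+FROM+Opportunity")
    return out
```

Running hunt(parse_log(sample_log()), ["203.0.113.0/24"]) flags only the service account, with all six signals set, while the benign sync user produces no entry at all; shrinking the allowlist to a range that excludes 203.0.113.10 makes the benign user appear under ip_outside_allowlist, which is the point of the third recommendation. The burst and pagination thresholds are deliberately parameters: a busy org's legitimate integration can page through thousands of records, so baseline them per integration user rather than trusting the defaults.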