Salesforce has taken significant action, disabling its integration with the Klue Battlecards app following a security incident detected on June 11, 2026. The move aims to protect customer data after unusual activity was observed within the Klue app’s connection to the Salesforce platform. Organizations will be unable to link to Salesforce through the app until further notice.
The cybersecurity company Huntress, a customer of Klue, reported that their Salesforce data, including business contacts, price quotes, and sales-related messages, was compromised and exfiltrated. Crucially, no sensitive information such as threat data, passwords, payment card details, or engineering data related to Huntress’s telemetry was affected, according to their statement.
Salesforce Disables Klue Integration Amid Data Breach Concerns
Salesforce stated that the security teams detected unusual activity involving the Klue app, which may have led to unauthorized access to a subset of customer data. The company emphasized that this issue is isolated to the Klue app’s connection and does not indicate a vulnerability within the Salesforce platform itself. This proactive measure highlights the critical importance of third-party integration security in the enterprise software landscape.
The incident has been linked to an extortion group known as Icarus. Klue confirmed that it detected unauthorized activity affecting a portion of its integration infrastructure on June 12, 2026. The attackers reportedly gained access through a compromised legacy credential associated with an integration service, a vulnerability that allowed them to access data within connected customer environments via OAuth tokens.
Klue CEO Jason Smith clarified that the breach was limited to the affected third-party platforms, and there is currently no evidence suggesting that customer content stored directly within the Klue platform itself was impacted. The company has since been taking steps to revoke affected credentials and tokens, remove unauthorized code, and investigate the full scope of the incident.
The nature of the attack involved the threat actor pushing a code update capable of collecting OAuth tokens used by Klue customers to connect the service to their systems. This allowed the adversary to query customer CRM tools directly and subsequently exfiltrate sensitive data.
Huntress Employees Receive Extortion Warnings
As of June 16, 2026, some employees at Huntress reported receiving emails with the subject line “top secret email.” These messages warned that their Salesforce data had been downloaded and gave them a 48-hour ultimatum to communicate with the attackers, urging them to “Do the right decision.”
Klue’s investigation revealed that the threat actor likely leveraged a long-disused but still active credential to initiate the compromise. This credential was originally created by Klue for a prototyping purpose for an integration service that was later abandoned. The attackers then used this initial access to steal OAuth tokens, which facilitated the subsequent data exfiltration from connected customer accounts.
Details about the Icarus actor remain scarce, with their activity noted as beginning on April 28, 2026, and claiming two victims to date. However, the methodology employed in this data theft campaign bears resemblance to previous attack waves attributed to threat groups like ShinyHunters and UNC6395. The use of OAuth token abuse in conjunction with CRM platforms is a growing concern in cybersecurity circles.
ReliaQuest’s analysis of the Klue integration abuse points to similarities with previous incidents involving third-party OAuth abuse, including the Salesloft, Drift, and Gainsight compromises that targeted Salesforce environments in the past year. This pattern suggests a recurring playbook for adversaries seeking to exploit trusted integrations.
Researchers at ReliaQuest, Thassanai McCabe and Alexa Feminella, observed that in these attacks, adversaries authenticate through compromised Klue integration service accounts, generate OAuth tokens, and then deploy automated Python scripts. These scripts are designed to enumerate an organization’s data catalog and execute extensive queries against the Salesforce REST API, performing bulk data retrieval operations over extended periods. This often involves a concentrated burst of queries, indicating a sustained effort to extract large volumes of CRM records.
The number of Salesforce customers potentially affected by this latest attack remains unclear, though Klue has stated it is directly communicating with impacted clients to provide updates and assist with their response. The recurring theme across these incidents is the exploitation of OAuth tokens or credentials from trusted third-party vendors. These non-human identities often possess broad and persistent access to sensitive data, yet they are typically monitored with less rigor than employee accounts, creating a significant security gap that attackers can exploit undetected for extended periods.
The ongoing investigation into the Klue breach and similar incidents will likely focus on enhancing security monitoring for third-party integrations and strengthening the authentication and authorization mechanisms used by these services. The future will likely see increased scrutiny on how businesses manage and secure their connected applications to prevent similar compromises in the evolving threat landscape.

