
Klue Breach: Attackers Stole OAuth Tokens and Accessed Customer Salesforce Data

The Bottom Line: Attackers exploited a forgotten but still-active Klue credential to gain access, implanted token-harvesting code to steal OAuth tokens, and used Python scripts for 24-hour data extraction from Salesforce systems of customers including Huntress and Recorded Future.

Attackers broke into the competitive intelligence platform Klue through a legacy credential that had never been disabled, stole the OAuth tokens of Klue's customers, and accessed Salesforce CRM data across multiple customer systems. Salesforce subsequently blocked new connections to the Klue integration temporarily.

The competitive intelligence platform Klue fell victim to a breach on June 12, 2024. Attackers gained access via an old integration credential that Klue originally created for prototyping a later-abandoned integration and never disabled. From there, they obtained OAuth tokens that Klue customers use to connect with Salesforce and other platforms, and accessed data across multiple customer systems. Klue CEO Jason Smith confirmed this on June 19.

According to Huntress’ investigation, attackers deployed a code update to a Klue integration system specifically designed to intercept customer OAuth tokens. Klue employees later identified and removed this token-theft code. Affected customers include cybersecurity providers Huntress and Recorded Future, as well as an undisclosed number of additional Klue customers. Klue subsequently disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.

According to ReliaQuest analysis, attackers ran automated Python scripts against the Salesforce REST API of the compromised systems for approximately 24 hours. The query volume was unusually high and could only have been detected with API-layer logging. According to ReliaQuest, Salesforce disabled the Klue Battlecards integration and prohibited new connections indefinitely due to indicators of unauthorized data access. Salesforce emphasized that the breach was not caused by a vulnerability in its platform; only Klue's app connection was compromised.

CISOs should use this as an occasion to revoke and re-issue all OAuth and refresh tokens for Klue’s Salesforce integration, review Salesforce API logs for unusual query volumes, and restrict third-party integration accounts to known IP ranges. ReliaQuest warns that every third-party app with OAuth access to core platforms like Salesforce is part of an organization’s attack surface and requires continuous monitoring.
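One way to carry out the API log review recommended above, as an added example that is not part of the original article or of any vendor's tooling: the script baselines per-connected-app Salesforce REST API call volume from constructed, Salesforce-style log rows and flags integrations whose peak hourly rate or source address departs from what is expected. The column names, app identifiers, addresses and the allow-list are assumptions.

```python
"""Flag third-party connected apps whose Salesforce API call volume or source
address departs from baseline. Constructed example: the CSV columns below
(TIMESTAMP_DERIVED, CONNECTED_APP_ID, CLIENT_IP) only loosely mirror a
Salesforce event-log export; column names, app ids and addresses are assumed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one integration calling four times a day, and a second
# one calling every two minutes for 24 hours from an unlisted address.
SAMPLE_LOG = "TIMESTAMP_DERIVED,CONNECTED_APP_ID,CLIENT_IP\n" + "\n".join(
    [f"2024-06-12T{h:02d}:00:00Z,app-normal,203.0.113.10" for h in range(0, 24, 6)]
    + [f"2024-06-12T{h:02d}:{m:02d}:00Z,app-suspect,198.51.100.7"
       for h in range(24) for m in range(0, 60, 2)]
)
# Assumed allow-list: the egress address(es) each integration should use.
ALLOWED_SOURCES = {"app-normal": {"203.0.113.10"}, "app-suspect": {"203.0.113.10"}}

def parse_log(text):
    """Yield (app, timestamp, client_ip) per log row."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        yield row["CONNECTED_APP_ID"], ts, row["CLIENT_IP"]

def peak_hourly_rate(timestamps, window=timedelta(hours=1)):
    """Largest call count in any sliding one-hour window (two-pointer scan)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_integrations(log_text, max_calls_per_hour, allowed=ALLOWED_SOURCES):
    """Return {app: [reasons]} for apps over the hourly baseline or calling
    from an address that is not on their allow-list."""
    stamps, sources = defaultdict(list), defaultdict(set)
    for app, ts, ip in parse_log(log_text):
        stamps[app].append(ts)
        sources[app].add(ip)
    findings = {}
    for app, times in stamps.items():
        reasons = []
        rate = peak_hourly_rate(times)
        if rate > max_calls_per_hour:
            reasons.append(f"peak {rate} calls/hour exceeds baseline {max_calls_per_hour}")
        unknown = sources[app] - allowed.get(app, set())
        if unknown:
            reasons.append(f"calls from unlisted source(s): {sorted(unknown)}")
        if reasons:
            findings[app] = reasons
    return findings
```

The hourly baseline should come from each integration's own historical volume; a flat threshold is only a starting point.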


Source: www.csoonline.com · Published June 22, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
