Attackers exploited a forgotten but still-active Klue credential to gain access, implanted token-harvesting code to steal OAuth tokens, and used Python scripts for 24-hour data extraction from Salesforce systems of customers including Huntress and Recorded Future.