The Sheffield Press

Klue breach exposes customer Salesforce data after OAuth token theft

By Darren Ryding

A credential left active after a 2022 pilot became the weak point that let attackers move into Klue’s integration infrastructure and reach customer Salesforce data through trusted connections. Klue said it discovered unauthorized activity on June 12, one day after the intrusion began, and later tied the incident to OAuth tokens that had been collected from its environment.

The security failure was basic, not exotic: a credential that should have been revoked stayed live long enough to help expose customer records. Klue said it deactivated customer OAuth credentials, disabled multiple integrations, and brought in CrowdStrike and law enforcement after the breach came to light. Salesforce then disabled the Klue Battlecards app integration on June 17 after detecting unusual activity tied to the app’s connection to Salesforce.

The fallout spread across a widening list of customers that publicly named themselves, including Huntress, HackerOne, Jamf, Recorded Future, Tanium, ReliaQuest, Sprout Social, Gong and Insurity. Huntress said the stolen material included business contact information, price quotes and sales-related communications, but not telemetry, passwords, payment card data or engineering data. Huntress also said the extortion group began sending emails on June 16 and posted stolen data on June 22, while noting that some filenames on the leak site were misleading and often contained routine logs or limited metadata rather than sensitive source material.

Recorded Future said its exposure was limited to business data fields in Salesforce, including client contact names, email addresses and possibly some contract information. That pattern underscores the risk in SaaS ecosystems: a single compromised integration can open a window into multiple companies at once, even when the vendor’s core product is not directly breached. The group calling itself Icarus claimed responsibility, and the incident now stands as another example of how routine access-control lapses can turn a trusted connection into a broad data exposure.
