The Sheffield Press


Klue breach exposes cybersecurity firms through Salesforce integration attack

By Darren Ryding

A breach at a market-intelligence vendor meant to help companies sharpen sales strategy ended up exposing some of the cybersecurity industry’s own customer records. Huntress, HackerOne, Jamf, Recorded Future and Tanium were among the companies affected after attackers abused Klue’s integrations to reach Salesforce environments through trusted connections.

The intrusion began on June 11, 2026, when attackers compromised Klue’s integration infrastructure, collected OAuth tokens and used them to access customer Salesforce data. Klue said it became aware of malicious activity on June 12 and moved quickly to deactivate customer OAuth credentials, disable multiple integrations and bring in CrowdStrike and law enforcement. Salesforce later disabled the Klue Battlecards app integration on June 17, saying it had detected unusual activity tied to the app’s connection to Salesforce.

The incident highlights how a single third-party platform can become a conduit into multiple companies at once. ReliaQuest said the attackers used a compromised Klue Battlecards integration to exfiltrate Salesforce CRM data through OAuth tokens and automated REST API queries, describing the pattern as similar to recent third-party OAuth-abuse campaigns aimed at Salesforce ecosystems. SecurityWeek reported a burst of nearly 1,000 queries in 15 minutes and extraction windows that lasted more than six hours, suggesting the theft was both automated and sustained.
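A defender-side sketch of the volume pattern reported above, added here as an example and not taken from Klue, Salesforce, ReliaQuest or SecurityWeek: it flags an integration token that issues a burst of API calls inside 15 minutes or keeps one session running past six hours. The log tuple layout, the app and token names, the 900-call threshold and the 30-minute idle gap are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 900             # assumption: just under the reported ~1,000 queries
SUSTAINED = timedelta(hours=6)    # reported extraction windows exceeded six hours
IDLE_GAP = timedelta(minutes=30)  # assumption: a longer silence ends a session

def detect(events):
    """events: (timestamp, app, token_id) tuples sorted by time.
    Returns (kind, app, token_id, timestamp) findings, one per kind and token."""
    recent = defaultdict(deque)   # (app, token) -> timestamps inside the burst window
    session = {}                  # (app, token) -> (session start, last call)
    seen, findings = set(), []

    def flag(kind, key, ts):
        if (kind, key) not in seen:
            seen.add((kind, key))
            findings.append((kind, *key, ts))

    for ts, app, token in events:
        key = (app, token)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > BURST_WINDOW:
            q.popleft()           # drop calls older than the burst window
        if len(q) >= BURST_THRESHOLD:
            flag("burst", key, ts)
        start, last = session.get(key, (ts, ts))
        if ts - last > IDLE_GAP:
            start = ts            # idle gap: treat as a new session
        session[key] = (start, ts)
        if ts - start >= SUSTAINED:
            flag("sustained", key, ts)
    return findings

def sample_events():
    """Constructed API log: one routine token, one that bursts and then keeps pulling."""
    t0 = datetime(2026, 1, 1, 9, 0)   # arbitrary constructed date
    routine = [(t0 + timedelta(minutes=5 * i), "example-app", "tok-routine") for i in range(24)]
    burst = [(t0 + timedelta(seconds=0.9 * i), "example-app", "tok-bulk") for i in range(1000)]
    drip = [(t0 + timedelta(minutes=15 + i), "example-app", "tok-bulk") for i in range(390)]
    return sorted(routine + burst + drip)

if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

Keying the counters on the token as well as the app lets a responder revoke the one credential showing the pattern while other tokens for the same integration keep working.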


For the victims, the stolen material appears to have been business data rather than core product systems. Huntress said copied information included business contacts, price quotes and sales-related communications, but not threat data, passwords, payment card information or engineering data tied to its agent or telemetry. Recorded Future said the impact was limited to business data fields in its Salesforce database, including client contact names and email addresses, and that some contract information may also have been included. Jamf said a third party gained unauthorized access to Jamf Salesforce instance data through Klue’s integration.

The victim list has continued to widen beyond the first companies named, with ReliaQuest, Sprout Social, Gong and Insurity also publicly reported or confirmed as affected. Huntress said emails from the extortion group began arriving on June 16, warning recipients that their data had been downloaded and demanding contact within 48 hours. The group calling itself Icarus later claimed responsibility and threatened to publish the material, underscoring how supply-chain exposure can turn a single SaaS compromise into a broader extortion campaign.


Salesforce said the issue involved the app’s connection to Salesforce, not a vulnerability in Salesforce itself. That distinction matters: the breach was not about one company losing control of its own perimeter, but about what happens when vendors, sales platforms and trusted integrations share the same attack surface.
