TempMail Ninja

SaaS Supply Chain Attack: Klue Breach Exposes Salesforce Data


The enterprise defense perimeter is no longer defined by a traditional firewall, but by the web of API connections tying cloud platforms together. That architectural weakness was laid bare by a SaaS supply chain attack on the market-intelligence platform Klue, which ultimately exposed the Salesforce Customer Relationship Management (CRM) environments of several prominent technology and cybersecurity firms. By stealing the OAuth tokens that customers had delegated to Klue, rather than any user's password, the threat actors obtained persistent access to sensitive sales pipelines without ever passing through a login, MFA or SSO check, highlighting the systemic danger of integration-layer compromise.

Understanding the Blueprint of a Modern SaaS Supply Chain Attack

According to official disclosures and incident response reports, the compromise began on June 11, 2026, when threat actors exploited an active, legacy testing credential to gain unauthorized access to Klue’s backend infrastructure. This prototype credential, a relic of early-stage software development, had remained dormant but fully functional within the environment—a classic gap in enterprise credential lifecycle management. Once inside, the attackers did not seek to exfiltrate database backups directly; instead, they targeted the integration engine that facilitates automated synchronization between Klue and its downstream customers.

The threat actors deployed a malicious code update directly to Klue’s integration infrastructure, specifically targeting the “Klue Battlecards” application. The unauthorized code harvested the active OAuth access and refresh tokens that customers had granted so Klue could connect to their other platforms. OAuth tokens are bearer credentials: whoever presents a valid token receives the access that was delegated to it, with no password and no further proof of identity, so the attackers acquired pre-authorized access into customer environments. Multi-factor authentication (MFA) and single sign-on (SSO) gate the interactive login at which a token is first issued; they are not re-evaluated on the backend API calls that the token subsequently authorizes, which is why those controls never came into play.

The Exfiltration Playbook: Inside the Attackers’ REST API Queries

Technical analysis provided by security researchers, notably from ReliaQuest, paints a detailed picture of how the attackers used the stolen tokens. Armed with harvested OAuth tokens, the adversaries had no need for administrative panels or human user interfaces. Instead, they ran automated Python scripts issuing REST API requests directly against Salesforce endpoints. The attack sequence unfolded in two distinct phases:

  • Phase 1: Silent Footprint and Slow Extraction – The attackers began by conducting reconnaissance of each victim’s data schema, enumerating the organization’s object catalog with the endpoint GET /services/data/v59.0/sobjects (the REST API’s describeGlobal call, which lists every standard and custom object in the org). Once the schema was mapped, automated scripts ran a slow, looped query sequence against the query endpoint (/services/data/v59.0/query), following each response’s nextRecordsUrl to fetch the next page of results, the REST counterpart of the SOAP QueryMore cursor. Spread over roughly 24 hours, this traffic was meant to blend in with legitimate API synchronization, mimicking the behavior of the Klue Battlecards integration.
  • Phase 2: High-Velocity Burst Extraction – In several victim environments, the attackers abandoned stealth in favor of speed. Researchers observed a concentrated, heavy burst of nearly 1,000 queries fired within a brief 15-minute window. In other environments, sustained, high-volume data exfiltration windows persisted for more than six hours. This shift suggests a pivot to high-priority sales pipeline targets or an effort to maximize data harvesting before security operations centers (SOCs) could detect the anomalous activity.

Remarkably, the automation was identifiable by its Python-urllib user-agent strings; the threat actors made no attempt to mask their tooling’s library signature. Despite this telltale sign, the traffic authenticated with valid OAuth tokens and, like all SaaS-to-SaaS traffic, originated from infrastructure outside the victims’ networks, so existing security layers initially treated the queries as legitimate partner-vendor activity.
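The sequence above, as an added example that is not code from Klue, Salesforce, ReliaQuest or the attackers: a small in-memory stand-in for the two Salesforce REST endpoints the article names, driven by a client that behaves exactly as a legitimate sync integration (and therefore a holder of a stolen token) would. It shows three things the prose only states: the describeGlobal catalog call, the nextRecordsUrl paging loop, and that nothing in the API path ever consults MFA or SSO, so the only effective containment is invalidating the token, which is what disabling the connected app does. Every object name, record, token string and cursor format here is constructed for illustration.

```python
"""Constructed model of a Salesforce org's REST surface (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import urllib.parse

API = "/services/data/v59.0"
PAGE_SIZE = 2  # real orgs page 2,000 records by default; tiny here so paging is visible


@dataclass
class FakeSalesforceOrg:
    tokens: Dict[str, str]                       # access token -> connected app it was issued to
    revoked_apps: set = field(default_factory=set)
    objects: Dict[str, List[dict]] = field(default_factory=dict)
    request_log: List[str] = field(default_factory=list)

    def handle(self, method: str, path: str, headers: dict) -> Tuple[int, dict]:
        """Dispatch one request. There is deliberately no MFA/SSO step here: the bearer
        token *is* the completed authorization, which is what the article means when it
        says those controls were bypassed."""
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        app = self.tokens.get(token)
        self.request_log.append(path)
        if app is None or app in self.revoked_apps:
            return 401, {"error": "INVALID_SESSION_ID"}   # same error a revoked app gets
        if method == "GET" and path == f"{API}/sobjects":
            return 200, {"sobjects": [{"name": n} for n in self.objects]}  # describeGlobal
        if method == "GET" and path.startswith(f"{API}/query"):
            return self._query(path)
        return 404, {}

    def _query(self, path: str) -> Tuple[int, dict]:
        parsed = urllib.parse.urlparse(path)
        if parsed.path == f"{API}/query":                # first page: ?q=<SOQL>
            soql = urllib.parse.parse_qs(parsed.query)["q"][0]
            obj, offset = soql.split(" FROM ")[1].split()[0], 0
        else:                                            # /query/<cursor>; cursor format is constructed
            obj, off = parsed.path.rsplit("/", 1)[1].split("-")
            offset = int(off)
        rows = self.objects.get(obj, [])
        page = rows[offset:offset + PAGE_SIZE]
        done = offset + PAGE_SIZE >= len(rows)
        body = {"totalSize": len(rows), "done": done, "records": page}
        if not done:
            body["nextRecordsUrl"] = f"{API}/query/{obj}-{offset + PAGE_SIZE}"
        return 200, body


def dump_object(org: FakeSalesforceOrg, token: str, obj: str) -> Tuple[int, List[dict]]:
    """Follow nextRecordsUrl until done, as any sync client does. This REST loop is the
    counterpart of the SOAP QueryMore cursor the article mentions."""
    headers = {"Authorization": f"Bearer {token}"}
    status, body = org.handle("GET", f"{API}/query?q=SELECT+Id,Name+FROM+{obj}", headers)
    if status != 200:
        return status, []
    records = list(body["records"])
    while not body["done"]:
        status, body = org.handle("GET", body["nextRecordsUrl"], headers)
        records.extend(body["records"])
    return status, records


def build_demo_org() -> FakeSalesforceOrg:
    # Constructed data: one token issued to the integration, two objects with a few rows.
    org = FakeSalesforceOrg(tokens={"tok-klue-battlecards-0001": "Klue Battlecards"})
    org.objects = {
        "Account": [{"Id": f"001{i:03d}", "Name": f"Customer {i}"} for i in range(5)],
        "Opportunity": [{"Id": f"006{i:03d}", "Name": f"Deal {i}", "Amount": 1000 * i} for i in range(3)],
    }
    return org


def run_scenario() -> dict:
    org, token = build_demo_org(), "tok-klue-battlecards-0001"
    # 1. reconnaissance: enumerate the object catalog with the stolen bearer token
    _, catalog = org.handle("GET", f"{API}/sobjects", {"Authorization": f"Bearer {token}"})
    names = [o["name"] for o in catalog["sobjects"]]
    # 2. paged extraction of every object the token can read
    dumped = {n: dump_object(org, token, n)[1] for n in names}
    # 3. platform-side containment: disabling the connected app invalidates all of its tokens
    org.revoked_apps.add("Klue Battlecards")
    status_after, _ = dump_object(org, token, "Account")
    return {"catalog": names, "dumped": dumped,
            "requests": len(org.request_log), "status_after_revoke": status_after}


if __name__ == "__main__":
    print(run_scenario())
```

Note that the client never sees a login page, a challenge or an SSO redirect at any point; the token alone carries the delegated authorization. Note also the request count: enumerating the catalog and draining two small objects takes a handful of calls, and at the real default page size of 2,000 records an entire CRM can be pulled in a modest number of requests, which is why the slow phase the article describes can hide inside normal sync volumes.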

Downstream Impact: Cybersecurity Giants in the Crosshairs

The ultimate targets of this compromise were not Klue’s own internal assets, but the highly sensitive commercial datasets stored within the Salesforce instances of its enterprise clientele. By June 22, 2026, a growing list of major technology and cybersecurity vendors confirmed that their CRM systems had been accessed and copied during the attackers’ window of opportunity. The impacted firms included:

  • Huntress, which confirmed that the exposed data included business names, client contact information, pricing quotes, and specific products used.
  • Recorded Future, which reported that business-facing records containing client contact details and deal histories were copied.
  • Jamf, which disclosed that the integration had been used by an unauthorized party to access and exfiltrate localized CRM records.
  • Tanium and ReliaQuest, both of which validated that their Salesforce instances were queried by the unauthorized third party using the compromised integration.
  • HackerOne, which published a security advisory confirming that CRM-related data—such as business relationship records and sales activity details—was copied. HackerOne reassured stakeholders that its strict data-segmentation policies prohibited any customer vulnerability data from residing in its Salesforce instance.
  • Sprout Social, Gong, and Insurity, which reported varying degrees of exposure, largely confined to business contact details, pricing structures, and commercial sales communications.

Every affected organization emphasized that the breach did not compromise their core product infrastructure, internal network databases, customer telemetry, billing systems, passwords, or security analysis tools. The exposure was strictly compartmentalized to the CRM and commercial data accessible via the permissions granted to the Klue Battlecards integration.

Attribution and Extortion: The Rise of the ‘Icarus’ Threat Actor

Responsibility for the campaign has been claimed by “Icarus,” an emerging extortionist threat group that has been active since April 2026. Rather than deploying encrypting ransomware to paralyze corporate endpoints, Icarus operates a pure data-exfiltration and extortion model. The group has listed Klue and several of the affected organizations on its dark web leak site, publishing sample screenshots of the stolen Salesforce CRM data in an effort to force the companies into payment negotiations.

Rather than relying on public email accounts or compromised corporate domains, the group has reportedly initiated extortion demands and communications through secure, decentralized messaging platforms such as Session Messenger. To support containment, digital forensics, and incident response, Klue immediately engaged the cybersecurity firm CrowdStrike. In tandem, Salesforce stepped in on June 17, 2026, by completely disabling the Klue Battlecards application integration across its global platform, cutting off the attackers’ access vectors even in environments where local administrators had not yet revoked the tokens.

The Broader Pattern: Echoes of Drift and Gainsight Compromises

Security experts emphasize that the Klue incident is not an isolated event, but part of a persistent, escalating trend. Throughout 2025 and early 2026, the Salesforce ecosystem was hit by similar OAuth-abuse campaigns targeting trusted SaaS integrations. Understanding this history is critical to recognizing how threat actors have systematically shifted their focus:

  1. The Salesloft Drift Campaign (August 2025) – Attributed to the threat cluster tracked as UNC6395 (frequently associated with ShinyHunters), this attack exploited compromised OAuth tokens linked to the Drift AI customer-engagement integration. Attackers breached over 700 Salesforce accounts, looking specifically for AWS and Snowflake access credentials stored insecurely within CRM records.
  2. The Gainsight Incident (November 2025) – Shortly thereafter, attackers compromised Gainsight’s integration layer. Security advisories revealed that hackers leveraged credentials gained during the earlier Salesloft Drift breach to pivot into Gainsight, ultimately stealing active OAuth refresh tokens to exfiltrate bulk datasets from enterprise Salesforce instances.

The repetition of this playbook underscores a critical shift in cybercrime: threat actors have realized that targeting individual, highly secured enterprises is less efficient than compromising the third-party SaaS vendors those enterprises trust. By breaching a single integration partner like Klue, adversaries can effortlessly unlock the digital front doors of hundreds of high-value downstream corporations simultaneously.

Hardening the Integration Perimeter: Strategic Remediation for Enterprises

The Klue breach serves as a stark reminder that integration security must be treated with the same rigor as endpoint and user security. To prevent future incidents, organizations must transition from a mindset of implicit trust to a strict Zero Trust architecture at the API layer. Security leaders recommend several critical hardening steps:

  • Implement Strict Least-Privilege Scoping – Integrations should never be granted global read/write access to CRM environments. Administrators should configure OAuth scopes to the minimum the integration needs to function, and should remember that scopes bound only the kind of API access (for example, “api” versus “full”); which objects and fields a token can read is decided by the profile and permission sets of the user who authorized it. Each integration should therefore authenticate as a dedicated integration user holding a minimal permission set, never as an administrator, so that a compromised token cannot be used to query unrelated objects.
  • Establish Real-Time SaaS Integration Inventories – Organizations must maintain a continuously updated catalog of every third-party application authorized via OAuth. This inventory should detail the owner of the integration, the specific data elements accessed, and the expiration policies of the associated tokens.
  • Enforce Short-Lived Tokens and Frequent Rotation – Long-lived access tokens and, above all, refresh tokens that remain valid until revoked are high-value targets. Organizations should configure their CRM and identity providers to enforce short expiration windows, forcing integrations to re-authenticate and reducing the lifetime utility of a stolen token.
  • Restrict API Access by IP and Source Network – Although SaaS-to-SaaS communication is cloud-native, organizations should work with integration vendors to establish trusted IP ranges. By restricting API access to known, approved netblocks associated with the vendor’s actual infrastructure, defenders can block automated scripts executing from unauthorized threat actor proxy networks or compromised servers.
  • Monitor and Alert on Anomalous API Activity – Security operations teams must ingest CRM access and event logs into SIEM systems and baseline what each integration normally does. Continuous monitoring should look for object catalog enumeration (GET /sobjects requests, which a working integration rarely needs to repeat), sudden bursts in query volume from a single integration (e.g., nearly 1,000 queries in 15 minutes), and library user-agents such as Python-urllib appearing under a vendor’s credentials in place of the vendor’s usual client signature.
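
The three detections in the last bullet, run over constructed API log lines, as an added example that is not tooling from ReliaQuest, Salesforce or any vendor named in the article. The CSV layout (timestamp, client, user_agent, method, uri) and the expected user-agent prefix for the integration are assumptions standing in for whatever your CRM’s event-log export and your vendor baseline actually contain; adapt the parser and the EXPECTED_UA table to those. The sample log reproduces the pattern the article describes: hours of normal sync traffic, then a catalog enumeration from Python-urllib followed by about 1,050 query calls inside 14 minutes.

```python
"""Constructed detection example (added here, not vendor code)."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 1000                       # the article's observed burst size
LIBRARY_UA_PREFIXES = ("python-urllib", "python-requests", "curl/", "go-http-client")
# Assumed baseline: the user-agent prefix each integration is known to send.
EXPECTED_UA = {"Klue Battlecards": ("klue-sync/",)}


def parse_log(text: str) -> list:
    """Parse the constructed CSV export into dicts carrying a datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def detect(rows: list, threshold: int = BURST_THRESHOLD, window: timedelta = BURST_WINDOW) -> list:
    """Return alert dicts for catalog enumeration, foreign tooling and query bursts.
    Rows must be in timestamp order; each (client, rule) pair is raised once."""
    alerts, raised = [], set()
    query_times = defaultdict(deque)         # client -> timestamps of /query calls in window

    def raise_once(client, rule, ts, detail):
        if (client, rule) not in raised:
            raised.add((client, rule))
            alerts.append({"ts": ts, "client": client, "rule": rule, "detail": detail})

    for r in rows:
        client, ts, ua = r["client"], r["ts"], r["user_agent"].lower()
        uri = r["uri"].split("?", 1)[0]
        # 1. describeGlobal is a one-off setup call, not routine sync traffic
        if r["method"] == "GET" and uri.rstrip("/").endswith("/sobjects"):
            raise_once(client, "catalog_enumeration", ts, uri)
        # 2. a bare HTTP library UA under credentials that normally carry the vendor's UA
        expected = EXPECTED_UA.get(client)
        if ua.startswith(LIBRARY_UA_PREFIXES) and expected and not ua.startswith(expected):
            raise_once(client, "tooling_signature", ts, r["user_agent"])
        # 3. sliding-window count of /query calls per client
        if "/query" in uri:
            q = query_times[client]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                raise_once(client, "query_burst", ts, len(q))
    return alerts


def build_sample_log() -> str:
    """Constructed log, not real telemetry: six hours of one query every ten minutes,
    then the burst pattern from the article at a fixed start time."""
    start = datetime(2026, 6, 12, 0, 0, 0)
    lines = ["timestamp,client,user_agent,method,uri"]
    for i in range(36):
        t = start + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()},Klue Battlecards,klue-sync/2.3,GET,"
                     f"/services/data/v59.0/query?q=SELECT+Id+FROM+Account")
    t0 = start + timedelta(hours=6)
    lines.append(f"{t0.isoformat()},Klue Battlecards,Python-urllib/3.11,GET,/services/data/v59.0/sobjects")
    for i in range(1050):
        t = t0 + timedelta(seconds=0.8 * i)
        lines.append(f"{t.isoformat()},Klue Battlecards,Python-urllib/3.11,GET,"
                     f"/services/data/v59.0/query/01g-{i}")
    return "\n".join(lines)


def run_detection() -> list:
    return detect(parse_log(build_sample_log()))


if __name__ == "__main__":
    for a in run_detection():
        print(a["ts"], a["client"], a["rule"], a["detail"])
```

The caveat a practitioner will notice immediately: the burst rule only catches Phase 2. The slow, 24-hour Phase 1 the article describes sits comfortably under any volume threshold, and the only rules that fire on it here are the catalog enumeration and the user-agent mismatch, both of which depend on knowing what the integration normally looks like. Baselining per integration (its usual user-agent, which objects it queries, whether it ever paginates deep into a result set) is what turns this from a threshold alarm into a detection.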

As enterprise operations increasingly rely on seamless, automated cloud integrations, the security of the API ecosystem will dictate the resilience of the modern business. The compromise of Klue’s legacy credentials has illustrated how easily a forgotten backend door can lead to the systematic exposure of high-value corporate pipelines. Only by auditing, monitoring, and strictly limiting the permissions of their trusted SaaS dependencies can enterprises hope to break the cycle of OAuth-abuse supply chain attacks.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.