Threat actors silently exfiltrated enterprise Salesforce CRM data by hijacking a trusted third-party OAuth integration, confirming that non-human identities are now the preferred attack vector in SaaS ecosystems.
Researchers at ReliaQuest have uncovered a sophisticated data theft campaign in which attackers compromised the Klue Battlecards integration, a competitive intelligence platform widely used across enterprise sales teams, to silently exfiltrate Salesforce CRM records from multiple organizations.
The incident, detected in June 2026, marks the latest and most technically sophisticated chapter in an escalating pattern of OAuth abuse attacks targeting Salesforce-connected SaaS environments.
In direct response, Salesforce officially disabled the Klue Battlecards app’s connection to its platform, stating: “Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce.”
Salesforce explicitly confirmed that the issue does not stem from any vulnerability within its platform but rather from a compromise of Klue’s integration service account credentials.
Attackers began by authenticating through a compromised Klue integration service account: a non-human identity that already held valid, persistent OAuth access to target Salesforce environments.
After generating OAuth tokens, they deployed automated Python scripts, fingerprinted by Python-urllib user-agent strings, to systematically query Salesforce’s REST API and extract CRM data at scale.
The intrusion followed a deliberate two-phase exfiltration pattern designed to evade detection:
- Phase 1 – Low-and-slow extraction: Attackers first enumerated each organization’s object catalog via GET /services/data/v59.0/sobjects, then executed sustained looped REST API queries for nearly 24 hours, paginating through the QueryMore cursor to mimic legitimate integration traffic.
- Phase 2 – Burst extraction: In at least one environment, nearly 1,000 queries were fired in a single 15-minute window, trading stealth for speed, likely signaling time pressure or a pivot toward high-value records. A separate incident involved sustained extraction lasting over 6 hours.
The CRM data potentially accessed through the integration included account records, contact details, deal outcomes, and proprietary pricing data, depending on how each organization had scoped the integration’s permissions.
ReliaQuest researchers noted that the attack methodology closely mirrors tactics associated with ShinyHunters and UNC6395, two threat clusters responsible for a series of high-profile Salesforce OAuth abuse incidents throughout 2025 and 2026.
In June 2025, ShinyHunters leveraged voice phishing (vishing) to trick enterprise employees into authorizing malicious connected apps, then bulk-extracted Salesforce data for extortion.
In August 2025, UNC6395 stole OAuth refresh tokens from the Salesloft Drift integration and used them to query and exfiltrate Salesforce data across hundreds of organizations, the closest public analog to the Klue incident.
However, ReliaQuest stopped short of formal attribution. Key technical differences exist: UNC6395 previously used python-requests, Salesforce-CLI, and Tor infrastructure, whereas this campaign used a generic Python-urllib agent and data-center-hosted infrastructure.
Separate reporting has also surfaced a possible link to a threat cluster known as “Icarus,” which launched an extortion campaign following the Klue OAuth breach. No extortion demands or leak-site postings had been confirmed at the time of ReliaQuest’s publication.
The core vulnerability here is structural, not technical. Third-party SaaS integrations like Klue Battlecards operate as non-human identities that authenticate with valid credentials, hold persistent broad API access to sensitive data, and are almost never monitored with the same rigor as human user accounts.
Because the Klue service account was “trusted,” a 24-hour automated query loop ran undetected, generating no behavioral alerts that would typically flag a compromised employee account.
ReliaQuest’s GreyMatter platform correlated three otherwise low-fidelity signals (an OAuth token refresh from an integration account, a sustained REST API query spike, and a sudden burst to nearly 1,000 queries in 15 minutes) into a single intrusion narrative, demonstrating why API-layer visibility is critical in integration-heavy enterprise environments.
Indicators of Compromise (IOCs)
| Artifact | Type |
|---|---|
| 138.226.246[.]94 | IP Address |
| 212.86.125[.]24 | IP Address |
| 213.111.148[.]90 | IP Address |
| 94.154.32[.]160 | IP Address |
Immediate Remediation Steps
Organizations using Klue or any Salesforce-connected integration should take the following actions immediately:
- Revoke and rotate all credentials — including service-account passwords, OAuth refresh tokens, client secrets, and active OAuth grants; revoking the refresh token (not just resetting the password) is what severs persistent attacker access.
- Audit Salesforce REST API logs — hunt for abnormal query volumes, repeated QueryMore pagination, Python-urllib user-agent strings, and access from unrecognized IP ranges.
- Enforce IP allowlisting — restrict all connected app and SIEM/SOAR API access to approved, known infrastructure, blocking and alerting on any out-of-scope requests.
- Inventory all third-party OAuth connections — treat every connected app as part of your attack surface and enforce least-privilege scoping on all integration permissions.
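A defender-side hunt over API log records that checks for the indicators named in the audit step above and the burst signal GreyMatter correlated, written here as an added example rather than ReliaQuest's or Salesforce's own detection logic. The log record fields (ts, ip, user_agent, uri), the allowlist and the sample events are constructed assumptions; the QueryMore cursor path shape follows the nextRecordsUrl form Salesforce's REST API returns.

```python
"""Hunt Salesforce REST API log records for: Python-urllib user agents,
repeated QueryMore cursor pagination, source IPs outside the allowlist,
and a query burst inside a 15-minute window. Record fields are assumed."""
from collections import deque
from datetime import datetime, timedelta
import re

# QueryMore follow-up URIs look like /services/data/v59.0/query/<cursorId>-<offset>
QUERYMORE_RE = re.compile(r"/services/data/v\d+\.\d+/query/[^/?]+-\d+$")

def is_querymore(uri):
    """True for a cursor-pagination URI, False for an initial ?q=SOQL query."""
    return bool(QUERYMORE_RE.search(uri))

def max_requests_in_window(timestamps, window=timedelta(minutes=15)):
    """Largest number of requests that fall inside any sliding window."""
    best, recent = 0, deque()
    for t in sorted(timestamps):
        recent.append(t)
        while t - recent[0] > window:   # evict events older than the window
            recent.popleft()
        best = max(best, len(recent))
    return best

def hunt(events, allowed_ips, burst_threshold=1000):
    """Summarise the indicators found in a list of API log dicts."""
    found = {
        "urllib_requests": sum("Python-urllib" in e["user_agent"] for e in events),
        "querymore_requests": sum(is_querymore(e["uri"]) for e in events),
        "foreign_ips": sorted({e["ip"] for e in events if e["ip"] not in allowed_ips}),
        "max_15min_burst": max_requests_in_window(e["ts"] for e in events),
    }
    found["burst"] = found["max_15min_burst"] >= burst_threshold
    return found

def constructed_events():
    """Constructed sample: three hourly legitimate syncs, then a Phase-2 style
    burst of 1,000 QueryMore requests in 15 minutes from a non-allowlisted IP."""
    t0 = datetime(2026, 6, 1, 2, 0)
    events = [{"ts": t0 + timedelta(hours=h), "ip": "203.0.113.10",
               "user_agent": "KlueSync/1.0 (constructed)",
               "uri": "/services/data/v59.0/query?q=SELECT+Id+FROM+Account"}
              for h in range(3)]
    for i in range(1000):   # one request every 0.9 s for 15 minutes
        events.append({"ts": t0 + timedelta(hours=6, seconds=int(i * 0.9)),
                       "ip": "192.0.2.77", "user_agent": "Python-urllib/3.11",
                       "uri": f"/services/data/v59.0/query/01gEXAMPLE-{i * 2000}"})
    return events

if __name__ == "__main__":
    print(hunt(constructed_events(), allowed_ips={"203.0.113.10"}))
```

In a real deployment the event list would come from Salesforce Event Monitoring or the SIEM, and the allowlist from the integration's approved egress ranges.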
ReliaQuest assessed that it is highly likely that threat actors will continue targeting Salesforce-connected third-party integrations through the remainder of 2026, warning that the OAuth-abuse playbook is “repeatable, effective, and now widely adopted”.
Frequently Asked Questions
Q1: What is the Klue Battlecards Salesforce breach?
Attackers compromised Klue’s OAuth integration service accounts to silently exfiltrate enterprise CRM data from Salesforce environments via automated REST API queries.
Q2: Has Salesforce been hacked directly?
No, Salesforce confirmed the issue is limited to Klue’s app connection and does not reflect any vulnerability within the Salesforce platform itself.
Q3: Who is behind the Klue Salesforce OAuth attack?
Attribution is unconfirmed; the attack resembles prior campaigns by ShinyHunters and UNC6395, with separate reporting linking it to a cluster called “Icarus,” but no definitive evidence has been published.
Q4: How can organizations protect Salesforce from OAuth integration attacks?
Revoke and rotate all OAuth refresh tokens and service-account credentials, enforce IP allowlisting on connected apps, audit REST API logs for anomalous activity, and apply least-privilege scoping to all third-party integrations.