What happened
Salesforce temporarily turned off the Klue Battlecards integration after its security team spotted suspicious activity that could have let attackers reach some customer records via the app connection. The issue appears to be tied to Klue’s integration plumbing rather than a flaw in Salesforce itself.
The intrusion began when a threat actor used a forgotten-but-still-active credential belonging to Klue’s integration infrastructure. That credential let the attacker move inside Klue and grab a stash of OAuth tokens that Klue used to connect to customers’ systems, including Salesforce. Once the tokens were in hand, the bad actor queried connected CRM environments and exfiltrated sales-related data from some customers. One victim reported that things like business contacts and price quotes were taken, while sensitive items like passwords and payment card data were not impacted.
The group claiming responsibility — calling itself Icarus — has been linked to the leak and tried to extort at least some victims. Analysis from security researchers found the attacker automated the theft with scripts that enumerated Salesforce objects, paginated through query results, and performed a high volume of requests over hours to pull as much CRM data as possible.
Why this matters and what to do
This incident is a classic example of how third-party integrations can become the weakest link. Those integrations act as non-human identities with often broad, persistent permissions, yet they tend to be monitored less strictly than employee accounts. When an integration is compromised, an attacker can launch long-running, automated data grabs without the usual human-user alarms.
Actions Klue reported taking:
- Revoked the affected credentials and tokens.
- Removed unauthorized code and blocked remote access.
- Disabled potentially impacted integrations and launched a full investigation.
- Communicated directly with affected customers to help with incident response.
Recommended steps for organizations using third-party integrations:
- Audit integration accounts and remove any long-unused or prototype credentials — those old keys are a favorite backdoor for attackers.
- Enforce least privilege for integrations and rotate credentials and tokens regularly.
- Monitor API usage for abnormal patterns (bursts of queries, strange user-agent strings, or long automated pagination loops).
- Require multi-party approval or scoped permissions for third-party connections where possible.
- Have a playbook for revoking tokens and isolating connected systems quickly when a vendor reports a compromise.
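As an added illustration of the monitoring point in the list above (this is example code written here, not code from the article, Klue or Salesforce), the script below runs three checks over a CRM API access log: a sliding-window request-rate check per integration identity, a check for long unbroken runs of result-set paging calls, and a user-agent allow-list per integration. The log format, field names, the integration name "battlecards-integration", the user-agent strings, the thresholds and the sample records are all constructed for the example; real platforms log these details under their own field names, so the parser is the part to adapt.

```python
"""Flag anomalous API activity by an integration identity: request bursts,
long automated pagination loops, and unexpected user-agent strings.
Added example; log format, client name, user agents and thresholds are
constructed for illustration, not taken from any vendor or incident."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical per-integration allow-list of user agents (constructed).
EXPECTED_USER_AGENTS = {"battlecards-integration": {"BattlecardsSync/1.0"}}


@dataclass
class ApiEvent:
    ts: datetime
    client: str      # the connected-app / integration identity making the call
    op: str          # "query" opens a result set, "queryMore" pages through it
    sobject: str
    user_agent: str


def parse_log(lines):
    """Parse one JSON record per line into ApiEvent objects, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(ApiEvent(datetime.fromisoformat(rec["ts"]), rec["client"],
                               rec["op"], rec["object"], rec["ua"]))
    return sorted(events, key=lambda e: e.ts)


def detect_bursts(events, window=timedelta(seconds=60), threshold=30):
    """Per client, the largest request count in any sliding window;
    only clients at or above the threshold are reported."""
    stamps_by_client = defaultdict(list)
    for e in events:
        stamps_by_client[e.client].append(e.ts)
    findings = {}
    for client, stamps in stamps_by_client.items():
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[client] = peak
    return findings


def detect_pagination_loops(events, threshold=20):
    """Per client, the longest unbroken run of queryMore calls; a scheduled
    sync pages a little, a bulk pull pages until the object is exhausted."""
    run, longest = defaultdict(int), defaultdict(int)
    for e in events:
        if e.op == "queryMore":
            run[e.client] += 1
            longest[e.client] = max(longest[e.client], run[e.client])
        else:
            run[e.client] = 0
    return {c: n for c, n in longest.items() if n >= threshold}


def detect_unexpected_user_agents(events, expected=EXPECTED_USER_AGENTS):
    """User-agent strings seen for a client that are not on its allow-list."""
    findings = defaultdict(set)
    for e in events:
        allowed = expected.get(e.client)
        if allowed is not None and e.user_agent not in allowed:
            findings[e.client].add(e.user_agent)
    return {c: sorted(v) for c, v in findings.items()}


def analyze(log_text):
    events = parse_log(log_text.splitlines())
    return {
        "bursts": detect_bursts(events),
        "pagination_loops": detect_pagination_loops(events),
        "unexpected_user_agents": detect_unexpected_user_agents(events),
    }


def build_sample_log(include_bulk_pull=True):
    """Constructed log: a day of scheduled hourly syncs and, optionally, a
    scripted bulk pull of 1 query plus 45 queryMore calls inside one minute."""
    def rec(ts, op, sobject, ua):
        return json.dumps({"ts": ts.isoformat(), "client": "battlecards-integration",
                           "op": op, "object": sobject, "ua": ua})
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lines = [rec(base + timedelta(hours=h, seconds=s), "query", obj, "BattlecardsSync/1.0")
             for h in range(24) for s, obj in ((0, "Account"), (5, "Opportunity"))]
    if include_bulk_pull:
        t0 = base + timedelta(days=1, hours=2)
        lines.append(rec(t0, "query", "Contact", "custom-script/0.1"))
        lines += [rec(t0 + timedelta(seconds=i), "queryMore", "Contact", "custom-script/0.1")
                  for i in range(1, 46)]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, hits in analyze(build_sample_log()).items():
        print(f"{name}: {hits or 'nothing flagged'}")
```

The three checks are deliberately independent: a burst from the expected user agent, or a long paging run at a normal rate, each still raises a finding, so an attacker who reuses the integration's own client string does not silence the other two. Thresholds should be set from each integration's observed baseline rather than the constructed values used here.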
Security firms noted the techniques here echo previous incidents that abused third-party OAuth integrations to reach Salesforce environments. Whether you call it karma or just bad luck, the takeaway is the same: if you trust a vendor connection, treat it like an administrator and watch it closely.
If your organization uses Klue or similar tools, check your integration logs, rotate any service credentials, and coordinate with your vendor to confirm all tokens and keys have been revoked.