PROBABLYPWNED
Data Breaches | June 19, 2026 | 3 min read

Klue OAuth Breach Exposes Salesforce CRM Data at Multiple Enterprises

Attackers exploited a compromised Klue Battlecards integration to steal Salesforce CRM data from enterprises including Huntress. Salesforce has disabled the app connection.

Sarah Mitchell

Threat actors exploited a compromised OAuth token in Klue's Battlecards integration to silently harvest Salesforce CRM data from enterprise environments. Salesforce disclosed the incident on June 17 and has since disabled the Klue Battlecards app across all affected customer instances.

The breach demonstrates how third-party SaaS integrations become attack vectors—even when the primary platform remains secure.

What Happened

According to Dark Reading's reporting, attackers obtained a long-lived OAuth refresh token associated with a deprecated integration between Klue and Salesforce. Using this token, they queried Salesforce's REST API through legitimate channels that security monitoring often overlooks.

The attack chain began with object catalog enumeration, mapping available Salesforce objects via the standard /services/data/v59.0/sobjects endpoint. Attackers then looped REST API queries against the query endpoint, paginating through results using QueryMore cursors for nearly 24 continuous hours.

This is the kind of low-and-slow exfiltration that blends with normal API traffic. Without specific monitoring for bulk data access patterns, security teams have little visibility.

Confirmed Victims

Huntress, the endpoint security vendor, confirmed on their blog that they lost CRM data in the attack. Several other companies report that data associated with Salesforce and Gong integrations was successfully exfiltrated.

The full victim list hasn't been disclosed, but any organization using Klue Battlecards with Salesforce integration should assume potential exposure and audit their logs.

OAuth Token Compromise

The root cause traces to a "dormant" OAuth token—credentials from a deprecated integration that remained valid long after the integration itself stopped being used. This is a common problem: organizations add SaaS integrations, forget about them, and never revoke the associated credentials.

OAuth refresh tokens don't expire by default in many implementations. A token issued in 2023 for a pilot project can still authenticate in 2026 if no one explicitly revokes it. Attackers who compromise any part of that integration's supply chain inherit all of its permissions.

Salesforce's Response

Salesforce has disabled the Klue Battlecards app connection across all customer environments as a containment measure. Organizations cannot re-enable the integration until Klue completes its security review and implements additional controls.

For customers needing competitive intelligence functionality, this creates operational disruption alongside the security incident.

Lessons for Security Teams

This breach follows a pattern we've seen repeatedly with OAuth-based attacks against enterprise SaaS. Defense requires:

  1. Regular OAuth token audits - Review all third-party app connections quarterly
  2. Remove dormant integrations - If an app hasn't been used in 90 days, revoke its tokens
  3. API access monitoring - Alert on bulk data queries, especially from third-party apps
  4. Scope minimization - Grant integrations only the permissions they actively need
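As an added illustration of the monitoring item above and of the enumeration-then-pagination pattern described earlier (example code, not the page's or Salesforce's own), the following Python flags a connected app that lists the object catalog and then pages the query endpoint for hours. The log layout, app names and cursor ids are constructed; real Salesforce event-log fields differ.

```python
"""Flag connected apps that enumerate /sobjects and then page /query for
hours: a defender-side check for the low-and-slow harvest pattern.
Added example; log format and values are assumptions, not Salesforce's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp, connected app name, request URI.
SAMPLE_LOG = """\
2026-06-15T01:02:10Z CompetitiveIntelApp /services/data/v59.0/sobjects
2026-06-15T01:03:00Z CompetitiveIntelApp /services/data/v59.0/query?q=SELECT+Id+FROM+Account
2026-06-15T01:03:40Z CompetitiveIntelApp /services/data/v59.0/query/01gEXAMPLE-2000
2026-06-15T09:15:00Z CompetitiveIntelApp /services/data/v59.0/query/01gEXAMPLE-4000
2026-06-15T23:50:00Z CompetitiveIntelApp /services/data/v59.0/query/01gEXAMPLE-6000
2026-06-15T08:00:00Z PayrollSync /services/data/v59.0/sobjects/Account/describe
2026-06-15T08:00:05Z PayrollSync /services/data/v59.0/query?q=SELECT+Id+FROM+Contact
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
# Catalog listing is the bare /sobjects root, not a single-object describe.
SOBJECTS_RE = re.compile(r"/services/data/v[\d.]+/sobjects/?$")
# Initial SOQL query or a QueryMore cursor fetch (/query/<cursor>).
QUERY_RE = re.compile(r"/services/data/v[\d.]+/query(/[^/?]+|\?.*)?$")


def parse_log(text):
    """Return (timestamp, app, uri) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events


def find_bulk_harvest(events, min_hours=6, min_query_calls=3):
    """Map app -> details for apps that listed the catalog and then kept
    paging /query for at least min_hours with >= min_query_calls calls."""
    by_app = defaultdict(list)
    for ts, app, uri in sorted(events):
        by_app[app].append((ts, uri))
    findings = {}
    for app, calls in by_app.items():
        enum_ts = next((ts for ts, uri in calls if SOBJECTS_RE.search(uri)), None)
        if enum_ts is None:
            continue
        queries = [ts for ts, uri in calls if ts >= enum_ts and QUERY_RE.search(uri)]
        if len(queries) < min_query_calls:
            continue
        span = queries[-1] - queries[0]
        if span >= timedelta(hours=min_hours):
            findings[app] = {"enumerated_at": enum_ts, "query_calls": len(queries),
                             "span_hours": round(span.total_seconds() / 3600, 1)}
    return findings
```

Thresholds are deliberately conservative; tune min_hours and min_query_calls against each integration's normal sync cadence before alerting.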

Why This Matters

CRM systems hold customer contact information, deal pipelines, conversation histories, and competitive intelligence. Exfiltrating this data enables targeted phishing, competitive espionage, and follow-on attacks against the breached company's customers.

The attack didn't require exploiting any vulnerability—just inheriting a valid token from a compromised integration partner. As organizations connect more SaaS applications, each integration becomes a potential entry point that security teams must continuously monitor.

Review your Salesforce connected apps today. Any integration you don't recognize or haven't used recently should be disconnected immediately.
