Third-Party App Compromises Fuel Ongoing Salesforce Data Theft Spree
Salesforce data thefts continue as threat actors compromise Klue's Battlecards app via OAuth token abuse, following the playbook used in earlier Salesloft Drift and Gainsight breaches. Cybersecurity vendor Huntress confirmed data exfiltration.
Salesforce data thefts have escalated again with the compromise of Klue's Battlecards app, marking the third integrated application abused in a growing pattern of OAuth token attacks against the CRM giant's customers. The breach, disclosed on June 17, 2026, saw Salesforce suspend its integration with Battlecards after detecting unusual activity that led to unauthorized data access via the app's connection.
ReliaQuest researchers confirmed that threat actors used compromised Klue OAuth tokens to exfiltrate customer data, executing a concentrated burst of nearly a thousand queries in 15 minutes against at least one environment. The attackers used automated Python scripts to pull data via the Salesforce REST API over approximately 24 hours, with sustained exfiltration lasting more than six hours.
OAuth Abuse Playbook Repeats Across Third-Party Integrations
The attack followed the same pattern as the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026. According to ReliaQuest, threat actors authenticated through a compromised Klue integration service account, generated OAuth tokens, and accessed integrated Salesforce instances. The attackers then used a slow, steady pull to blend in with normal integration traffic, followed by a rapid burst of queries to extract targeted records.
- Klue's compromise began on June 11 with anomalous behavior in a system connecting to other software platforms.
- Attackers pushed a code update capable of collecting OAuth tokens Klue customers use to connect to their own systems.
- The breach stemmed from a long-disused but still active credential initially created for a third-party integration that was never deployed.
- Huntress confirmed attackers copied business contacts, price quotes, and other sales-related data.
- At least one environment saw a concentrated burst of nearly a thousand queries in 15 minutes.
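The "slow pull, then burst" shape described above is something defenders can hunt for in connected-app API activity. The following is an added example, not code from the article or from any vendor named in it: a sliding-window burst detector run over constructed query events whose fields (timestamp, connected app, operation) are a simplified stand-in for Salesforce event-monitoring records, not the real schema.

```python
"""Flag connected apps whose API query rate spikes inside a sliding window.
Event fields are a simplified, constructed stand-in for Salesforce
event-monitoring records (assumption, not the real log schema)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_events(lines):
    """Each constructed line: '<ISO timestamp>,<connected app>,<operation>'."""
    events = []
    for line in lines:
        ts, app, op = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), app, op))
    return events


def detect_query_bursts(events, window=timedelta(minutes=15), threshold=500):
    """Return {app: (window_start, count)} for every app that issued more
    than `threshold` queries within any span of length `window`.
    Two-pointer sliding window over the sorted timestamps of each app."""
    per_app = defaultdict(list)
    for ts, app, op in events:
        if op == "Query":
            per_app[app].append(ts)
    hits = {}
    for app, stamps in per_app.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop stamps older than the window
                start += 1
            count = end - start + 1
            if count > threshold and (app not in hits or count > hits[app][1]):
                hits[app] = (stamps[start], count)  # keep the densest window seen
    return hits


def constructed_log():
    """Constructed sample: six hours of one query per minute from two apps
    (the blend-in phase), then 950 queries in under 15 minutes from one of them."""
    base = datetime(2026, 6, 15, 2, 0)
    lines = []
    for m in range(6 * 60):
        stamp = (base + timedelta(minutes=m)).isoformat()
        lines.append(f"{stamp},SuspectApp,Query")
        lines.append(f"{stamp},SteadyApp,Query")
    burst = base + timedelta(hours=6)
    for i in range(950):
        lines.append(f"{(burst + timedelta(seconds=i * 0.9)).isoformat()},SuspectApp,Query")
    return lines


if __name__ == "__main__":
    print(detect_query_bursts(parse_events(constructed_log())))
```

Tune `threshold` against each app's own baseline; an integration that normally issues a few queries per minute should never approach hundreds in a quarter hour.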
Broader Implications for SaaS Security and Supply Chain Trust
The attacks underscore a fundamental vulnerability in the software-as-a-service ecosystem: trusted integrations remain a high-value yet little-monitored route to sensitive data. Huntress described the incident as a major supply chain attack, noting that Klue's backend system for market intelligence was breached. The cybersecurity vendor credited Klue for its fast response and forthcoming updates, but the pattern of OAuth abuse suggests the industry's speed obsession has enabled threat actors to exploit integration trust models.
As Salesforce customers assess their exposure, the incident joins a broader trend of attackers targeting cryptocurrency wallets via USB worms and fake GitHub stars, as well as hijacking legitimate news websites to promote malware. The reliance on third-party OAuth tokens, combined with the industry's prioritization of code shipping over security, has created a misleading impression of safety that experts warn will continue to fuel data thefts.
Fact check
- Salesforce suspended integration with Klue's Battlecards app on June 17, 2026. (reported)
- Threat actors used compromised Klue OAuth tokens to exfiltrate customer data via the Salesforce REST API. (reported)
- The attack followed the same pattern as the Salesloft Drift and Gainsight compromises. (reported)
- Huntress confirmed attackers copied business contacts, price quotes, and other sales-related data. (reported)
- The breach stemmed from a long-disused but still active credential. (reported)
Source reporting (5)
- Dark Reading · Salesforce Data Thefts Continue via Klue App Compromise
- BleepingComputer · USB worm spreads crypto-stealing malware via Windows shortcut files
- Infosecurity Magazine · Fake GitHub Stars and AI Videos Mask a Crypto Clipper
- CyberScoop · How software development’s speed obsession enabled TeamPCP’s chaos crusade
- TechRadar Pro · 'This creates a misleading impression of safety': Experts warn of hackers hijacking legitimate news websites and reviews to drum up publicity