June 22, 2026supply chain attacks

How a forgotten service account credential let attackers harvest OAuth tokens from hundreds of companies' Salesforce environments

A credential nobody remembered existed unlocked authenticated access to the Salesforce environments of hundreds of companies simultaneously. No software vulnerability was exploited. No employee was phished. No brute-force attack was run. The entry point was a service account that Klue, a competitive intelligence software company, had created for a prototype integration project, then abandoned without ever deactivating. Attackers found it, used it, and were inside Klue's infrastructure before anyone noticed.

What happened next is the part that should concern every organization that connects a SaaS tool to its CRM. Once inside, the attackers did not hunt for stored tokens. They pushed a malicious code update into Klue's integration layer, positioning it at the exact point where OAuth tokens are created and exchanged as customers' Klue integrations authenticate to Salesforce. The code intercepted those tokens in bulk, in real time, as they flowed through the system. Klue's own platform became the harvesting machine.

With valid OAuth tokens in hand, the attackers authenticated to victim Salesforce environments as the legitimate Klue integration account. From Salesforce's perspective, the token was valid and the access was authorized. Automated scripts then ran nearly 1,000 queries in a single 15-minute burst, sustaining extraction for over six hours across an approximately 24-hour window. At least ten named organizations, including Huntress, HackerOne, Recorded Future, Tanium, and Jamf, confirmed their Salesforce CRM data was exfiltrated. Klue serves more than 250,000 users and has not disclosed the total number of affected customers.

🟡 Level 2

Read the narrative

How the attack unfolded, phase by phase.

6 min read

🔴 Level 3

Go deeper

Technical mechanism, CVE, ATT&CK mapping, primary sources.

4 min read

Does this apply to you?

If your organization connects any SaaS tool to your Salesforce environment via OAuth, you may have a direct exposure to this class of attack: a breach at the SaaS vendor, not at Salesforce, can produce valid tokens that authorize bulk access to your CRM data. If that SaaS vendor also integrates with your Gong, HubSpot, Slack, or SharePoint accounts, your blast radius extends to every platform connected through that vendor's integration layer, potentially including sales communications, contract data, and customer contact records. This pattern applies to any integration platform where a third-party vendor holds OAuth tokens on your behalf, not just Klue or Salesforce. You should check whether your Salesforce environment has API-layer logging enabled and whether you have alerts configured for anomalous query volume from integration accounts. If neither is in place, bulk exfiltration through a compromised integration could be invisible until the attacker tells you about it.

Narrative · 6 min read

The Context

Klue is a competitive intelligence platform used by sales and marketing teams to track competitor activity and share it internally through Battlecards. To do its job, Klue integrates directly with tools sales teams use every day: Salesforce, HubSpot, Gong, Slack, SharePoint, and others. Those integrations require Klue to hold OAuth tokens — the digital keys that authorize one software system to act on behalf of another. Klue serves more than 250,000 users worldwide and hundreds of enterprise customers, many in the technology and cybersecurity sectors.

The breach was detected on June 12, 2026, and Klue began containment the same day. By June 13, Klue had revoked credentials and disabled integrations platform-wide. The exfiltration had already occurred.

Key terms

OAuth token: A digital key that lets one software system access another on your behalf, without sharing your password. When Klue connects to your Salesforce account, it uses an OAuth token to prove it has permission to read your data.
Service account: A non-human account created to let software systems authenticate and communicate with each other. Unlike a user account, no person logs into it daily, which means it can go unnoticed and unaudited for years.
Integration layer: The software infrastructure that manages connections between platforms. When your Salesforce data syncs with another tool, it passes through an integration layer that handles authentication and data transfer.
REST API: A standard method for software systems to request and exchange data over the internet. Salesforce exposes a REST API that authorized applications use to read and write CRM records.
SaaS supply chain attack: An attack that targets a software vendor you trust, rather than your own systems directly. By compromising the vendor, attackers inherit the vendor's authorized access to your environment.

The Attack, Phase by Phase

Phase 1: Initial Access via Forgotten Credential

The attack began with a credential that had outlived its purpose. Klue had created a service account to prototype a third-party integration the company later decided not to build. The prototype was abandoned, but the credential was never decommissioned or rotated. It remained active, valid, and unmonitored.

Attackers obtained this dormant credential and used it to authenticate to Klue's backend integration infrastructure on June 11, 2026. There was no zero-day exploit, no phished employee, no brute-force attack. The credential worked because nobody had thought to revoke it.

Phase 2: Code Injection and Token Harvesting

With a foothold inside Klue's infrastructure, the attackers pushed a malicious code update into Klue's integration layer — positioned at the authentication handshake point, the moment where OAuth tokens are created and exchanged as customers' integrations authenticate to Salesforce and Gong.

As each customer's integration authenticated normally, the injected code intercepted and copied the token. The attackers did not need to compromise each customer individually. They turned Klue's own platform into a collection mechanism, harvesting tokens for dozens of downstream environments simultaneously between June 11 and 12.

Phase 3: Automated CRM Exfiltration via Salesforce REST API

Armed with valid OAuth tokens, the attackers authenticated to victim Salesforce environments as the legitimate Klue integration account. From Salesforce's perspective, the token was valid, the access was authorized, and the session looked like normal Klue activity.

Automated Python scripts queried the Salesforce REST API, executing nearly 1,000 queries in a single 15-minute burst and sustaining extraction windows of over six hours across an approximately 24-hour total window. The only anomaly visible in Salesforce logs was that the source infrastructure had no connection to Klue's known legitimate environment — detectable only with API-layer logging in place. Organizations without it would have seen nothing unusual.

The stolen data included business contacts, sales communications, price quotes, opportunity notes, account records, and in some cases contract information. Gong confirmed internal user data including names, titles, and email addresses was accessed. Recorded Future described its exposure as limited to client contact names, email addresses, and possibly some contract information.

Phase 4: Extortion Campaign and Public Disclosure

Beginning June 16, the Icarus extortion group sent emails to affected organizations with the subject line "top secret email," warning that Salesforce data had been downloaded and giving recipients 48 hours to respond. The emails were routed through compromised mail servers belonging to Global Retail Brands, an Australian retailer. Huntress traced Session Messenger identifiers in the emails to the Icarus dark web leak site and reported the activity to the Australian Cyber Security Centre.

Salesforce disabled the Klue Battlecards integration platform-wide on June 17. Klue CEO Jason Smith published a public statement on June 18. Icarus officially listed Klue as a victim on June 19. By June 22, the confirmed victim list included HackerOne, Huntress, Jamf, Recorded Future, Tanium, Snyk, OneTrust, Sprout Social, Gong, and Insurity.

What Made This Possible

Unmanaged service account credentials. The entry point was a credential created for a project that no longer existed. Organizations routinely create service accounts for integrations, proofs of concept, and vendor evaluations, and rarely audit whether those accounts are still needed. A credential that is never rotated and never reviewed is a permanent open door.
Trusted integration access with no behavioral monitoring. OAuth tokens grant broad, persistent access to enterprise data. Klue's integration had legitimate authorization to query Salesforce on behalf of its customers, but nothing in that authorization model required queries to look like normal integration traffic. Bulk extraction at 1,000 queries in 15 minutes was only distinguishable from routine activity if someone was watching API-layer logs for anomalous volume.
Single-vendor blast radius across hundreds of environments. Klue's position as a shared integration layer meant one compromised credential at one vendor produced authenticated access to hundreds of downstream customer environments simultaneously. No customer had done anything wrong. Their Salesforce security controls were intact. The problem was upstream, in a system they did not control and could not monitor.

What Should Have Stopped This

Credential lifecycle management: Service accounts should be inventoried, reviewed on a schedule, and deactivated when the project they were created for ends. This is the control that would have prevented initial access entirely.
OAuth token scoping and expiration: Tokens scoped to specific data objects and set to expire limit what an attacker can do even with a valid token. Broad, long-lived tokens amplify the damage of any compromise.
API-layer logging and anomaly detection: Salesforce's Event Monitoring feature logs API activity including query volume, source IP, and user-agent strings. Organizations with this logging enabled would have seen nearly 1,000 queries in 15 minutes from an unfamiliar IP range. This is a configuration choice, not a platform limitation.
Third-party integration audits: Organizations should periodically review which SaaS tools hold OAuth tokens to their Salesforce environment, what permissions those tokens carry, and whether the integration is still actively used. Tokens for inactive integrations should be revoked.

The Takeaway

This is the same class of failure as the Stryker Intune wipe: a trusted management tool weaponized against the organizations it was built to serve. The mechanism is identical — an attacker inherits the vendor's authorized access and uses it at scale. The meta-pattern: systems fail when they trust a boundary the attacker controls.

This is also the third major Salesforce ecosystem supply chain breach in under a year, following the Salesloft Drift and Gainsight compromises. ReliaQuest described the OAuth-abuse playbook as "repeatable, effective, and now widely adopted" and predicted repeat attacks for the remainder of 2026. The playbook works because it requires no vulnerability, no phishing, and no perimeter breach — only a forgotten credential and a trusted integration.

Pattern to remember: A SaaS vendor with OAuth access to your data is a security boundary you do not control, and a breach at that vendor is a breach of your data.

What changed: Attackers can now extract an entire CRM without touching the CRM provider's infrastructure, by compromising the integration vendor that holds the keys on your behalf.

Technical Deep Dive · 4 min

The Technical Mechanism

The Klue breach is a SaaS supply chain attack executed in three technical stages: credential reuse for initial access, code injection at the OAuth token exchange point, and automated bulk exfiltration via the Salesforce REST API.

Initial access was achieved using a dormant service account credential. The credential was associated with a Klue prototype integration that had been abandoned but never decommissioned. No CVE applies to this stage. The credential was valid and the authentication succeeded through normal means.

Token harvesting was accomplished by pushing a malicious code update into Klue's integration layer. The code was positioned at the OAuth handshake, intercepting tokens as they were minted during customer integration authentication flows. This is consistent with a server-side code injection into a middleware component, though Klue has not publicly disclosed the specific mechanism by which the code update was pushed or the language or framework of the integration layer. The injected code harvested OAuth tokens for Salesforce and Gong integrations across Klue's customer base.

Exfiltration was executed using automated Python scripts identified by user-agent strings Python-urllib/3.12 and Python-urllib/3.14. The scripts queried the Salesforce REST API endpoint /services/data/v59.0/query/ using the harvested OAuth tokens. Query volume reached approximately 1,000 requests in a 15-minute window, with sustained extraction periods exceeding six hours across an approximately 24-hour total window. Login events were recorded in Salesforce audit logs but originated from infrastructure inconsistent with Klue's known legitimate environment, specifically data-center hosting with no connection to Klue's normal IP footprint.

No CVE has been assigned to this attack. The vulnerability class is credential management failure (ungoverned service account lifecycle) combined with insufficient OAuth token scoping and absent API behavioral monitoring.

CVE and Advisories

No CVE has been assigned to this incident. The attack did not exploit a software vulnerability in Salesforce, Klue's published application, or any third-party platform. The root cause is a credential management and access governance failure.

Salesforce issued a platform notice on June 17, 2026, when it disabled the Klue Battlecards integration, explicitly clarifying that the issue was limited to Klue's app connection and did not arise from a vulnerability in the Salesforce platform. No Salesforce advisory ID has been published.

MITRE ATT&CK Mapping

Technique ID	ATT&CK name	How it appeared
T1078.004	Valid Accounts: Cloud Accounts	Attackers used a dormant but valid Klue service account credential to authenticate to Klue's backend integration infrastructure.
T1556	Modify Authentication Process	Malicious code was injected into Klue's integration layer at the OAuth token exchange point to intercept tokens as they were minted.
T1528	Steal Application Access Token	OAuth tokens for customer Salesforce and Gong integrations were harvested in bulk via the injected code.
T1530	Data from Cloud Storage	Automated scripts queried the Salesforce REST API to extract CRM records including contacts, quotes, opportunity notes, and contract data.
T1567	Exfiltration Over Web Service	Data was exfiltrated via the Salesforce REST API endpoint using valid OAuth tokens, making the traffic appear as legitimate integration activity.
T1657	Financial Theft	Icarus sent extortion emails to affected organizations demanding contact within 48 hours to prevent publication of stolen data.

Indicators of Compromise

Detection of this attack at the victim layer required Salesforce API-layer logging to be enabled. Organizations without Salesforce Event Monitoring in place had no visibility into the exfiltration as it occurred.

Network Indicators

User-agent strings Python-urllib/3.12 and Python-urllib/3.14 in Salesforce API logs
Source IP infrastructure inconsistent with Klue's known legitimate environment
Data leak file hosting IP from AS200593, registered under PROSPERO OOO (Russian Federation), flagged with a Censys BULLETPROOF designation per Huntress

Behavioral Indicators

Anomalous query volume against /services/data/v59.0/query/ from integration service accounts: approximately 1,000 queries in 15 minutes is not consistent with routine integration traffic
Sustained API sessions exceeding six hours from integration accounts
Login events in Salesforce audit logs from IP ranges with no prior association to the named integration vendor

Detection Limitation

Organizations that did not have Salesforce Event Monitoring enabled would have no log evidence of the exfiltration. The OAuth tokens used were valid, the API calls were authorized, and the activity was indistinguishable from legitimate integration traffic without volume-based anomaly detection at the API layer.

Attribution

The attack is attributed with high confidence to Icarus, a relatively new extortion group that claims to have been active since April 28, 2026. Before the Klue campaign, Icarus had listed only two prior victims on its dark web leak site. Icarus officially claimed the attack on June 19, 2026.

Huntress independently linked Icarus to the extortion emails by matching Session Messenger identifiers in the ransom notes to identifiers on the Icarus leak site. The extortion emails were sent under the alias "mr bean" and routed through compromised mail servers belonging to Global Retail Brands, an Australian retailer. Huntress reported this activity to the Australian Cyber Security Centre.

On June 21, 2026, ShinyHunters published a Telegram post claiming responsibility for the Klue breach and including a Session Messenger ID attributed to Icarus. Both BleepingComputer and Huntress note there is no confirmed evidence linking Icarus to ShinyHunters. ReliaQuest noted the activity resembles the 2025-2026 third-party OAuth-abuse campaigns attributed to ShinyHunters and UNC6395 (Salesloft Drift, Gainsight), but the Klue attack used a generic Python-urllib user-agent and ordinary data-center hosting rather than the Tor-routed, custom-toolchain tradecraft associated with UNC6395. No nation-state link has been identified.

Attribution to Icarus: high confidence. Any link to ShinyHunters: unconfirmed.

Primary Sources

01.
Cybercrime Breaches Klue: Salesforce Data Impacted for Many Victims, including Huntress
Huntress · June 18, 2026
02.
Threat Spotlight: Integration Abused in CRM Data Theft
ReliaQuest · June 21, 2026
03.
Klue OAuth breach victim list grows as Icarus hackers claim attack
BleepingComputer · June 19, 2026
04.
Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data
The Hacker News · June 21, 2026
05.
Klue breach exposed Salesforce CRM data through stolen OAuth tokens
CSO Online · June 22, 2026
06.
Klue hack results in data breach at several cybersecurity firms
TechCrunch · June 22, 2026
07.
The Trusted Integration That Wasn't: Inside the Klue SaaS Supply Chain Attack on Salesforce
Obsidian Security · June 18, 2026