Salesforce Disables Klue Battlecards App After OAuth Token Abuse Exposes Customer CRM Data
Salesforce has disabled the Klue Battlecards app connection after suspicious activity tied to the integration may have exposed customer data. A Salesforce status alert says the issue is limited to Klue’s app connection and does not come from a vulnerability in the Salesforce platform.
Klue, a competitive intelligence and win-loss platform, said an attacker gained access through a compromised legacy credential linked to an integration service. In a public Klue security update, CEO Jason Smith said the attacker used that access to obtain OAuth tokens connected to third-party platforms, including Salesforce.
The stolen tokens were then used to access data inside some connected customer environments. Salesforce users cannot connect through the Klue Battlecards app until further notice, while Klue and affected customers continue their investigations.
What happened in the Klue Salesforce incident
The incident centers on OAuth tokens, which let trusted third-party apps access platforms such as Salesforce without asking users to log in again each time. An attacker holding such a token acts with the app's own identity and permissions until the token is revoked or expires, and a stolen refresh token lets them mint fresh access tokens for as long as it stays valid.
According to Huntress, anomalous behavior began on June 11, and Klue later detected unauthorized activity affecting part of its integration infrastructure. Huntress said the attacker pushed a code update capable of collecting OAuth tokens used by Klue customers to connect Klue with their own systems.
Klue said it found the unauthorized activity on June 12 and took containment steps after discovering the incident. Those steps included revoking affected credentials and tokens, removing unauthorized code, disabling potentially affected integrations, launching a broader investigation, and notifying law enforcement.
| Key detail | What is known |
|---|---|
| Affected app | Klue Battlecards Salesforce integration |
| Main access method | Compromised OAuth tokens tied to Klue integrations |
| Salesforce platform vulnerability | No, Salesforce says the issue is limited to Klue’s app connection |
| Known data type | CRM and sales-related business data, depending on each customer’s integration scope |
| Status | Klue Battlecards connection to Salesforce disabled until further notice |
How attackers used the trusted app connection
ReliaQuest said attackers authenticated through a compromised Klue integration service account, generated OAuth tokens, and used automated Python scripts to pull CRM records through the Salesforce REST API.
The activity began with enumeration of the object catalog (the Salesforce API calls that list the available objects and describe their fields), followed by repeated requests to the Salesforce query endpoint. ReliaQuest said the activity looked like bulk data retrieval, not normal integration traffic.
The incident shows why trusted SaaS integrations need close monitoring. Obsidian Security described the attack as a SaaS supply chain access violation in which a legitimate integration became the access path for mass CRM data queries.
- Attackers obtained OAuth tokens through Klue’s integration infrastructure.
- They used those tokens to access connected customer Salesforce environments.
- They queried Salesforce data through API calls instead of logging in like normal users.
- The activity could bypass controls that focus mainly on employee accounts.
- Several affected companies said product systems and core platforms were not impacted.
Huntress, Recorded Future, and Jamf confirm impact
Huntress said data copied from its Salesforce account included business contacts, price quotes, and other sales-related data and messaging. The company said no threat data, passwords, payment card information, engineering data, agent telemetry, products, or infrastructure were affected.
Recorded Future said elements of its Salesforce account were impacted through a compromised OAuth token associated with its Salesforce and Klue integration. The company said the impact appeared limited to business data fields stored in Salesforce, such as client contact names, email addresses, and certain business contract information.
Jamf also confirmed that an unauthorized party gained access to its Salesforce instance data through Klue’s integration. Jamf said the incident did not affect its products or its ability to serve customers, and that the impact appeared mainly limited to business data fields within Salesforce.
| Company | Reported impact | Systems not reported as affected |
|---|---|---|
| Huntress | Business contacts, price quotes, and sales-related data | Products, infrastructure, passwords, payment cards, threat data, engineering data, and agent telemetry |
| Recorded Future | Business data fields in Salesforce, including some client contact and contract information | Core platform, Intelligence Graph, internal databases, and proprietary systems |
| Jamf | Salesforce business data fields | Products and customer service operations |
Icarus group claims responsibility
The extortion group Icarus later listed Klue on its leak site, according to the Huntress investigation. Huntress said the listing appeared to support attribution, although the full scope of the incident remains under investigation.
The attackers also contacted some Huntress employees by email, claiming Salesforce data had been downloaded and giving the company 48 hours to respond. Huntress said the messages appeared to come from infrastructure unrelated to Klue’s legitimate environment.
ReliaQuest said the activity resembles earlier third-party OAuth abuse campaigns that hit Salesforce environments through trusted SaaS connections. Its threat analysis said attribution remained uncertain at the time of publication, even though the playbook looked familiar.
Why OAuth token abuse is hard to spot
OAuth tokens often belong to non-human identities, such as connected apps or integrations. These identities frequently hold persistent access to sensitive systems, yet many organizations monitor them far less closely than employee accounts.
That gap matters because Salesforce sees such a request as coming from a trusted integration, authorized exactly as it would be for legitimate sync traffic. As Obsidian Security noted, attackers with a valid token do not need a password, MFA code, or successful phishing attempt to begin querying CRM records.
The blast radius depends on what the integration was allowed to do. In Salesforce, the OAuth scopes granted to the connected app decide which APIs a token may call, while the profile and permission sets of the integration user decide which objects and fields it can read. A stolen token therefore exposes exactly the contacts, opportunities, pricing, notes, or contract details that the integration user could already see, so both the scopes and the integration user's permissions need to be kept narrow.
- Inventory all OAuth apps connected to Salesforce.
- Revoke and rotate tokens for Klue-connected Salesforce integrations.
- Review Salesforce API logs for high-volume query activity.
- Look for unusual user agents, including Python-based automation.
- Restrict integration access to known infrastructure where possible.
- Apply least-privilege permissions to all connected apps.
- Monitor non-human identities with the same urgency as privileged users.
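The enumeration-then-bulk-query pattern ReliaQuest described, and the log review steps in the checklist above, can be turned into a small detector. The following is an added example written for this article, not code from Klue, Salesforce, ReliaQuest, or any affected company. The log lines are constructed; their column names are assumed to resemble a Salesforce RestApi event log file rather than copied from one, and every user name, IP address, user agent and query locator is made up.

```python
"""Flag bulk CRM retrieval through an OAuth-connected integration principal.

Heuristics mirror the pattern reported in the incident: object catalog
enumeration (/sobjects, /describe) followed by a burst of /query and
queryMore calls from a scripted client. Added example, not code from Klue,
Salesforce or any vendor. SAMPLE_LOG is CONSTRUCTED; its columns are assumed
to resemble a Salesforce RestApi event log file, and every user, IP address,
user agent and query locator is made up.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # burst window; tune to the integration's normal cadence
QUERY_BURST = 5                  # /query calls per principal within WINDOW that count as a burst

# /services/data/vNN.N/sobjects and /sobjects/<Object>/describe = catalog enumeration
ENUM_RE = re.compile(r"^/services/data/v[\d.]+/sobjects(?:/\w+/describe)?/?$")
# /services/data/vNN.N/query (SOQL) and /query/<locator> (queryMore pagination)
QUERY_RE = re.compile(r"^/services/data/v[\d.]+/query(?:/[\w-]+)?$")
SCRIPTED_UA_RE = re.compile(r"python-requests|python-urllib|aiohttp|httpx|curl/|Go-http-client", re.I)

# Constructed sample: one integration user seen from its usual host (203.0.113.5)
# and later from a new host (192.0.2.77) running a scripted pull.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,USER_AGENT,METHOD,URI,ROWS_PROCESSED
2025-06-11T02:00:05Z,integration.user@example.com,203.0.113.5,VendorSync/4.2,GET,/services/data/v60.0/query?q=SELECT+Id+FROM+Opportunity+WHERE+LastModifiedDate+%3E+YESTERDAY,40
2025-06-11T02:00:09Z,integration.user@example.com,203.0.113.5,VendorSync/4.2,GET,/services/data/v60.0/query?q=SELECT+Id+FROM+Account+WHERE+LastModifiedDate+%3E+YESTERDAY,12
2025-06-11T09:15:00Z,alice@example.com,198.51.100.20,Mozilla/5.0 (Windows NT 10.0; Win64) Chrome/125.0,GET,/services/data/v60.0/query?q=SELECT+Name+FROM+Account+LIMIT+10,10
2025-06-11T23:41:02Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,/services/data/v60.0/sobjects,0
2025-06-11T23:41:03Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,/services/data/v60.0/sobjects/Contact/describe,0
2025-06-11T23:41:04Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,/services/data/v60.0/sobjects/Opportunity/describe,0
2025-06-11T23:41:10Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,"/services/data/v60.0/query?q=SELECT+Id,Name,Email,Phone+FROM+Contact",2000
2025-06-11T23:41:13Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,/services/data/v60.0/query/01gFAKE0000000001-2000,2000
2025-06-11T23:41:16Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,/services/data/v60.0/query/01gFAKE0000000001-4000,2000
2025-06-11T23:41:19Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,/services/data/v60.0/query/01gFAKE0000000001-6000,2000
2025-06-11T23:41:22Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,/services/data/v60.0/query/01gFAKE0000000001-8000,1350
2025-06-11T23:41:40Z,integration.user@example.com,192.0.2.77,python-requests/2.31.0,GET,"/services/data/v60.0/query?q=SELECT+Id,Name,Amount,StageName+FROM+Opportunity",2000
"""


def parse_log(text):
    """Parse CSV text into dict rows with a parsed timestamp and integer row count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    return rows


def classify(uri):
    """Bucket a REST URI as catalog enumeration, a query/queryMore call, or other."""
    path = uri.split("?", 1)[0]
    if ENUM_RE.match(path):
        return "enumerate"
    if QUERY_RE.match(path):
        return "query"
    return "other"


def find_bulk_pulls(rows):
    """Return {(user, client_ip): finding} for principals whose traffic looks like a bulk pull."""
    by_principal = defaultdict(list)
    for r in rows:
        by_principal[(r["USER_NAME"], r["CLIENT_IP"])].append(r)

    findings = {}
    for principal, events in by_principal.items():
        events.sort(key=lambda r: r["ts"])
        reasons, recent, first_enum = set(), [], None
        query_calls = rows_pulled = 0
        for e in events:
            if SCRIPTED_UA_RE.search(e["USER_AGENT"]):
                reasons.add(f"scripted user agent: {e['USER_AGENT']}")
            kind = classify(e["URI"])
            if kind == "enumerate" and first_enum is None:
                first_enum = e["ts"]
            if kind != "query":
                continue
            query_calls += 1
            rows_pulled += e["rows"]
            # sliding window of query timestamps from this principal
            recent = [t for t in recent if e["ts"] - t <= WINDOW] + [e["ts"]]
            if len(recent) >= QUERY_BURST:
                reasons.add(f"{QUERY_BURST}+ query calls within {WINDOW}")
                if first_enum is not None and first_enum <= recent[0]:
                    reasons.add("object catalog enumeration preceded the query burst")
        if reasons:
            findings[principal] = {"reasons": sorted(reasons),
                                   "query_calls": query_calls,
                                   "rows_pulled": rows_pulled}
    return findings


if __name__ == "__main__":
    for (user, ip), f in find_bulk_pulls(parse_log(SAMPLE_LOG)).items():
        print(f"{user} from {ip}: {f['query_calls']} query calls, {f['rows_pulled']} rows")
        for reason in f["reasons"]:
            print("  -", reason)
```

Keying findings on user plus source IP is deliberate: the same integration user is seen doing its normal nightly sync from one host and a scripted pull from another, and only the second principal is flagged. A scripted user agent on its own is a lead rather than a verdict, since some legitimate integrations also use python-requests; the enumeration-then-burst sequence and the row counts are what separate a pull from a sync.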
What Salesforce and Klue customers should do now
Salesforce customers that used Klue Battlecards should assume the integration needs review, even if they have not yet received a direct notification. The first step is to confirm whether the Klue integration had Salesforce access and what data scopes it held.
The Salesforce notice says the Klue Battlecards connection has been disabled to protect customers. That limits new access through the app, but customers should still review historical activity and rotate affected credentials where needed.
The Klue incident update says the company is working with affected customers, sharing investigative findings, and reviewing its security controls, credential management, monitoring, and deployment processes. Klue also said it engaged CrowdStrike to support the investigation.
More companies warn about phishing risks
Recorded Future said there is no action required from its customers beyond basic cyber hygiene and continued vigilance for phishing or spam. Its customer update also said the incident did not affect its core platform or internal infrastructure.
Jamf warned customers that attackers may use contact information from Salesforce to support phishing campaigns. In its Klue incident notice, Jamf urged users to be careful with unexpected messages and avoid sharing sensitive information or credentials with unknown senders.
For security teams, the incident adds another warning about SaaS supply chain exposure. A single trusted integration can become a broad access point when tokens, credentials, and API permissions do not receive enough scrutiny.
FAQ
What happened to the Klue Battlecards app in Salesforce?
Salesforce disabled the Klue Battlecards app connection after suspicious activity involving the integration may have exposed customer CRM data. Klue said attackers used a compromised legacy credential to obtain OAuth tokens for third-party platforms, including Salesforce.
Was this a vulnerability in Salesforce?
No. Salesforce said the issue was limited to Klue’s app connection and did not arise from a vulnerability in the Salesforce platform.
What data was exposed?
The exposed data varied by customer and depended on the permissions granted to the Klue integration. Confirmed reports mention CRM-related business data such as contact details, business names, pricing information, sales records, opportunity data, and contract-related information.
Which companies confirmed they were affected?
Huntress, Recorded Future, and Jamf publicly confirmed impact tied to the Klue integration incident. Each company said the known impact was limited to Salesforce or business data fields, not core products or major internal systems.
What should Salesforce customers that used Klue do now?
Salesforce customers that used Klue should review connected app permissions, revoke and rotate OAuth tokens, examine Salesforce API logs for unusual query activity, check known indicators from Klue, and limit integrations to least-privilege access.