A new supply chain attack has targeted companies using Salesforce. Attackers compromised a third-party application integration, Klue Battlecards, to access and steal customer data. Salesforce disabled the app’s integration infrastructure on 17 June 2026 to stop unauthorised access, clarifying that the issue was limited to Klue and not a vulnerability in the Salesforce platform itself.

“Our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce. This issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform,” Salesforce’s alert reads.

How the Breach Happened

Cybersecurity firm Huntress found that the initial breach occurred on 11 June, noting that attackers entered Klue’s backend system by exploiting an old, unused testing credential that was still somehow active. Once inside, they deployed a malicious code update to harvest OAuth tokens. These tokens allow applications to share data smoothly without requiring repeated logins, and because of this, hackers easily bypassed standard authentication controls like multi-factor authentication.

From there, the attack moved fast. Security firm ReliaQuest’s investigation showed that the hackers used automated Python scripts via the Salesforce REST API to fetch data in bulk over a 24-hour window. This included a heavy burst of nearly 1,000 queries in just 15 minutes and sustained data theft lasting over six hours in some networks.
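The burst pattern ReliaQuest describes, roughly 1,000 API queries in 15 minutes from a single integration, is a signal defenders can hunt for in their own API request logs. The script below is an added example, not code from the article or from any vendor named in it; it assumes a constructed, simplified CSV export of API requests (timestamp, connected app, user, request path), and the field names and the 500-per-window threshold are assumptions.

```python
# Added example: sliding-window burst detection for a connected app's API calls.
# Log format below is a constructed, simplified CSV, not a real Salesforce schema.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500  # requests per 15-minute window; tune to your own baseline


def parse_events(text):
    """Parse 'timestamp,connected_app,user,path' lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, app, user, path = line.split(",", 3)
            t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((t, app, user, path))
    events.sort()  # exports are not guaranteed to be in time order
    return events


def peak_window_counts(events, window=WINDOW):
    """Return {app: highest number of requests seen in any single window}."""
    recent = defaultdict(deque)  # app -> timestamps still inside the window
    peak = defaultdict(int)
    for t, app, _user, _path in events:
        q = recent[app]
        q.append(t)
        while t - q[0] > window:  # evict requests older than the window
            q.popleft()
        peak[app] = max(peak[app], len(q))
    return dict(peak)


def detect_bursts(events, threshold=BURST_THRESHOLD):
    return {app: n for app, n in peak_window_counts(events).items() if n >= threshold}


def _synthetic(start, n, spacing_s, app):
    """Constructed log lines: n requests from `app`, spacing_s seconds apart."""
    return "\n".join(
        (start + timedelta(seconds=i * spacing_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        + f",{app},integration@example.com,/services/data/v60.0/query"
        for i in range(n))


START = datetime(2026, 6, 11, 2, 0, tzinfo=timezone.utc)
# 1,000 queries in 15 minutes from one app beside a normal sync every 20 minutes.
SAMPLE_LOG = "\n".join([_synthetic(START, 1000, 0.9, "klue-battlecards"),
                        _synthetic(START, 20, 1200, "hubspot-sync")])

if __name__ == "__main__":
    for app, n in detect_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {app}: {n} API requests within one {WINDOW} window")
```

A real deployment would key the same logic on the OAuth client or connected-app identifier in your event export and compare against each app's historical baseline rather than a fixed threshold.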

Klue detected this unusual activity on 12 June and quickly deactivated the compromised tokens. The firm prevented the damage from spreading further by turning off its integrations with other major apps, including HubSpot, Microsoft SharePoint, Zoom, Google Drive, and Slack.

However, despite these efforts, several tech and security firms confirmed their Salesforce data was copied during the window of vulnerability. Impacted companies include Huntress, Jamf, Recorded Future, Tanium, Gong, Insurity, and Sprout Social. The compromised files consist of commercial data like business contacts, price quotes, email addresses, and sales messages. It is worth noting that corporate passwords, payment details, and core software telemetry data weren’t impacted.

A crucial detail from Huntress’ investigation is that a new extortion group named Icarus is behind this campaign. This group has reportedly been active since April 2026. On 16 June, Huntress received an email demanding a ransom within 48 hours to prevent the leak of the stolen files. The email contained a Session Messenger ID that matched the Icarus dark web leak site, and the group officially listed Klue as a victim on 19 June 2026.

Connection to Past Salesforce Intrusions

ReliaQuest researchers noted that this technique is similar to several previous integration attacks. Hackread.com has reported on those incidents and observed that they followed the same pattern: stealing third-party digital keys to bypass corporate security barriers.

In August 2025, a data theft campaign by threat actor UNC6395 involved using compromised Salesloft Drift tokens to export large volumes of data from over 700 Salesforce accounts while hunting for AWS and Snowflake access keys. Later, in November 2025, the ShinyHunters cybercrime group stole Gainsight access tokens to steal bulk data from customer environments.

As these third-party integration attacks continue to target enterprises, with Klue the latest victim, security teams are advised to remain cautious. To secure environments affected by this incident, they should immediately revoke and reissue all passwords and OAuth grants linked to the Klue platform.
