CyberSecurityBoard
Cyber News

Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data

June 25, 2026

Salesforce disabled the Klue Battlecards app integration after detecting unusual activity that led to unauthorized access to customer data via OAuth token abuse. In the incident, which occurred on June 11, 2026, an extortion group named Icarus used a compromised legacy credential to breach Klue’s integration infrastructure. The attackers obtained OAuth tokens and used them to access the Salesforce environments of multiple Klue customers, including cybersecurity firm Huntress. Exfiltrated data included business contacts, price quotes, and sales-related information, but not threat data, passwords, or payment card details. Klue revoked affected credentials and tokens, removed unauthorized code, and launched an investigation. ReliaQuest noted similarities to previous OAuth abuse attacks targeting Salesforce environments. Icarus has listed data for Huntress and other companies on its leak site, with files hosted on a Russian bulletproof hosting provider. The incident underscores the risk of third-party OAuth token abuse in SaaS supply chain attacks.

CVEs: CVE-2026-11645

Attack groups: Icarus, ShinyHunters, UNC6395

Companies: Salesforce, Klue, Huntress, ReliaQuest, Jamf, Recorded Future, Tanium, Gong, Insurity, Sprout Social, OneTrust, HackerOne

Products: Klue Battlecards, Salesforce REST API

Service providers: PROSPERO