Hackers Steal Salesforce CRM Data via Klue Breached Integration
Threat actors silently harvested enterprise CRM data by exploiting a trusted third-party SaaS integration. This incident marks the latest chapter in an escalating wave of OAuth-abuse attacks specifically targeting Salesforce ecosystems.
Researchers at ReliaQuest observed attackers leveraging a compromised Klue Battlecards integration, a competitive-intelligence platform that synchronizes battlecard and win/loss data with Salesforce, to exfiltrate large volumes of customer relationship management (CRM) data from enterprise environments.
In response, Salesforce has officially disabled the Klue Battlecards app’s connection to its platform pending further investigation, warning that the unusual activity “may have resulted in unauthorized access to a subset of customer data.”
Salesforce confirmed the issue is not a vulnerability within its own platform, but rather a compromise of Klue’s integration service account credentials.
The attackers authenticated through compromised Klue integration service accounts, generated OAuth tokens, and deployed automated Python scripts identifiable by Python-urllib user-agent strings to systematically drain CRM records via Salesforce’s REST API.
The attack followed a two-phase exfiltration pattern:
- Phase 1 – Slow extraction: Attackers first enumerated the organization’s object catalog via GET /services/data/v59.0/sobjects, then ran sustained looped REST API queries over nearly 24 hours, paginating results through the QueryMore cursor in a pattern designed to mimic legitimate integration traffic.
- Phase 2 – Burst extraction: In at least one environment, attackers sent nearly 1,000 queries within a 15-minute window, trading stealth for speed — suggesting either time pressure or a targeted pivot to high-value records. A separate incident saw sustained extraction lasting over 6 hours.
The CRM data accessible through the integration could include account records, contact details, deal outcomes, and pricing data, depending on how each organization scoped the integration’s permissions.
ReliaQuest researchers noted the attack methodology closely mirrors campaigns attributed to ShinyHunters and UNC6395, two threat clusters responsible for high-profile Salesforce OAuth-abuse incidents throughout 2025 and 2026.
- In June 2025, ShinyHunters used voice phishing to trick employees into authorizing malicious connected apps, then bulk-extracted Salesforce data for extortion.
- In August 2025, UNC6395 stole OAuth refresh tokens from the Salesloft Drift integration and queried Salesforce data across hundreds of organizations — the closest public analog to this incident.
However, attribution remains unconfirmed. Key differences exist: UNC6395 previously used python-requests, Salesforce-CLI, and Tor infrastructure, while this activity used a generic Python-urllib agent and data-center hosting. No extortion demands or leak-site postings have been observed as of publication.
The core vulnerability here is structural. Third-party SaaS integrations function as non-human identities with persistent, often broadly scoped API access to sensitive data.
Because they authenticate with valid credentials, they rarely trigger the behavioral alerts associated with user account compromise, allowing a 24-hour automated query loop to run undetected from a “trusted” account.
ReliaQuest’s GreyMatter platform correlated the OAuth token refresh, sustained API query spikes, and burst extraction activity into a single intrusion narrative, demonstrating why API-layer visibility is critical in integration-heavy environments.
Organizations using Klue or any Salesforce-connected integration should act immediately:
- Revoke and rotate all credentials — including service-account passwords, OAuth refresh tokens, client secrets, and active OAuth grants. Revoking the refresh token, not just the password, is what terminates persistent access.
- Audit Salesforce REST API logs — hunt for unusual query volumes, repeated pagination, Python-urllib user-agents, and access from unknown IP ranges.
- Enforce IP allowlisting — restrict connected app and SIEM/SOAR API access to approved infrastructure only, blocking and alerting on all out-of-scope requests.
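As an added example (not from the ReliaQuest report, Salesforce, or Klue), the following Python script runs the hunting checks listed above over constructed Salesforce REST API log records and recognises both phases of the extraction pattern described earlier: a scripted Python-urllib user-agent, access from outside an IP allowlist, a long QueryMore pagination loop, and a burst of requests inside a 15-minute window. The record layout (timestamp, user, client IP, user-agent, URI), the thresholds, the user names, the allowlisted IP 198.51.100.5 and the attacker-side IP 203.0.113.10 are all assumptions made for the example; real Salesforce EventLogFile exports would need a small adapter in `parse_line`.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Detection thresholds; tune to each integration's baseline (assumed values).
ALLOWED_IPS = {"198.51.100.5"}            # assumed egress IP of the legitimate integration
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500                     # the incident saw ~1,000 queries in 15 minutes
SUSTAINED_MIN_PAGES = 100                 # QueryMore pages needed to call a loop "sustained"
SUSTAINED_MIN_SPAN = timedelta(hours=6)   # the shorter of the two reported loop durations
SUSPICIOUS_UA = re.compile(r"python-urllib", re.IGNORECASE)
# nextRecordsUrl cursor shape used by QueryMore: /query/<locator>-<offset>
QUERYMORE = re.compile(r"/query/[0-9A-Za-z]+-\d+$")


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    user: str
    client_ip: str
    user_agent: str
    uri: str


def parse_line(line: str) -> ApiEvent:
    """Parse one constructed record: timestamp,user,client_ip,user_agent,uri (URI may contain commas)."""
    ts, user, ip, ua, uri = line.strip().split(",", 4)
    return ApiEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, ua, uri)


def build_sample_log() -> list[str]:
    """Constructed telemetry: one benign integration plus the two-phase extraction pattern."""
    base = datetime(2026, 3, 1, tzinfo=timezone.utc)
    api = "/services/data/v59.0"
    rows = []
    # Benign vendor integration: one query per hour from its allowlisted IP, vendor user-agent.
    for h in range(24):
        rows.append((base + timedelta(hours=h), "svc_other_vendor", "198.51.100.5",
                     "VendorSync/2.3", f"{api}/query?q=SELECT+Id+FROM+Opportunity"))
    # Phase 1: object catalog enumeration, then one QueryMore page every 5 minutes for ~24 h.
    t0 = base + timedelta(hours=1)
    rows.append((t0, "svc_klue_integration", "203.0.113.10", "Python-urllib/3.11", f"{api}/sobjects"))
    for i in range(1, 289):
        rows.append((t0 + timedelta(minutes=5 * i), "svc_klue_integration", "203.0.113.10",
                     "Python-urllib/3.11", f"{api}/query/01gAAAAAAAAAAAA-{2000 * i}"))
    # Phase 2: ~1,000 direct queries inside a single 15-minute window.
    t1 = base + timedelta(hours=27)
    for i in range(1000):
        rows.append((t1 + timedelta(seconds=0.85 * i), "svc_klue_integration", "203.0.113.10",
                     "Python-urllib/3.11", f"{api}/query?q=SELECT+Id+FROM+Contact+LIMIT+200"))
    return [f"{ts.isoformat()},{u},{ip},{ua},{uri}" for ts, u, ip, ua, uri in rows]


def max_requests_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of requests inside any sliding window of the given length."""
    recent = deque()
    best = 0
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        best = max(best, len(recent))
    return best


def analyze(events: list[ApiEvent]) -> dict[str, dict]:
    """Per-user summary of the integration-abuse signals, with human-readable flags."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    report = {}
    for user, evs in by_user.items():
        pages = sorted(e.ts for e in evs if QUERYMORE.search(e.uri))
        span = (pages[-1] - pages[0]) if pages else timedelta(0)
        s = {
            "suspicious_user_agents": sorted({e.user_agent for e in evs if SUSPICIOUS_UA.search(e.user_agent)}),
            "unallowlisted_ips": sorted({e.client_ip for e in evs} - ALLOWED_IPS),
            "catalog_enumeration": any(e.uri.endswith("/sobjects") for e in evs),
            "querymore_pages": len(pages),
            "pagination_span_hours": round(span.total_seconds() / 3600, 2),
            "max_burst": max_requests_in_window([e.ts for e in evs], BURST_WINDOW),
        }
        flags = []
        if s["suspicious_user_agents"]:
            flags.append("scripted client user-agent")
        if s["unallowlisted_ips"]:
            flags.append("request from outside IP allowlist")
        if s["querymore_pages"] >= SUSTAINED_MIN_PAGES and span >= SUSTAINED_MIN_SPAN:
            flags.append("sustained QueryMore pagination loop (phase 1 pattern)")
        if s["max_burst"] >= BURST_THRESHOLD:
            flags.append("burst extraction (phase 2 pattern)")
        s["flags"] = flags
        report[user] = s
    return report


if __name__ == "__main__":
    for user, summary in analyze([parse_line(l) for l in build_sample_log()]).items():
        print(user, summary["flags"] or "no findings")
```

The per-user grouping matters because the signal is the service account's behaviour over time, not any single request: a hourly poll from an allowlisted address and a vendor user-agent produces no flags, while the same checks stack four findings on the account that enumerates the catalog, pages through results for a day and then bursts. The burst counter is a sliding window rather than fixed 15-minute buckets, so a burst straddling a bucket boundary is not halved.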
ReliaQuest assesses it is highly likely that threat actors will continue targeting Salesforce-connected third-party integrations through the remainder of 2026, warning that the OAuth-abuse playbook is “repeatable, effective, and now widely adopted.”
| Artifact | Type |
|---|---|
| 138.226.246[.]94 | IP Address |
| 212.86.125[.]24 | IP Address |
| 213.111.148[.]90 | IP Address |
| 94.154.32[.]160 | IP Address |