A breach involving competitive intelligence platform Klue is shaping up to be another reminder that sometimes the easiest way into an organization is through a trusted third party.
Huntress and others confirm CRM data exposure
This week, cybersecurity vendor Huntress confirmed it was among several companies affected after attackers compromised Klue and used stolen OAuth credentials to access customer Salesforce environments.
Other impacted organizations have also begun issuing statements as investigators continue to work through the scope of the incident.
According to Huntress, the compromise was limited to CRM-related information and did not affect its products, infrastructure, telemetry, passwords, or payment card data.
“We would like to reiterate that NO Huntress products, infrastructure, telemetry, passwords, or payment card data were impacted,” the company wrote in an update posted June 19.
How attackers used Klue OAuth credentials
Based on information shared by Huntress, the attack began when threat actors gained access to Klue systems and deployed code to harvest OAuth tokens used to connect Klue to customer platforms. Those tokens were then used to access customer environments directly.
Klue disabled OAuth credentials and temporarily shut down integrations with several major platforms, including Salesforce, HubSpot, SharePoint, Zoom, Slack, Google Drive, Gong, Chorus, and Clari, while investigating the incident.
From there, it seems as though attackers used the stolen credentials to dig through customer CRM data. Huntress stated that the information potentially affected in its Salesforce environment includes business contacts, pricing quotes, subscription details, sales communications, and internal opportunity notes.
The company described the incident as “a case of the security domino effect,” where one compromise triggered a series of follow-on compromises across multiple organizations.
Things escalated further when some Huntress employees received emails claiming their data had been downloaded and demanding contact within 48 hours.
Meanwhile, a ransomware group known as Icarus has listed Klue on its leak site, although no data download links had been posted as of Huntress’ latest update.
Salesforce disables the Klue Battlecards app
While investigators are still picking through exactly who was affected and how much data was accessed, the technique behind the attack isn’t entirely new.
Researchers at ReliaQuest say the attackers used compromised Klue integration accounts to generate OAuth tokens, then used automated scripts to pull Salesforce data through legitimate API connections.
Salesforce has since disabled the Klue Battlecards app and said the issue originated from compromised integration credentials, not a flaw in Salesforce itself.
What makes incidents like this a teeny bit tricky is that nothing necessarily looks broken at first. The attackers weren’t forcing their way in through some glaring vulnerability. They were using trusted connections that already had permission to access data.
Third-party integrations expand SaaS risk
Many organizations have spent years tightening controls around employee accounts, but third-party integrations often end up with broad access and far less scrutiny. When one of those connections gets compromised, the blast radius can get surprisingly large.
As Huntress noted in its initial disclosure, “The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected.”
What MSPs and partners should know
For MSPs and channel partners, the incident highlights a growing challenge in managing the expanding web of SaaS integrations connecting customer environments.
Many service providers rely on third-party platforms to automate sales, marketing, support, and business operations, but those integrations often receive broad permissions that can persist for years without review.
The Klue breach may prompt MSPs to take a closer look at OAuth governance, third-party application inventories, and access reviews across customer environments.
As attackers increasingly target software vendors and service providers as indirect paths into enterprise data, visibility into connected applications is becoming just as important as securing user accounts themselves.
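The kind of access review described above can start as a small script run over an inventory of connected applications. The sketch below is an added example, not code from Huntress, Klue, Salesforce or ReliaQuest. The inventory records, field names, scope labels and thresholds are all constructed assumptions; map them to whatever your platforms actually export.

```python
from datetime import date

# Constructed inventory of third-party OAuth grants. Field names and scope
# labels are assumptions for this example, not any vendor's schema.
GRANTS = [
    {"app": "intel-platform", "scopes": {"full", "refresh_token"},
     "granted": date(2022, 3, 1), "last_review": None,
     "last_used": date(2025, 6, 10)},
    {"app": "calendar-sync", "scopes": {"read_events"},
     "granted": date(2025, 1, 15), "last_review": date(2025, 5, 1),
     "last_used": date(2025, 6, 12)},
    {"app": "old-webinar-tool", "scopes": {"api", "refresh_token"},
     "granted": date(2021, 9, 9), "last_review": date(2023, 1, 1),
     "last_used": date(2023, 2, 2)},
]

BROAD_SCOPES = {"full", "api"}   # treated here as org-wide data access
LONG_LIVED = {"refresh_token"}   # token can be renewed without a user present
REVIEW_MAX_DAYS = 180            # assumed review interval
UNUSED_MAX_DAYS = 90             # assumed idle limit before revocation

def review_grant(grant, today):
    """Return the list of findings for one OAuth grant."""
    findings = []
    broad = grant["scopes"] & BROAD_SCOPES
    if broad:
        findings.append("broad scope: " + ",".join(sorted(broad)))
    if broad and grant["scopes"] & LONG_LIVED:
        findings.append("broad scope is renewable without user sign-in")
    # A grant that was never reviewed is aged from the day it was issued.
    reviewed = grant["last_review"] or grant["granted"]
    age = (today - reviewed).days
    if age > REVIEW_MAX_DAYS:
        findings.append(f"no review for {age} days")
    if (today - grant["last_used"]).days > UNUSED_MAX_DAYS:
        findings.append("unused; candidate for revocation")
    return findings

def review_inventory(grants, today):
    """Map app name -> findings, most findings first; clean apps omitted."""
    report = {g["app"]: review_grant(g, today) for g in grants}
    flagged = {app: f for app, f in report.items() if f}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for app, findings in review_inventory(GRANTS, date(2025, 6, 20)).items():
        print(app, "->", "; ".join(findings))
```

An integration that is still in daily use can be the riskiest entry on the list, which is why broad scope and review age are checked independently of last use.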
This isn’t the first time Salesforce-connected integrations have landed in the spotlight. In 2025, attackers used compromised OAuth tokens associated with the Salesloft Drift platform to access customer data across multiple organizations, prompting Salesforce to disable the application’s connection entirely.





