Klue Confirms Breach Exposed CRM Data Across Integrations

‘Beyond Klue, we’re seeing the industry grapple with the unsettling reality that our privacy is under attack as long as criminals won’t settle for less than the breach de jour,’ says Huntress CEO Kyle Hanslovan.


Market intelligence platform Klue has publicly confirmed a breach of its integration infrastructure that let a threat actor access data within Salesforce and other third-party sales data platforms, including the sales data of some leading security vendors that are Klue customers.

Jason Smith, CEO of Vancouver, British Columbia-based Klue, said in an online post last Friday that the vendor had been publishing updates for customers through its support center, direct emails and one-on-one meetings after identifying unauthorized activity on June 12. His post, however, is Klue's own public account of the problem and investigation, and it came after third-party security companies started publishing reports on the breach.

“As we work with our partners to understand the scope and impact of this incident, we are committed to communicating what happened and how we can protect one another and the broader ecosystem,” Smith said.


Klue Breach Exposes Integration Risks Across SaaS Ecosystem

CRN has reached out to Klue for additional comment.

John Snyder, CEO of Durham, N.C.-based solution provider Net Friends, which uses Huntress, told CRN in an interview that based on the initial reports about the breach, the data accessed is relatively low level.

He did not see evidence at the time that the breach had any impact on Net Friends or his customers, and he said he does not normally put highly important data in software-as-a-service (SaaS) and customer relationship management applications.

“I don’t mean to come across as jaded, but there are so many of these (breaches),” Snyder said, echoing the Huntress CEO’s sentiment. “This does look like they got a whole bunch of normal CRM data.”

OAuth Token Compromise Enables Salesforce Data Access

Klue’s Friday post acknowledging the incident said that an attacker accessed data within a number of connected customer environments through OAuth tokens the attacker received through a compromised legacy credential associated with an integration service.

The attacker has only impacted third-party platforms and does not appear to have impacted customer content stored within the Klue platform, according to the vendor’s investigation so far. As part of its response, Klue has revoked affected credentials and tokens, removed unauthorized code, disabled potentially impacted integrations, launched an investigation, notified law enforcement and shared remediation guidance with affected customers.

Klue has engaged CrowdStrike to support the investigation and validate its response, Smith said. Klue is also reviewing its security controls, credential management practices, monitoring capabilities and deployment processes with plans to implement additional safeguards where needed.

Smith added that in the age of connected software and interoperability for multi-vendor environments, a single compromise can hit multiple organizations.

“The only way we beat these threats is by working together and sharing information and strategies,” Smith said. “That context doesn’t change our accountability. As this story unfolds, we will continue to share relevant details with our customers and help build a more resilient and secure community together.”

Salesforce published a post online last Wednesday saying that it disabled the connection between the Klue Battlecards application, installed by individual customers, and Salesforce in response to the security incident.

Before Smith’s post, a variety of security vendors published reports on a breach. Huntress, Recorded Future, Tanium and Jamf are among the vendors to say they were impacted by the breach.

Huntress said in its report on the breach that the threat actor did not impact Huntress products, infrastructure, telemetry, passwords or payment card data.

The threat actor may have accessed business names, products trialed, products used, subscription pricing and other details, work emails, job titles, phone numbers, business addresses, marketing and sales communications, sales workers’ notes on business opportunities and other data captured in Salesforce.

Huntress CEO Kyle Hanslovan told CRN in an email that “beyond Klue, we’re seeing the industry grapple with the unsettling reality that our privacy is under attack as long as criminals won’t settle for less than the breach de jour.”

“Commentary online clearly shows we’re all fatigued, and we as an industry may have to start reassessing exactly what data is expendable and what cannot be lost,” Hanslovan said. “If anything, I hope this helps rally law enforcement to impose real-world costs to those conducting these crimes.”

Huntress’ investigation points to a new extortion group dubbed “Icarus” as potentially associated with the breach, but the company said that it is not engaging with the threat actor.

The threat actor copied data from Huntress’ Salesforce account, including business contacts, price quotes, tasks and other sales-related data and communications, according to Huntress.

Huntress did not find any impact on its products and infrastructure or compromise of its customers’, partners’ or employees’ credentials. Huntress has not seen indication that the threat actor accessed payment information, according to the report.

“We at Huntress have been a constant advocate of the mantra it’s not a matter of if, or even when, an incident occurs—but how you respond,” the company said in an online post about the breach last Thursday. “We want to be transparent about a major supply chain attack that happened this week, which impacted us and other organizations. It supports our core values to put the community and transparency first.”

On June 16, Huntress staffers started receiving emails apparently from the threat actor saying data was downloaded. The threat actor apparently used a disused but still active credential Klue made to prototype a third-party integration it ultimately abandoned, according to Huntress. The threat actor made its way into Klue’s infrastructure from there.

Huntress recommends that security teams review the indicators of compromise (IOCs) provided by Klue, cross-reference log data from Salesforce and other potentially affected OAuth applications configured through Klue, request missing logs from vendors and then consider revoking sessions for affected services.

Users should also review email inboxes and spam folders for the threat actor’s email and consider engaging a cyber insurance provider if they think they were exposed, Huntress said.

“Klue and the other impacted organizations were victims of a crime,” according to the Huntress report. “Our industry sits within a fragile ecosystem where supply chain risk means that any organization can be affected by upstream effects that can occur without any fault of their own.”

Another post on Huntress’ website said that the vendor has “not made any changes to our relationship at this point” with Klue and is staying in close contact with its leadership.

Security Vendors Confirm Salesforce CRM Data Exposure

Recorded Future said in its report that it has found no evidence that its proprietary systems, internal databases or customer platform data have been accessed or compromised. Instead, client contact names and email addresses stored in its Salesforce database were impacted, with “certain business contract information” potentially part of the impacted data.

The vendor has locked down and revoked all associated OAuth tokens connected to the Klue integration, engaged Salesforce directly to obtain additional logs and support, launched a review of all integrated Salesforce third-party applications, correlated known malicious internet protocol (IP) addresses identified by Klue against its own environment logs, continued active systems monitoring for any further anomalous activity and communicated with law enforcement, according to the report.

Recorded Future said users just need to keep up basic cyber-hygiene and stay vigilant for any phishing activity or spam.

Tanium said in its report that an unauthorized party may have accessed opportunity names and values, sales-related messaging, job titles, email addresses, phone numbers, social media contact details, business addresses and other data stored in Salesforce.

But the threat actor didn’t affect Tanium products or cloud infrastructure. The vendor has not found evidence that the threat actor accessed support information, passwords or customer security data.

The vendor has blocked Klue’s OAuth integration, disabled access to Tanium’s Salesforce data, launched an extensive investigation and engaged directly with Klue’s leadership, according to the report. Tanium suggests that its users verify unexpected communications claiming to be from Tanium to make sure they aren’t phishing and social engineering attempts. Tanium users don’t have to reset passwords or credentials because of the Klue breach.

Jamf said in its report that a threat actor accessed its Salesforce instance data through Klue’s integration. The breach has not affected Jamf products or services. Jamf has disabled Klue’s integration within Salesforce and contained the breach on its end. It engaged cybersecurity experts to support its investigation, took defensive measures to protect Jamf’s environment and notified law enforcement.

Jamf warned users to look out for phishing campaigns leveraging the contact information stored within Salesforce, encouraging users to exercise caution when sharing sensitive information or account credentials with unknown senders and to report any suspicious email to their security team.

ReliaQuest Predicts Persistent OAuth Attack Threats In 2026

ReliaQuest, which was not among the impacted customers, said in its own report published last Wednesday that the activity resembles the 2025 and 2026 third-party OAuth-abuse campaigns against Salesforce that involved compromises of Salesloft Drift and Gainsight.

ReliaQuest did not attribute the attack to any one threat actor in its report but noted that threat groups ShinyHunters and UNC6395 have been blamed for the prior attacks against Salesforce, Salesloft Drift and Gainsight.

ReliaQuest predicted that “it is highly likely that threat actors will continue targeting third-party Salesforce-connected integrations through the rest of 2026.”

“The OAuth-abuse playbook is repeatable, effective, and now widely adopted,” according to the report.

The threat actor appears to have run automated scripts to pull large volumes of customer CRM records through the Salesforce representational state transfer (REST) API over roughly 24 hours. That includes a concentrated burst of nearly 1,000 queries in 15 minutes and sustained extraction windows lasting over six hours, according to ReliaQuest.
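A defender-side check for the query pattern ReliaQuest describes and the log cross-referencing Huntress recommends, as an added example that is not from the article or any vendor's report. The (timestamp, app, source IP) record layout, the app names, the IP addresses and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, loosely derived from the figures ReliaQuest reported.
BURST_WINDOW, BURST_MIN = timedelta(minutes=15), 900
SUSTAINED_MIN, MAX_GAP = timedelta(hours=6), timedelta(minutes=10)

def find_bursts(events, window=BURST_WINDOW, minimum=BURST_MIN):
    """Map (app, ip) -> peak request count in any sliding window, if >= minimum."""
    recent, peaks = defaultdict(deque), {}
    for ts, app, ip in sorted(events):
        q = recent[(app, ip)]
        q.append(ts)
        while ts - q[0] > window:       # drop requests older than the window
            q.popleft()
        if len(q) >= minimum:
            peaks[(app, ip)] = max(peaks.get((app, ip), 0), len(q))
    return peaks

def find_sustained(events, min_duration=SUSTAINED_MIN, max_gap=MAX_GAP):
    """List (app, ip, start, end) runs with no pause > max_gap lasting >= min_duration."""
    by_key, runs = defaultdict(list), []
    for ts, app, ip in events:
        by_key[(app, ip)].append(ts)
    for (app, ip), stamps in sorted(by_key.items()):
        stamps.sort()
        start = prev = stamps[0]
        for ts in stamps[1:] + [None]:  # None flushes the final run
            if ts is None or ts - prev > max_gap:
                if prev - start >= min_duration:
                    runs.append((app, ip, start, prev))
                start = ts
            prev = ts
    return runs

def ioc_hits(events, ioc_ips):
    """(app, ip) pairs whose source address is on a vendor-supplied IOC list."""
    return {(app, ip) for _, app, ip in events if ip in ioc_ips}

# Constructed sample data: documentation-range IPs, hypothetical app names.
T0 = datetime(2026, 1, 1, 2, 0, 0)
SAMPLE = (
    [(T0 + timedelta(seconds=0.5 * i), "integration-app", "203.0.113.7") for i in range(950)]
    + [(T0 + timedelta(minutes=5 * i), "integration-app", "203.0.113.8") for i in range(85)]
    + [(T0 + timedelta(minutes=30 * i), "reporting-app", "198.51.100.20") for i in range(17)]
)
IOC_IPS = {"203.0.113.7"}  # placeholder standing in for a vendor's IOC list

if __name__ == "__main__":
    print(find_bursts(SAMPLE), find_sustained(SAMPLE), ioc_hits(SAMPLE, IOC_IPS))
```

Grouping by app and source address keeps a slow, steady integration from hiding a short burst, and the low-volume reporting app in the sample trips neither check.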

Back in September, Klue introduced its Klue Partner Network, aimed at technology platforms and professional services firms. Members include Grow & Scale, Clear GTM, Fluvio and Octopus Competitive Intelligence.