Cyber Incident Victim: Huntress
Date: Jun 2026
Location: United States of America
Summary
Threat actors compromised Klue's Battlecards application, using a long‑disused but still active credential to inject a malicious code update that harvested OAuth tokens and accessed Salesforce instances of integrated customers. The breach enabled a rapid series of nearly a thousand queries within a short window, leading to the exfiltration of business contacts and sales‑related data from at least one victim, Huntress. Klue responded by revoking all OAuth credentials and disabling its Salesforce integration, while the Icarus Extortion Group claimed responsibility and demanded payment to prevent public release of the stolen information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 11, attackers pushed a code update to Klue's Battlecards application that was designed to collect OAuth tokens from customers' Salesforce integrations. The attackers gained initial access to Klue's environment by using a long-disused but still active credential. Once inside, they modified the application to harvest OAuth tokens associated with the Salesforce connection. On June 17, Salesforce's security teams detected unusual activity involving the Battlecards app and subsequently suspended its integration with the platform. ReliaQuest later published a blog post confirming that threat actors used the stolen Klue OAuth tokens to access Salesforce instances and exfiltrate a subset of customer data.

The observed activity included a concentrated burst of nearly a thousand queries within a fifteen‑minute window against at least one Salesforce environment. Huntress, a cybersecurity vendor, disclosed that its Salesforce instance was among those affected, with attackers obtaining business contacts and sales‑related information. The Icarus Extortion Group was linked to the intrusion, having sent an email demanding payment to prevent the exposure of the stolen data. In response, Klue deactivated the OAuth credentials for all of its customers and disabled the Battlecards‑Salesforce integration. This incident marks the third time a third‑party application integrated with Salesforce has been compromised to steal customer data.
The compromise underscores the risk posed by third‑party app connections as a high‑value avenue for accessing sensitive CRM information. Huntress reported the breach publicly, noting the specific categories of data that were accessed. Klue's actions to revoke tokens and shut down the integration were intended to halt further unauthorized access. No further details about the extent of data loss or additional victim organizations were provided in the source material.
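As an added illustration that is not part of the source report and is not code from Klue, Huntress or Salesforce, the Python below sketches the kind of per-app rate check a defender could run over connected-app API activity to surface a query burst like the one described above, and then lists the client ids whose OAuth grants would be candidates for revocation. The event schema, the app names, the cadence of the constructed sample and the thresholds are this example's own assumptions, not a Salesforce log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumption: not a real log). Each row is
# (ISO timestamp, connected-app client id, query text). Two apps run at a
# normal cadence; one of them then fires many queries inside a few minutes.
def _build_sample_events():
    events = []
    base = datetime(2026, 6, 11, 9, 0, 0)
    # baseline: one query every 20 minutes from each app for about four hours
    for i in range(12):
        t = base + timedelta(minutes=20 * i)
        events.append((t.isoformat(), "reporting-app", "SELECT Id FROM Account"))
        events.append((t.isoformat(), "battlecards-app", "SELECT Id FROM Opportunity"))
    # burst: 40 queries in four minutes from battlecards-app
    burst_start = base + timedelta(hours=5)
    for i in range(40):
        t = burst_start + timedelta(seconds=6 * i)
        events.append((t.isoformat(), "battlecards-app", "SELECT Id, Email FROM Contact"))
    events.sort()
    return events

SAMPLE_EVENTS = _build_sample_events()


def find_bursts(events, max_queries=20, window=timedelta(minutes=15)):
    """Sliding-window rate check, one window per connected app.

    Returns one alert tuple per client id,
    (client_id, window_start_iso, window_end_iso, count),
    recorded the first time more than `max_queries` calls from that app
    fall inside `window`. Events are (iso_timestamp, client_id, query).
    """
    recent = defaultdict(deque)   # client id -> timestamps inside the window
    alerts = {}
    for ts_str, client, _query in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[client]
        q.append(ts)
        # drop timestamps that have fallen out of the trailing window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_queries and client not in alerts:
            alerts[client] = (client, q[0].isoformat(), ts.isoformat(), len(q))
    return list(alerts.values())


def grants_to_revoke(alerts):
    """Client ids whose OAuth grants should be pulled for review, sorted."""
    return sorted({alert[0] for alert in alerts})


if __name__ == "__main__":
    found = find_bursts(SAMPLE_EVENTS)
    for client, start, end, count in found:
        print(f"{client}: {count} queries between {start} and {end}")
    print("revoke:", grants_to_revoke(found))
```

The threshold of twenty queries per fifteen minutes is arbitrary and would be set from each app's observed baseline; the point is that the check keys on the connected app's own identity rather than on the user, since a harvested OAuth token acts with the app's grant regardless of who originally authorised it.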
