Salesforce has disabled the integration between its platform and the third-party app Klue Battlecards following an OAuth-abuse incident that may have exposed customer data. The breach is reminiscent of the Salesloft Drift and Gainsight compromises of 2025.
Klue provides an AI platform for competitive intelligence; its Salesforce integration is meant to surface competitive battlecards, quick-reference documents for sales reps, inside the CRM to increase their adoption. The company lists Adobe, Dell, Shopify, Gainsight, and Flatiron among its 500 customers.
Klue Battlecards Breach: What Happened?
Cybersecurity company Reliaquest observed a compromised integration between Klue and Salesforce in June, which was used to exfiltrate CRM data using OAuth tokens and automated REST API queries.
Reliaquest said the activity “resembles the 2025 and 2026 third-party OAuth-abuse campaigns” against Salesforce, which have been linked to ‘ShinyHunters’ and ‘UNC6395’, but the party responsible for this incident is not yet known.
The Klue integration was used as an entry point into Salesforce environments; the CRM data reachable through it ranged from account records and contact details to deal outcomes and pricing, depending on the scope the integration had been granted, according to Reliaquest.
Reliaquest advises defenders to revoke and rotate credentials and OAuth tokens, including refresh tokens, for Salesforce-connected integrations, and to restrict API access. Every third-party app holding OAuth access to a core platform such as Salesforce is part of the defender’s attack surface and should be inventoried, monitored, and scoped to least privilege.
Salesforce stresses that the issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.
Incidents like this demonstrate the importance of Zero Trust principles, which move thinking away from “inside the network is safe” to “nothing is trusted by default”.
To that point, Reliaquest said: “The activity follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026, reinforcing that trusted software-as-a-service (SaaS) integrations remain a high-value yet little-monitored route to reach sensitive data.”
Reliaquest disclosed its findings to Klue before publishing them.
Attackers authenticated to their targets’ Klue integration service accounts, generated OAuth tokens, and ran apparently automated scripts to pull “large volumes” of Salesforce records through the REST API over an approximate 24-hour period, the security company says.
This included a “concentrated burst” of almost 1,000 queries in 15 minutes and sustained extraction windows that lasted more than six hours.
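The two figures Reliaquest reports, a burst of roughly 1,000 queries in 15 minutes and extraction windows longer than six hours, translate directly into detection logic that can run over API-call logs. The following Python is an added example, not code from Reliaquest, Klue or Salesforce; it runs over constructed call records, and the record shape, the account and app names, and the 10-minute idle gap used to split sessions are assumptions. Salesforce’s own Event Monitoring logs use different field names; map them into the tuple shape used here before running it on real data.

```python
"""Flag API-call patterns like those described above: a high-rate burst
and a long sustained session from one integration account.

Added example with constructed data. Each record is a tuple
(timestamp, user, connected_app, endpoint); real Salesforce EventLogFile
or Real-Time Event Monitoring rows must be mapped into this shape first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)       # "almost 1,000 queries in 15 minutes"
BURST_THRESHOLD = 1000
SUSTAINED_MIN = timedelta(hours=6)         # "extraction windows ... more than six hours"
SUSTAINED_GAP = timedelta(minutes=10)      # assumed idle gap that ends a session


def build_sample_events():
    """Constructed log: a quiet human user plus an integration account that
    shows both the burst and the sustained-extraction pattern."""
    base = datetime(2026, 6, 16, 9, 0)
    query = "/services/data/v60.0/query"
    events = []
    # Human user: one query every 30 minutes for 8 hours.
    for i in range(16):
        events.append((base + timedelta(minutes=30 * i),
                       "jane@corp.example", "HumanBrowser", query))
    # Integration account: 1,050 queries in 14 minutes (burst)...
    for i in range(1050):
        events.append((base + timedelta(seconds=0.8 * i),
                       "klue-int@corp.example", "KlueConnector", query))
    # ...then one query every 2 minutes for just under 7 hours (sustained).
    for i in range(210):
        events.append((base + timedelta(hours=1, minutes=2 * i),
                       "klue-int@corp.example", "KlueConnector", query))
    return sorted(events)


def detect_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: peak_calls} for users whose call count inside any
    sliding interval of length `window` reaches `threshold`."""
    stamps_by_user = defaultdict(list)
    for ts, user, _app, _endpoint in events:
        stamps_by_user[user].append(ts)
    hits = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            # Advance the left edge until the window fits.
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits


def detect_sustained_windows(events, min_duration=SUSTAINED_MIN, gap=SUSTAINED_GAP):
    """Split each user's calls into sessions at idle gaps longer than `gap`
    and return {user: {start, end, calls}} for the longest session per user
    that lasts more than `min_duration`."""
    stamps_by_user = defaultdict(list)
    for ts, user, _app, _endpoint in events:
        stamps_by_user[user].append(ts)
    hits = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start, prev, calls = stamps[0], stamps[0], 1
        best = None
        for ts in stamps[1:] + [None]:        # sentinel flushes the last session
            if ts is not None and ts - prev <= gap:
                prev, calls = ts, calls + 1
                continue
            duration = prev - start
            if duration > min_duration and (best is None or duration > best["end"] - best["start"]):
                best = {"start": start, "end": prev, "calls": calls}
            if ts is not None:
                start, prev, calls = ts, ts, 1
        if best:
            hits[user] = best
    return hits


if __name__ == "__main__":
    sample = build_sample_events()
    print("burst accounts:", detect_bursts(sample))
    print("sustained sessions:", detect_sustained_windows(sample))
```

Both detectors key on the authenticating user rather than the connected app, because the report describes attackers authenticating to the victims’ Klue integration service accounts; a per-app view would also catch a legitimate app whose token has been stolen, so in practice run both. The thresholds are the reported numbers, not tuned baselines, and should be lowered to fit the normal query volume of each integration account.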
“Prior attacks against Salesforce, Salesloft Drift, and Gainsight have been attributed to threat groups ‘ShinyHunters’ and ‘UNC6395,’ but at the time of writing there is no evidence to confirm or rule out their involvement here,” Reliaquest wrote.
They add: “Exfiltration is confirmed; the full scope, initial access vector, and intent of the incidents are still being established.”
Given this and the previous Salesloft and Gainsight incidents, any widely used app vendor with integrations into enterprise SaaS and application platforms should consider itself a target of these threat groups. Reliaquest said as much, predicting repeat attacks for the remainder of 2026: “The OAuth-abuse playbook is repeatable, effective, and now widely adopted.”
Klue, which currently employs more than 200 people, was founded by Jason Smith and Sarathy Naicker in 2015 and raised $62M in Series B funding with participation from Salesforce Ventures.
The company provides an AI-powered Competitive Enablement and Win-Loss Analysis platform intended to help product marketers collect, curate, and deliver competitor and buyer insights.
The company was ranked #1 in the revenue enablement category in Gartner’s Critical Capabilities report, and it earned a spot on Deloitte’s Technology 2024 Fast 50 and 2024 Fast 500 lists.
There’s an AppExchange link on Klue’s website, but at the time of writing (10.15 am BST, June 18), it leads to a ‘page not found’ notice.

Klue Hack: Salesforce’s Response
Salesforce posted an update on their status site at 7.22 pm BST on June 17, outlining that they had disabled integration with Klue.
The company wrote: “To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident. As a result, organizations will not be able to connect to Salesforce via this app until further notice.
“Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce. This issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.
“We are continuing to work directly with affected customers and Klue.”
Summary
Salesforce has disabled its integration with Klue following a security breach. According to cybersecurity company Reliaquest, the incident resembles last year’s ShinyHunters attacks, but the perpetrators are not yet known.
Defenders are advised to revoke and rotate credentials and OAuth tokens, including refresh tokens, for Salesforce-connected integrations.