Wasteland.
▣ Breach SALESFORCE-KLUE-AP 2026-06-20

Huntress: ShinyHunters Salesforce Data Theft via Klue App

A ShinyHunters-linked threat campaign has compromised Klue's Battlecards integration to siphon customer data out of Salesforce instances, with cybersecurity vendor Huntress among the confirmed victims. The intrusion, disclosed June 17 when Salesforce suspended the Battlecards integration, makes Klue the third integrated application abused in the ongoing wave of Salesforce supply-chain attacks. ReliaQuest researchers confirmed that attackers used OAuth tokens obtained through a compromised Klue integration service account to exfiltrate data via the Salesforce REST API, in one case firing nearly a thousand queries in 15 minutes.

What Happened

On June 17, Salesforce announced it had suspended its integration with Klue's Battlecards app after detecting unusual activity that may have resulted in unauthorized access to a subset of customer data. The CRM vendor was explicit that the problem lived in the third-party connection, not its own platform: "This issue is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform."

The following day, ReliaQuest published findings confirming that threat actors had reached Salesforce instances using Klue OAuth tokens and exfiltrated customer data. According to ReliaQuest, the attackers authenticated through a compromised Klue integration service account, then generated OAuth tokens that granted them access to customers' connected Salesforce environments. From there, automated Python scripts pulled data out through the Salesforce REST API over a window of roughly 24 hours.

Huntress, itself a cybersecurity vendor, has been named among the confirmed victims, underscoring that even security-mature organizations are exposed when a trusted SaaS integration is turned against them.

What Was Taken

The campaign targeted customer data held in Salesforce instances connected to the Battlecards integration. ReliaQuest described the operation as a bulk-extraction effort rather than a disrupted or partial attack. A spokesperson told Dark Reading the 24-hour activity window is consistent with a deliberate harvest: the attacker appears to have enumerated the available data, extracted what was accessible, and moved on.

Exfiltration patterns observed by researchers point to high volume. One environment saw a concentrated burst of nearly a thousand queries in 15 minutes, alongside sustained exfiltration lasting more than six hours. Investigators read the shift from a "slow, steady pull designed to blend in" to a high-speed burst as a sign of time pressure or a pivot to targeted records. The precise record counts and data categories per victim are still being assessed, but the volume and automation indicate broad CRM datasets rather than narrow, selective theft.

Why It Matters

This is the third integrated application compromised to reach Salesforce customer data, following the Salesloft Drift and Gainsight incidents that rattled the Salesforce ecosystem throughout 2025 and 2026. The repetition is the story: trusted SaaS integrations remain a high-value yet lightly monitored path to sensitive data.

For defenders, the lesson is that the security boundary no longer stops at the CRM platform. An organization can harden Salesforce perfectly and still lose data because a connected vendor's service account was breached. OAuth-based integrations hold standing, often broad, access exercised by a machine identity: the tokens are not subject to the interactive MFA, device and network checks applied to human logins, and they inherit whatever object and field permissions the authorizing user's profile and the app's scopes allow. When ShinyHunters-linked actors can chain one supplier compromise into many downstream victims, every integration becomes a potential entry point. The presence of Huntress on the victim list is a pointed reminder that sophistication does not equal immunity to third-party risk.

The Attack Technique

The intrusion follows the now-familiar third-party OAuth-abuse playbook seen in the Salesloft Drift and Gainsight compromises. The chain works in stages. First, attackers compromise the integration vendor, in this case gaining access to a Klue integration service account. Second, they use that foothold to generate valid OAuth tokens, which Salesforce treats as legitimate authorized access. Third, they script automated REST API queries to enumerate and extract data, often staging a slow initial pull to evade detection before accelerating into a high-volume burst.

Because the access rides on legitimate OAuth tokens tied to a trusted app, the activity can blend into normal integration traffic. There is no malware on the victim's endpoints and no exploited Salesforce vulnerability, so endpoint and vulnerability tooling has nothing to see. The only reliable signals are behavioral: anomalous query volumes, unusual API access timing, objects the integration has no business reading, and exfiltration patterns that deviate from the integration's own baseline. In Salesforce those signals live in the Event Monitoring API and REST API event logs and in LoginHistory, keyed by connected app name and the integration's service user; note that event log files are delivered hourly or daily after the fact, so a 15-minute burst is found in hindsight unless real-time event monitoring or a streaming export is in place.

What Organizations Should Do

Salesforce customers, especially any that use or have used the Klue Battlecards integration, should take immediate action.

  1. Identify and revoke Klue OAuth tokens and the associated connected app (Setup > Connected Apps OAuth Usage shows which apps hold tokens and lets you block them; the OauthToken object lists issued tokens per app and user), and assume any data accessible to that integration may be compromised.
  2. Audit all third-party OAuth integrations connected to Salesforce, removing unused or over-permissioned connected apps and enforcing least privilege on those that remain: check each app's OAuth scopes and the profile and permission sets of the user that authorized it, since the token can read whatever that user can.
  3. Review Salesforce event monitoring and API logs for anomalous activity, particularly high-volume REST API query bursts, sustained multi-hour exfiltration windows, and reads of objects the integration does not normally touch, around mid-June 2026.
  4. Set alerting on integration service-account behavior, flagging unusual query rates, off-hours access, new source IPs, and bulk record enumeration relative to that integration's baseline.
  5. Require integration vendors to confirm their own incident response and service-account security posture, and treat their breaches as your breaches in tabletop planning.
  6. If exposure is confirmed, follow breach notification obligations and rotate any credentials or secrets that may have been stored within affected Salesforce records.
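The behavioral signals described under "The Attack Technique" and in steps 3 and 4 above can be turned into a triage script. The following is an added example written for this page; it is not code from the article, from Salesforce, ReliaQuest or Klue. It assumes the input is a CSV export of Salesforce EventLogFile rows of the "API" event type with the columns TIMESTAMP_DERIVED, USER_ID, CLIENT_NAME, ENTITY_NAME and ROWS_PROCESSED. The client names, user IDs, thresholds and the sample log are constructed for illustration: a slow overnight trickle from an integration user that turns into a 950-query burst, beside a benign business-hours reporting client.

```python
"""Behavioural triage of Salesforce event-log 'API' rows for OAuth-integration abuse.

Added example; not code from the article, Salesforce, ReliaQuest or Klue.
Assumptions: CSV export of the EventLogFile 'API' event type with the columns
TIMESTAMP_DERIVED, USER_ID, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED. Client
names, user IDs, thresholds and the sample log below are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"      # TIMESTAMP_DERIVED format in event log files
WINDOW = timedelta(minutes=15)        # the burst window quoted by ReliaQuest
EPOCH = datetime(1970, 1, 1)


def parse_api_events(csv_text):
    """CSV text -> list of row dicts with a parsed 'ts' datetime, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], TS_FMT)
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"] or 0)
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def peak_window(events, width=WINDOW):
    """Largest number of calls inside any sliding window of `width` (two pointers)."""
    best = start = 0
    for end, e in enumerate(events):
        while e["ts"] - events[start]["ts"] > width:
            start += 1
        best = max(best, end - start + 1)
    return best


def longest_session(events, gap=timedelta(minutes=30)):
    """Hours spanned by the longest run of calls with no idle gap longer than `gap`."""
    best, run_start = timedelta(0), events[0]["ts"]
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] - prev["ts"] > gap:
            best = max(best, prev["ts"] - run_start)
            run_start = cur["ts"]
    best = max(best, events[-1]["ts"] - run_start)
    return best / timedelta(hours=1)


def triage(csv_text, burst_calls=500, sustained_hours=6, shift_factor=5,
           business_hours=(8, 18)):
    """Score each (CLIENT_NAME, USER_ID) pair on: a query burst, a sustained
    exfiltration window, off-hours use, and a slow-then-burst rate shift
    (peak 15-minute bucket versus the median non-empty bucket)."""
    groups = defaultdict(list)
    for e in parse_api_events(csv_text):
        groups[(e["CLIENT_NAME"], e["USER_ID"])].append(e)
    findings = {}
    for key, evs in groups.items():
        buckets = Counter((e["ts"] - EPOCH) // WINDOW for e in evs)
        peak, hours = peak_window(evs), longest_session(evs)
        off_hours = sum(not business_hours[0] <= e["ts"].hour < business_hours[1] for e in evs)
        f = {
            "calls": len(evs),
            "rows": sum(e["ROWS_PROCESSED"] for e in evs),
            "entities": sorted({e["ENTITY_NAME"] for e in evs}),
            "peak_calls_15m": peak,
            "longest_session_h": round(hours, 1),
            "off_hours_calls": off_hours,
            "burst": peak >= burst_calls,
            "sustained": hours >= sustained_hours,
            "rate_shift": peak >= shift_factor * median(buckets.values()),
        }
        # a long window is only damning when the traffic is also off-hours or bursty
        f["flag"] = f["burst"] or f["rate_shift"] or (f["sustained"] and off_hours > len(evs) / 2)
        findings[key] = f
    return findings


def sample_log():
    """Constructed log (not real data): an integration user trickling queries
    overnight and then bursting, plus a benign business-hours reporting client."""
    lines = ["TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED"]

    def row(ts, user, client, entity, rows):
        lines.append(f"{ts.strftime(TS_FMT)},{user},{client},{entity},{rows}")

    ents = ["Account", "Contact", "Lead", "Opportunity"]
    t0 = datetime(2026, 6, 15, 22, 0, 0)   # slow pull: one call every 2 min for 7 h
    for i in range(210):
        row(t0 + timedelta(minutes=2 * i), "005INTSVC000001", "klue-battlecards", ents[i % 4], 200)
    t1 = datetime(2026, 6, 16, 5, 0, 0)    # burst: 950 calls inside 15 min
    for j in range(950):
        row(t1 + timedelta(seconds=900 * j / 950), "005INTSVC000001", "klue-battlecards", ents[j % 4], 2000)
    t2 = datetime(2026, 6, 16, 9, 0, 0)    # benign: one report every 10 min, 09:00-14:00
    for k in range(31):
        row(t2 + timedelta(minutes=10 * k), "005ANALYST00001", "internal-reporting", "Opportunity", 50)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for (client, user), f in triage(sample_log()).items():
        print(f"{client} / {user}: {'FLAG' if f['flag'] else 'ok'} {f}")
```

Run against a real export, the thresholds should be set per integration from its own history rather than fixed globally; a nightly sync job legitimately runs off-hours, and a dashboard client legitimately runs for a full business day, so the rate shift and the burst count carry more weight than either the session length or the off-hours count on their own.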

Sources: Salesforce Data Thefts Continue via Klue App Compromise