The Klue Breach: When a Trusted AI Tool Becomes Your Salesforce Attack Path

Valence Security
June 22, 2026

An AI-powered competitive intelligence tool just became the latest entry point into Salesforce environments. Klue is an AI platform that helps sales and product marketing teams with competitive research and win-loss analysis, and to do that work it connects directly into the CRM, pulling and pushing data through a trusted, standing integration. That is exactly the kind of AI-driven app that has quietly proliferated across the enterprise over the past two years, often connected by business users and rarely scrutinized by security teams. The Klue breach is a reminder that every one of those AI tools inherits access to the systems it touches, and becomes part of your attack surface the moment it does.

On June 17, 2026, Salesforce disabled the connection between the Klue Battlecards app and Salesforce after detecting unusual activity tied to the integration. In the days that followed, at least ten organizations publicly confirmed, each through its own disclosure, that data had been stolen from their environments through Klue's compromised access, including Huntress, HackerOne, Snyk, Recorded Future, Tanium, Jamf, Gong, OneTrust, Sprout Social, and Insurity. Klue has not disclosed how many of its customers were affected.

The mechanics will feel familiar. Attackers did not breach Salesforce. They did not phish a privileged admin or exploit a platform vulnerability. They stole the OAuth tokens that Klue used to connect to its customers' Salesforce instances, and then used that trusted access to quietly pull CRM data at scale.

This is the same playbook behind the Salesloft Drift and Gainsight incidents that defined SaaS security in 2025 and 2026. Klue is just the latest in a growing line of trusted integrations turned into entry points, and it almost certainly will not be the last. This post breaks down what happened, why this keeps recurring, and what security teams should do right now.

What Happened

Klue is a competitive intelligence and "battlecards" platform used by sales and product marketing teams. It integrates with Salesforce and other systems to surface competitor insights directly inside the tools those teams already use, which means it holds standing, always-on access to customer CRM data through its own OAuth grant. That trusted, long-lived access is exactly what made it a target.

Here is how the attack unfolded, based on what Klue, Salesforce, and Huntress (one of the affected customers) have each said publicly:

  • Initial access through a forgotten credential. The attacker got in through a compromised legacy credential tied to an integration service: a long-disused but still active credential that Klue had originally created to prototype a third-party integration it later abandoned.
  • Token harvesting begins June 11. The intrusion at Klue began on June 11, when anomalous behavior appeared in the system that connects Klue to other software platforms. The attacker deployed unauthorized code into that system capable of collecting the OAuth tokens Klue's customers had issued to connect Klue to their own systems.
  • Data theft via stolen tokens. With those harvested tokens, which covered Klue's connections to third-party platforms including Salesforce, the attacker queried connected customers' CRM environments directly and exfiltrated data. Huntress later confirmed its own exposure by reviewing its Salesforce query logs: the bulk of the malicious requests targeted the Salesforce query API, including roughly 900 queries issued from Python-based clients.
  • Detection on June 12 and response. Klue identified the unauthorized activity on June 12 and moved quickly to contain it: revoking affected credentials and tokens, removing the unauthorized code, launching a full investigation, and notifying law enforcement. It deactivated OAuth credentials for all customers, brought in CrowdStrike to support and validate its response, and temporarily disabled its integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack before issuing a general customer alert on June 13.
  • Salesforce disables the app on June 17. Salesforce disabled the connection between the Klue Battlecards app and Salesforce after detecting unusual activity that may have resulted in unauthorized access to a subset of customer data through the app's connection. The issue was limited to Klue's app connection and did not stem from a vulnerability in the Salesforce platform.

The through-line across all three statements is consistent: this was not a Salesforce platform vulnerability, and Klue found no evidence that customer content stored within the Klue platform itself was impacted. The exposure was limited to the third-party integration, which is precisely the point.
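Huntress's confirmation came from reading its own Salesforce query logs. The sweep below, added here as an illustration and not code from Klue, Salesforce, Huntress or Valence, runs the same kind of checks over a handful of constructed log rows: matches against a placeholder IOC IP list, a burst of calls to the query API from one user and IP, a Python HTTP user agent on an integration user, and an unusually large number of rows pulled. The column names are assumptions loosely modelled on Salesforce EventLogFile API events, the IPs are documentation ranges and the user IDs are placeholders.

```python
"""Sweep constructed Salesforce-style API event rows for the signs Huntress
described: bulk calls to the query API from scripted (Python) clients,
plus matches against vendor-published attacker IPs."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. The column names are an assumption modelled on
# Salesforce EventLogFile API event fields; the IPs are documentation
# ranges and the user IDs are placeholders, not real indicators.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,USER_AGENT,URI,ROWS_PROCESSED
2026-06-11T22:00:04.000Z,005INTEGRATION01,203.0.113.7,python-requests/2.31.0,/services/data/v60.0/query,2000
2026-06-11T22:00:09.000Z,005INTEGRATION01,203.0.113.7,python-requests/2.31.0,/services/data/v60.0/query,2000
2026-06-11T22:00:14.000Z,005INTEGRATION01,203.0.113.7,python-requests/2.31.0,/services/data/v60.0/query,2000
2026-06-11T22:00:19.000Z,005INTEGRATION01,203.0.113.7,python-requests/2.31.0,/services/data/v60.0/query,2000
2026-06-11T22:00:24.000Z,005INTEGRATION01,203.0.113.7,python-requests/2.31.0,/services/data/v60.0/query,2000
2026-06-11T22:00:29.000Z,005INTEGRATION01,203.0.113.7,python-requests/2.31.0,/services/data/v60.0/query,2000
2026-06-11T09:15:02.000Z,005INTEGRATION01,198.51.100.20,Klue-Integration/1.0,/services/data/v60.0/query,25
2026-06-11T09:45:11.000Z,005INTEGRATION01,198.51.100.20,Klue-Integration/1.0,/services/data/v60.0/sobjects/Opportunity,1
2026-06-11T10:02:40.000Z,005SALESREP00001,192.0.2.44,Mozilla/5.0,/services/data/v60.0/query,10
"""

# Placeholder IOC list standing in for the attacker IPs Klue shared with customers.
IOC_IPS = {"203.0.113.7"}


def parse_rows(text):
    """Parse CSV rows and add typed timestamp / row-count fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    return rows


def is_query_api(uri):
    """True for the REST SOQL endpoint (/services/data/vXX.X/query)."""
    return uri.rstrip("/").endswith("/query")


def burst_sources(rows, window=timedelta(minutes=5), threshold=5):
    """(user, ip) pairs that made more than `threshold` query-API calls
    inside any `window`-long sliding interval."""
    times = defaultdict(list)
    for r in rows:
        if is_query_api(r["URI"]):
            times[(r["USER_ID"], r["CLIENT_IP"])].append(r["ts"])
    hits = set()
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > threshold:
                hits.add(src)
                break
    return hits


def triage(rows, ioc_ips, burst_threshold=5, bulk_rows=5000):
    """Map each suspicious (user, ip) source to the reasons it was flagged."""
    per_src = {}
    for r in rows:
        s = per_src.setdefault((r["USER_ID"], r["CLIENT_IP"]),
                               {"rows": 0, "agents": set()})
        s["rows"] += r["rows"]
        s["agents"].add(r["USER_AGENT"])
    bursts = burst_sources(rows, threshold=burst_threshold)
    findings = {}
    for src, s in per_src.items():
        reasons = []
        if src[1] in ioc_ips:
            reasons.append("client IP matches published IOC")
        # Heuristic (assumption): a Python HTTP library user agent on an
        # integration user that normally presents its vendor's UA is worth a look.
        if any(a.lower().startswith("python") for a in s["agents"]):
            reasons.append("scripted Python client")
        if src in bursts:
            reasons.append(f"query-API burst (>{burst_threshold} calls in 5 min)")
        if s["rows"] >= bulk_rows:
            reasons.append(f"bulk pull ({s['rows']} rows)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, why in triage(parse_rows(SAMPLE_LOG), IOC_IPS).items():
        print(src, "->", "; ".join(why))
```

The thresholds are deliberately low so the toy data trips them. Against real Event Monitoring exports you would first baseline the integration user's normal query rate, client IPs and user agent, then alert on departures from that baseline; the point of keying on (user, IP) rather than user alone is that a stolen token is used by the same integration user, so only the source and the behaviour change.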

What Was Taken, and Who Is Behind It

The stolen data is the kind of record that lives in a typical sales org. Huntress, which has been transparent about its own exposure, reported that the data copied from its Salesforce environment included business contact information (full names, work emails, job titles, phone numbers, and business addresses), business names, products trialed or used, subscription and pricing details, marketing and sales communications, and opportunity notes. Huntress was equally clear about what was not affected: no passwords, no payment card or PCI data, no threat intelligence, and no product telemetry. The disclosures from other affected companies describe similar categories of CRM data, primarily business contact details and account information. Klue, for its part, stated there is no evidence that customer content stored within the Klue platform itself was impacted.

On its own, CRM data may sound less alarming than credentials or financial records, but it is high-value fuel for follow-on attacks. It enables highly targeted phishing and social engineering against named contacts, exposes deal cycles and competitive positioning, and provides reconnaissance for reaching adjacent systems.

Huntress attributes the attack with high confidence to a new extortion group calling itself Icarus, which the group claims has been active since late April 2026. Huntress linked the activity to Icarus through matching Session Messenger IDs that appeared both in the extortion emails sent to its staff and on the Icarus dark web leak site, where Klue is now listed. The attackers are pressuring victims to negotiate through the Session messaging platform. That a newer entrant, rather than the groups tied to earlier Salesforce-ecosystem incidents, ran this playbook underscores how widely the technique of abusing trusted integrations has now spread.

Why This Keeps Happening

The Klue breach is not an isolated event. It is the latest expression of a structural problem in how organizations secure SaaS, and the rapid adoption of AI tools is pouring fuel on it. Attackers have learned that compromising a trusted integration is far easier than breaching a hardened platform like Salesforce directly, and a single compromised vendor can unlock data across hundreds of downstream environments at once.

AI tools like Klue make this worse in two ways. To deliver their value, they need broad, often read-write access to the very systems that hold your most sensitive data, the CRM being a prime example. And because they promise immediate productivity gains, they get adopted fast, frequently connected by sales, marketing, or revenue teams without a security review. The result is a growing population of AI integrations with deep access and little oversight, each one a potential path to your data.

Underneath nearly all of these AI and SaaS integrations sits the same mechanism: the OAuth token. Tokens are at the center of this shift for a few reasons:

  • They bypass MFA. A valid token is already-granted access. MFA, if it was enforced at all, was satisfied once when a user authorized the app, and it is never rechecked when the token is presented, so no password, no prompt, and no second factor stands between a stolen token and the data.
  • They are persistent. Refresh tokens commonly live until someone explicitly revokes them, and the short-lived access tokens minted from them are renewed silently, so a stolen refresh token is standing access.
  • They are broadly scoped. Integrations frequently carry far more read and write access than they actively need, and every token inherits the full set of scopes the app was granted.
  • They are approved by business users. Integrations are often connected by sales or marketing teams who do not evaluate the security implications.
  • They blend in. API calls made with an integration's token are attributed to that integration's user, so malicious queries look like normal operations and hide in the noise.

Put simply, the real attack surface is not just your business-critical apps. It is every non-human identity, token, AI tool, and SaaS-to-SaaS integration connected to them. As AI adoption accelerates, that ecosystem is expanding faster than most security teams can see it, and the ecosystem is the attack surface.

What Security Teams Should Do Now

If your organization connected Klue to any of its supported platforms, treat the access granted to that integration as compromised and act now. The attack centered on Salesforce, but Klue also integrates with HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack, so your review should span every system Klue could reach, not Salesforce alone. More broadly, this is a prompt to harden your entire integration layer.

  1. Review logs for indicators of compromise and suspicious activity. Cross-reference Klue's published IOCs, including the attacker IP addresses it shared with customers, against logs from Salesforce and every other connected platform. Look for unusual query volume, bulk data exports, access from unfamiliar infrastructure or client software, and any unexpected changes. Because the attack relied on harvested tokens, revoke the integration's active sessions and refresh tokens and rotate any associated credentials rather than assuming a disabled integration is enough.
  2. Inventory your integrations, enforce least privilege, and cut what you do not need. Klue is one app; map every AI tool and SaaS-to-SaaS integration with access to your critical systems, then revoke anything unused, unapproved, or over-permissioned and scope what remains to the minimum access it requires. Confirm business-owner approval for both new and existing connections.
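Step 2 in code form, added here as an illustration rather than Valence's or Klue's tooling: a small triage over a constructed grant inventory that revokes what is compromised, unapproved or stale and cuts scopes back to what each app needs, which is also the practical answer to the persistence and over-scoping points in the previous section. The record fields follow Salesforce's OauthToken object (AppName, UserId, LastUsedDate, UseCount), but the Scopes field, the approved-app policy with its required scopes, the review date and every record value are assumptions.

```python
"""Triage a constructed inventory of connected-app grants against an
approved-app policy: revoke what is compromised, unapproved or stale, and
cut scopes back to what each app's job needs."""
from datetime import datetime, timedelta

# Assumed review date, shortly after the advisory.
NOW = datetime(2026, 6, 18)

# Assumed policy: which apps are sanctioned and the scopes their job needs.
# Scope names are Salesforce OAuth scope identifiers; the mapping of app to
# required scopes is an assumption, not Klue's or Gong's documented needs.
APPROVED = {
    "Klue Battlecards": {"api", "refresh_token"},
    "Gong": {"api", "refresh_token"},
}

# Constructed grant records. Field names follow the Salesforce OauthToken
# object (AppName, UserId, LastUsedDate, UseCount); "Scopes" is assumed to
# come from the connected app's definition, since OauthToken does not carry it.
GRANTS = [
    {"Id": "0Ja000000000001", "AppName": "Klue Battlecards", "UserId": "005INTEGRATION01",
     "LastUsedDate": datetime(2026, 6, 11, 22, 0), "UseCount": 913,
     "Scopes": {"api", "refresh_token", "full"}},
    {"Id": "0Ja000000000002", "AppName": "Gong", "UserId": "005INTEGRATION02",
     "LastUsedDate": datetime(2026, 6, 17, 8, 30), "UseCount": 40,
     "Scopes": {"api", "refresh_token"}},
    {"Id": "0Ja000000000003", "AppName": "Prototype Sync", "UserId": "005ADMIN0000001",
     "LastUsedDate": datetime(2025, 9, 2), "UseCount": 3,
     "Scopes": {"api", "web", "refresh_token"}},
    {"Id": "0Ja000000000004", "AppName": "Gong", "UserId": "005SALESREP00001",
     "LastUsedDate": None, "UseCount": 0,
     "Scopes": {"api", "refresh_token"}},
]


def triage_grants(grants, approved, now, compromised=(), stale_days=90):
    """Return {grant Id: [actions]} for grants needing revocation or scope cuts."""
    actions = {}
    for g in grants:
        todo = []
        app = g["AppName"]
        if app in compromised:
            todo.append("revoke: vendor reported compromised")
        if app not in approved:
            todo.append("revoke: app not in approved inventory")
        last = g["LastUsedDate"]
        # A grant that was never used, or not used within the window, is dead weight.
        if last is None or now - last > timedelta(days=stale_days):
            todo.append(f"revoke: unused for more than {stale_days} days")
        if app in approved:
            # "full" or any other scope beyond the documented need is excess.
            excess = g["Scopes"] - approved[app]
            if excess:
                todo.append("reduce scope: " + ", ".join(sorted(excess)))
        if todo:
            actions[g["Id"]] = todo
    return actions


def revoke_list(actions):
    """Grant Ids whose actions include at least one revocation."""
    return sorted(i for i, todo in actions.items()
                  if any(a.startswith("revoke") for a in todo))


if __name__ == "__main__":
    result = triage_grants(GRANTS, APPROVED, NOW, compromised=("Klue Battlecards",))
    for grant_id, todo in result.items():
        print(grant_id, "->", "; ".join(todo))
    print("revoke:", revoke_list(result))
```

In a live Salesforce org the grant records would come from a query over OauthToken and the scopes from each connected app's definition; the policy table is the part that needs a human owner, because it encodes which apps the business has actually approved and for what, and that is the information most organizations are missing when an advisory lands.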

These are the same fundamentals that apply to every OAuth incident, because the next compromised app will follow the same pattern.

How Valence Helps

Most organizations do not have a complete inventory of the integrations their business units have connected to Salesforce, let alone visibility into what those integrations can access or how they are behaving. That gap is exactly what attackers are exploiting.

Valence provides continuous, identity-aware visibility and control across your SaaS and AI ecosystem, including Salesforce. With Valence, security teams can:

  • Discover every SaaS app, integration, and AI tool connected across the business, including shadow and unmanaged apps.
  • See detailed OAuth scopes, permissions, and access behavior for every connected app and non-human identity.
  • Identify unused, risky, or over-permissioned integrations before they are abused.
  • Continuously monitor for suspicious API activity and anomalous integration behavior.
  • Operationalize remediation, including token rotation, permission reduction, and integration cleanup, through automated workflows.

The difference is the ability to know exactly what your integrations can do and what they are doing, rather than waiting for a vendor advisory to tell you where to look.

Conclusion

Klue had legitimate, trusted access to Salesforce CRM data. The moment its OAuth tokens were compromised, so did the attacker. That is the SaaS supply chain problem in its clearest form: the breach does not come through your perimeter, your identity provider, or your network. It walks in through an integration your team approved, scoped, and largely forgot about.

The organizations best positioned to prevent or contain the next incident are the ones that treat integrations, tokens, and non-human identities as first-class parts of their attack surface today, not after the advisory lands.

If you want to understand whether similar exposures exist in your environment, schedule a demo.
