A single compromised vendor has rippled across the Salesforce ecosystem. Market intelligence platform Klue confirmed that an attacker breached part of its integration infrastructure and stole the OAuth tokens its customers use to connect Klue to their own systems. Using those stolen integration credentials, the attacker then generated fresh Salesforce API tokens, giving them direct query access to connected customer environments.
Through those tokens, the attacker reached into connected Salesforce accounts and pulled business records from a string of companies, many of them security firms. That concentration is significant: security vendors’ CRM data can include customer infrastructure details, contract information, and support records that carry intelligence value beyond ordinary business contacts.
According to a June 22 update from Klue chief executive Jason Smith, the activity began on June 12 and traced back to a compromised legacy credential tied to an integration service. This was an old account that had not been rotated or deprovisioned, the kind that persists in many organizations long after its original purpose has passed.
Klue revoked the affected tokens, removed the unauthorized code, disabled its integrations, and brought in CrowdStrike.
Salesforce separately disabled the Klue Battlecards app on June 17, stressing the problem sat with the integration, not its own platform.
Security vendor ReliaQuest, which detected the activity and alerted Klue, traced the method. The attacker authenticated through the integration account, generated tokens, and ran automated queries against the Salesforce API to harvest records over roughly 24 hours.
ReliaQuest assessed that the campaign echoes the OAuth-abuse attacks that hit the Salesforce ecosystem through 2025 and 2026. ReliaQuest was itself among the affected organizations, making it notable that its own detection capabilities identified the activity and prompted Klue’s response.
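The pattern ReliaQuest traced, an integration account issuing new tokens and then running automated queries for about a day, can be hunted for in API audit data. The Python below is an added example, not code from Klue, Salesforce or ReliaQuest; the event tuples, account names and thresholds are constructed assumptions, not a real Salesforce log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event kind, rows returned).
# Field layout and account names are assumptions, not a real Salesforce log schema.
BASE = datetime(2024, 1, 10)
EVENTS = (
    # Legacy integration account: 5 tokens and 40 bulk queries inside ~20 hours.
    [(BASE + timedelta(hours=4 * i), "svc-legacy-integration", "token_issued", 0) for i in range(5)]
    + [(BASE + timedelta(minutes=30 * i), "svc-legacy-integration", "query", 2000) for i in range(40)]
    # Healthy integration: a token every 12 hours, a modest query every 6 hours.
    + [(BASE + timedelta(hours=12 * i), "svc-sync", "token_issued", 0) for i in range(6)]
    + [(BASE + timedelta(hours=6 * i), "svc-sync", "query", 1000) for i in range(12)]
)

def flag_accounts(events, window=timedelta(hours=24), max_tokens=3, max_rows=50_000):
    """Flag accounts that exceed both the token-issuance and rows-returned
    thresholds inside any sliding window; report the first crossing."""
    per_account = defaultdict(list)
    for ts, account, kind, rows in events:
        per_account[account].append((ts, kind, rows))
    findings = {}
    for account, evs in per_account.items():
        evs.sort()
        start = tokens = total = 0
        for ts, kind, rows in evs:
            tokens += (kind == "token_issued")
            total += rows
            # Evict events that have fallen out of the window.
            while ts - evs[start][0] > window:
                tokens -= (evs[start][1] == "token_issued")
                total -= evs[start][2]
                start += 1
            if tokens > max_tokens and total > max_rows:
                findings[account] = {"at": ts, "tokens": tokens, "rows": total}
                break
    return findings

if __name__ == "__main__":
    for account, hit in flag_accounts(EVENTS).items():
        print(f"{account}: {hit['tokens']} tokens, {hit['rows']} rows by {hit['at']}")
```

Requiring both conditions keeps a busy but healthy integration, which queries steadily on long-lived tokens, from being flagged; thresholds should be baselined per integration account.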
A Password Manager Among the Affected
The victim list keeps growing. Huntress, Recorded Future, Tanium, Jamf, and others have confirmed exposure, each saying only CRM and business data was touched and their own products were not affected.
LastPass is among them. In a public disclosure, the password manager said the Klue integration had exposed standard business contact details and sales records, as well as support case data held in its Salesforce environment.
It stressed that its products and infrastructure were untouched, customer vaults were not breached, and there was no evidence the attacker reached its Gong data. The exposed tokens have been rotated and employee access to Klue cut off.
ShinyHunters claimed responsibility for the breach in a June 21 post, according to ReliaQuest, which noted the message carried a contact handle that may tie the group to a newer extortion crew called Icarus. Icarus has since listed Klue on its leak site, though a firm technical attribution has not been confirmed.
Affected organizations should revoke and rotate every token tied to the integration, refresh tokens included, and watch out for phishing that exploits the stolen contact data.