Salesforce Halts Klue Integration After OAuth Token Breach

Salesforce has disabled the Klue Battlecards app integration following a security breach that compromised customer data. This action prevents organizations from connecting to Salesforce via the Klue app until further notice.

The security incident, detected on June 11, 2026, involved unauthorized access to customer data through the Klue app’s connection to Salesforce. Salesforce emphasized that this issue is specific to Klue’s app connection and does not stem from any vulnerability within the Salesforce platform.

The breach has been attributed to an extortion group known as Icarus, which accessed and exfiltrated data from Klue’s customers, including cybersecurity firm Huntress. The stolen data comprises business contacts, price quotes, and other sales-related information. Huntress confirmed that no threat data, passwords, payment card information, or engineering data related to their agent or telemetry were affected.

Klue’s investigation revealed that the attackers gained access through a compromised legacy credential associated with an integration service. This access allowed the attackers to obtain OAuth tokens used to connect Klue with third-party platforms, including Salesforce, and subsequently access data within several connected customer environments. Klue’s CEO, Jason Smith, stated that there is no evidence that customer content stored within the Klue platform was impacted.

In response to the breach, Klue has revoked affected credentials and tokens, removed unauthorized code, halted remote access, disabled potentially impacted integrations, and initiated a comprehensive investigation.

By June 16, 2026, some Huntress employees had received emails with the subject line “top secret email” and a warning stating: “Your Salesforce data has been downloaded … You have 48 hours to communicate with us. Do the right decision.” This indicates that the attackers are attempting to extort the affected companies.

The Icarus group has been active since April 28, 2026, and has claimed two victims to date. Their tactics resemble previous attacks by groups like ShinyHunters and UNC6395, which targeted Salesforce environments through third-party OAuth token abuse.

ReliaQuest’s analysis of the Klue integration abuse noted similarities with prior compromises involving Salesloft’s Drift and Gainsight applications that targeted Salesforce environments last year.

This incident underscores the importance of securing third-party integrations and regularly auditing their credentials, including legacy credentials and OAuth tokens of the kind abused here, to prevent unauthorized access. Organizations should review their integration practices and implement security measures that safeguard sensitive data.