Klue Salesforce Integration Breach Exfiltrates CRM Data from Huntress and Recorded Future

The attack chain began with unauthorized access to Klue servers, followed by deployment of code that abused existing customer integrations. Salesforce detected the activity and disabled the Klue Battlecards app on June 17 after observing sustained extraction windows exceeding six hours. Huntress confirmed only business contacts, quotes, and sales data were taken; no agent telemetry or passwords were exposed. Recorded Future reported similar scoping limited to client contact fields.

Procurement and integration records show multiple defensive vendors rely on the same narrow set of SaaS connectors. This creates a single point where one OAuth token yields broad CRM access across unrelated organizations. The pattern matches prior Salesforce-targeted campaigns but uses a new extortion persona, Mr Brean, tied to Icarus infrastructure via Session IDs.

Independent technical indicators, including query volume and timing, diverge from ShinyHunters tradecraft previously linked to UNC6395. Official customer notices emphasize limited scope while remaining silent on how the initial server access occurred. The result is continued erosion of trust in the very platforms security firms use to manage customer relationships.

Additional affected vendors are likely to surface once contract disclosures and breach notifications propagate. Organizations should audit all OAuth grants to intelligence and sales platforms and enforce per-integration logging within the next 30 days.