Two years ago, someone on your sales team connected a tool to your CRM. Maybe it was a competitive-research app, a meeting recorder, a data-enrichment plugin. They clicked “Authorize,” granted it access, used it for a few months, and then moved on. The tool got quietly dropped from the workflow. Nobody revoked the connection. Nobody remembered it was there.
That forgotten connection is exactly how a wave of companies just had their Salesforce data stolen.
In June 2026, attackers breached Klue, a competitive-intelligence platform that sales teams use to build “battlecards” and win-loss programs. The breach itself is notable. What makes it worth every business owner’s attention is how the data got out — because the mechanism has nothing to do with Klue specifically, and everything to do with how every modern business connects its software together.
What Actually Happened
Klue identified unauthorized activity in its integration infrastructure on June 12, 2026. According to the company and the security firms investigating it, the attacker got in through a long-disused credential — one Klue had created to prototype an integration it later abandoned, and never fully shut off. From there, the attacker pushed malicious code into Klue’s environment that harvested the OAuth tokens Klue’s customers used to connect the product to their own systems.
With those tokens in hand, the attacker queried customers’ Salesforce environments directly, running automated scripts against Salesforce’s API to pull CRM records. Salesforce disabled the Klue Battlecards integration on June 17 and was direct about one point: this was not a vulnerability in Salesforce. The platform did what it was designed to do. The token was valid, so the access was granted.
A new extortion group calling itself Icarus claimed the attack and began emailing victims with 48-hour ransom demands. The confirmed victim list grew quickly and included a number of well-known technology and security companies. The stolen data was business contacts, sales communications, price quotes, competitive intelligence, and account records — not passwords or payment cards, but exactly the kind of information that fuels follow-on phishing and social-engineering campaigns.
This is the same playbook that hit Salesforce customers through the Salesloft Drift compromise in 2025 and the Gainsight compromise later that year. The target keeps changing. The method doesn’t.
The Part That Should Worry You
Here is the line from the investigation that every business leader should sit with: the attacker didn’t need a password. They didn’t need to defeat multi-factor authentication. They didn’t phish an employee. They had a valid token, and from Salesforce’s point of view, that token was the trusted app. Access granted.
Connected apps are what security teams call non-human identities. They hold persistent, often broad access to sensitive data, and they’re almost never watched as closely as employee accounts. An employee logging in from a strange location at 3 a.m. trips an alert. A “trusted” integration running an automated query loop for hours often does not. That gap is the whole game.
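The gap described above, closed in miniature: this added example (not code from Klue, Salesforce, or the investigating firms) scores each integration's API activity the way an employee login would be scored. The log layout, app names, allow-list, and thresholds are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(\S+) app=(\S+) ip=(\S+) rows=(\d+)")  # assumed log layout
# Assumed allow-list of source IPs each integration normally calls from.
KNOWN_IPS = {"InvoiceExport": {"198.51.100.7"}, "SalesToolSync": {"198.51.100.20"}}

def build_sample():
    """Constructed log: one routine job, plus a query loop from an unknown IP."""
    lines = ["2026-06-10T02:00:00 app=InvoiceExport ip=198.51.100.7 rows=150"]
    start = datetime(2026, 6, 10, 1, 0)
    for i in range(24):  # one query every 10 minutes for 4 hours
        ts = (start + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} app=SalesToolSync ip=203.0.113.50 rows=2000")
    return lines

def detect(lines, max_rows=10_000, max_hours=2):
    """Return {app: [findings]} for integrations whose API use looks like a bulk pull."""
    rows, hours, ips = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts, app, ip, n = m.groups()
        rows[app] += int(n)
        hours[app].add(datetime.fromisoformat(ts).replace(minute=0, second=0))
        ips[app].add(ip)
    findings = {}
    for app in rows:
        found = []
        if rows[app] > max_rows:
            found.append(f"{rows[app]} rows pulled")
        if len(hours[app]) > max_hours:
            found.append(f"active in {len(hours[app])} separate hours")
        unknown = ips[app] - KNOWN_IPS.get(app, set())
        if unknown:
            found.append("unrecognized source IP " + ", ".join(sorted(unknown)))
        if found:
            findings[app] = found
    return findings

if __name__ == "__main__":
    for app, found in detect(build_sample()).items():
        print(f"ALERT {app}: " + "; ".join(found))
```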
And the exposure scales with how modern your business is. A company running on cloud software has accumulated authorization grants across dozens of systems — CRM, email, file storage, scheduling, analytics, marketing automation. Each “Connect with Google” or “Authorize Salesforce access” button created a standing key. Most businesses have never inventoried those keys, and no single person knows the full list. That isn’t negligence. It’s the natural result of adopting software quickly and deferring the cleanup that never feels urgent — until a vendor you forgot about becomes the way attackers reach the data you can’t afford to lose.
What to Do This Month
You don’t need an enterprise security budget to close most of this gap. You need to look. Three actions, in order:
- Inventory your connected apps. In Salesforce, Microsoft 365, Google Workspace, HubSpot — wherever your core data lives — pull the list of authorized third-party apps and OAuth grants. Most businesses are surprised by the length of the list and by how many entries no one recognizes.
- Revoke what you don’t use. Every app that’s no longer part of an active workflow is a standing key with no owner. Remove it. The Klue incident happened through exactly this kind of leftover connection — an integration that was functionally dead but still authorized.
- Scope and monitor what stays. For the integrations you genuinely rely on, confirm they have the least access they need to do their job, not blanket permissions. Where your platform allows it, restrict integration access to known IP addresses, and turn on monitoring for unusual API activity so an automated data pull doesn’t run for hours unnoticed.
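One way to work through the three actions once the list is exported, shown as an added example that is not from any vendor's tooling: it sorts each grant into revoke, tighten, or keep. The CSV column names, scope labels, 90-day idle threshold, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export of OAuth grants. Column names and scope labels
# are assumptions for illustration, not any platform's real export schema.
SAMPLE_EXPORT = """app_name,owner,scopes,last_used,ip_restricted
Meeting Recorder,,full refresh_token,2024-05-02,no
Sales Tool Sync,sales-ops,api refresh_token,2026-06-10,no
Invoice Export,finance,api,2026-06-18,yes
Enrichment Plugin,,full,2025-01-15,no
"""

BROAD_SCOPES = {"full"}   # assumption: scopes treated as blanket access
STALE_AFTER_DAYS = 90     # assumption: idle threshold for "no longer used"

def triage(export_text, today):
    """Return {app_name: (action, reasons)} for each authorized app."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        idle = (today - date.fromisoformat(row["last_used"])).days
        if idle > STALE_AFTER_DAYS:
            # Step 2: a grant nobody uses is a standing key with no owner.
            results[row["app_name"]] = ("REVOKE", [f"unused for {idle} days"])
            continue
        # Step 3: the grant stays, so check scope, restriction and ownership.
        reasons = []
        if BROAD_SCOPES & set(row["scopes"].split()):
            reasons.append("blanket scope")
        if row["ip_restricted"].strip().lower() != "yes":
            reasons.append("no IP restriction")
        if not row["owner"].strip():
            reasons.append("no named owner")
        results[row["app_name"]] = ("TIGHTEN" if reasons else "KEEP", reasons)
    return results

if __name__ == "__main__":
    for app, (action, why) in triage(SAMPLE_EXPORT, date(2026, 6, 22)).items():
        print(f"{action:8} {app}: {', '.join(why) or 'scoped and restricted'}")
```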
The uncomfortable truth of this breach is that the affected companies didn’t do anything dramatic wrong. They authorized a normal business tool and got on with their work. The risk accumulated quietly in the background. The businesses that come through the next one of these in good shape will be the ones who looked at their connected-app list before a vendor’s name showed up in the news.
Sources
- Salesforce disabled the Klue Battlecards integration after detecting unauthorized access via the app’s connection to Salesforce — The Hacker News (June 2026), https://thehackernews.com/2026/06/salesforce-disables-klue-app.html
- Attackers used a long-disused but still-active Klue credential, then stole customer OAuth tokens to query Salesforce directly; victims include multiple technology and security firms — BleepingComputer (June 2026), https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
- Klue confirmed it discovered unauthorized activity June 12, engaged CrowdStrike, and notified law enforcement; the Icarus extortion group claimed the attack — BleepingComputer (June 2026), https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/
- ReliaQuest analysis: any third-party app with OAuth access to a core platform is part of the attack surface and should be inventoried, monitored, and scoped to least privilege; same playbook as Salesloft Drift and Gainsight — ReliaQuest Threat Spotlight (June 2026), https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft/
- Salesforce confirmed the incident was limited to Klue’s app connection and not a Salesforce platform vulnerability; updated victim reporting — Dark Reading (June 22, 2026), https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise
Since 2002, centrexIT has helped businesses across the western U.S. keep their data secure as their software stack grows. Connected-app and vendor risk is one of the blind spots we help clients close — before it becomes an incident. Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/