It wasn't a zero-day. Not a phishing email. Not a misconfigured S3 bucket.
It was a credential nobody remembered they'd left on.
Klue, a competitive-intelligence platform that connects to Salesforce, HubSpot, and Gong, had built an integration years ago — a prototype, meant to be scrapped. The credential used to authenticate that integration? Never revoked. Never audited. Just… sitting there, like an old key under the mat.
On June 11, 2026, an attacker found it. They didn't brute-force it. They didn't guess it. They just… clicked.
And suddenly, they were inside Klue's backend.
What happened next was terrifying in its simplicity: they pushed a code update. A silent, invisible payload. Not malware. Not ransomware. Just a script that waited, listened, and harvested OAuth tokens — the very keys that allowed Klue's customers to access their own Salesforce instances.
By the time Klue's team noticed the anomaly on June 12 — unusual outbound connections, strange API calls — the damage was already done. They removed the code on June 13. But the tokens? They were already in the wild.
This isn't a hack. It's a ghost story.
And the ghost? It's every stale integration you've ever ignored.
The OAuth Token Avalanche
Here's the brutal truth: OAuth tokens are the silent currency of modern SaaS.
They let apps talk to apps without asking users to log in again. They're supposed to be secure. They're supposed to be temporary. They're supposed to be scoped.
But in practice? They're long-lived. Overprivileged. And rarely monitored.
The attacker didn't need to break into Salesforce. They didn't need to crack passwords. They didn't need to phish employees.
They just needed to use Klue's own authorized tokens — the ones granted by Huntress, LastPass, Recorded Future, Tanium — to log in as those companies.
And then? They started querying.
Obsidian Security's analysis showed the attacker used a standard SOQL query against the Salesforce Global Describe object — a move that's almost never seen in legitimate integrations. Why? Because it maps every single object in the CRM: Accounts, Contacts, Opportunities, Cases, even custom fields you forgot you created.
Then came the real horror: QueryMore.
This isn't a single API call. It's a loop. A thousand, ten thousand, sometimes a hundred thousand fetches, streaming data out in batches. It's how you exfiltrate 13.9 million records.
And here's the kicker: they used Python-urllib/3.12. Not the python-httpx/[version] that Klue's integration had always used. Not v64.0 of the Salesforce API. But v59.0 — an older, less scrutinized version.
It wasn't just stealth. It was precision.
Who Got Hit? (And What Did They Lose?)
The list of victims reads like a who's who of cybersecurity:
- Huntress: Business contacts, price quotes, opportunity notes, subscription details — all gone. No passwords. No telemetry. But enough to make a phishing email feel terrifyingly real.
- LastPass: Customer data accessed in Salesforce. But their vaults? Still safe. The attacker didn't touch passwords. They touched people.
- Gong: Internal licensed user data — names, titles, emails — exposed for customers who'd connected Klue to their Gong accounts. No call recordings. No transcripts. Just the metadata of who you talked to.
- Recorded Future: "Not specifically targeted," they said. Just collateral damage from being a Klue customer.
- HackerOne, Snyk, Jamf, OneTrust, Insurity, Tanium, Sprout Social — all confirmed.
The pattern? No one was targeted for their IP. No one was targeted for their secrets. Everyone was targeted because they trusted Klue.
And that's the real vulnerability.
The Icarus Gang: A New Kind of Extortionist
This wasn't just theft. It was extortion.
A group calling itself "Icarus" emerged on June 19, posting partial data on a dark web leak site. They didn't encrypt anything. They didn't delete files. They just… published.
And then they waited.
Their extortion emails? Came from domains like house.com.au and robinskitchen.com.au — subsidiaries of an Australian retail company. Not hackers. Not criminals. Just… compromised infrastructure.
Huntress confirmed the emails matched Session messenger IDs tied to Icarus's leak site. The group claimed to have been active since April 28 — and had already hit two other victims before Klue.
What's chilling isn't the data. It's the method.
They didn't demand Bitcoin. They didn't threaten to delete files. They just said: "Contact us. Or we'll post more."
And now, every customer of every Klue-connected company has to wonder: is that email from my sales rep… or from Icarus?
The IOCs: A Map of the Attack
Here's what the attackers left behind — the fingerprints:
- IPs: 138.226.246.94 (Netherlands), 212.86.125.24 (France), 213.111.148.90 (Ukraine), 94.154.32.160 (Netherlands)
- User Agents: python-urllib/3.12 and python-urllib/3.14 — not python-httpx
- API Version: v59.0, not v64.0
- Domains Used for Extortion: house.com.au, robinskitchen.com.au, baccarat.com.au
- Leak Site: gofile.io
These aren't just IOCs. They're a trail.
And if you're a security team? You're supposed to be looking for them.
But here's the problem: most teams don't even know what their integrations are doing.
The Pattern: This Has Happened Before
This isn't new.
In 2025, ShinyHunters compromised Salesloft. Used OAuth tokens. Exfiltrated data from 700+ companies.
The same playbook.
Same technique.
Same blind spot.
Huntress warned us: "The OAuth-abuse playbook is repeatable, effective, and now widely adopted."
And they're right.
Every time a company says, "We trust this vendor," they're handing over a key to their house.
And then they wonder why the door was unlocked.
What You Can Do — Right Now
If you're a customer of Klue, or any third-party integration:
- Revoke all OAuth tokens tied to Klue. Not just for Salesforce. For HubSpot. For Gong. For Slack. For Google Drive. All of them.
- Rotate refresh tokens. OAuth tokens are just the first layer. Refresh tokens? They're the master key.
- Audit your Salesforce API logs. Look for QueryMore patterns. Look for python-urllib. Look for v59.0. Look for IPs that aren't Google.
- Check your spam folder. Icarus's emails are in there. Don't ignore them.
- Audit dormant credentials. Find every integration you haven't used in 6 months. Kill it. Then kill it again.
- Talk to your vendors. Ask: "What OAuth tokens do you hold? What scopes do they have? How often are they rotated?"
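The anomalies described in the Obsidian analysis above (a Global Describe pull, the QueryMore loop, the python-urllib user agent, the older API version, the listed IPs) and the "audit your Salesforce API logs" step in this checklist, turned into a small detection pass over sample log lines. This is an added example, not code from Klue, Obsidian or any of the sources; the log format and column names are constructed and simplified rather than the real Salesforce EventLogFile schema, and the burst threshold is an assumption.

```python
import csv, io
from collections import defaultdict

# Indicators quoted in the article: attacker IPs, user agent family, API version.
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
EXPECTED_UA_PREFIX = "python-httpx/"  # what the Klue integration normally sent
EXPECTED_API_VERSION = 64.0           # the API version the integration normally used
QUERYMORE_BURST = 50                  # assumed threshold; the real loop ran into the thousands

# Constructed, simplified sample log (not the real EventLogFile schema): one normal session, one abuse session.
_rows = ["timestamp,client_ip,user_agent,api_version,method,rows_processed",
         "2026-06-12T01:00:00Z,203.0.113.10,python-httpx/0.27,64.0,query,200",
         "2026-06-12T01:05:00Z,138.226.246.94,Python-urllib/3.12,59.0,describeGlobal,0",
         "2026-06-12T01:05:05Z,138.226.246.94,Python-urllib/3.12,59.0,query,2000"]
_rows += [f"2026-06-12T01:05:{6 + i:02d}Z,138.226.246.94,Python-urllib/3.12,59.0,queryMore,2000"
          for i in range(54)]  # 54 queryMore fetches in under a minute
SAMPLE_LOG = "\n".join(_rows)


def analyze(log_text):
    """Return {client_ip: {finding: detail}} for sessions matching the abuse pattern."""
    per_ip = defaultdict(lambda: {"querymore": 0, "rows": 0, "uas": set(),
                                  "versions": set(), "describe": False})
    for rec in csv.DictReader(io.StringIO(log_text)):
        s = per_ip[rec["client_ip"]]
        s["uas"].add(rec["user_agent"])
        s["versions"].add(float(rec["api_version"]))
        if rec["method"] == "describeGlobal":  # full object map: rare for real integrations
            s["describe"] = True
        elif rec["method"] == "queryMore":     # the batch exfiltration loop
            s["querymore"] += 1
            s["rows"] += int(rec["rows_processed"])
    findings = {}
    for ip, s in per_ip.items():
        f = {}
        if ip in IOC_IPS:
            f["ioc_ip"] = ip
        if s["describe"]:
            f["global_describe"] = "entire CRM object map pulled"
        if s["querymore"] >= QUERYMORE_BURST:
            f["querymore_burst"] = f'{s["querymore"]} calls, {s["rows"]} rows'
        odd_ua = sorted(u for u in s["uas"] if not u.lower().startswith(EXPECTED_UA_PREFIX))
        if odd_ua:
            f["user_agent"] = odd_ua
        old = sorted(v for v in s["versions"] if v < EXPECTED_API_VERSION)
        if old:
            f["api_version"] = old
        if f:
            findings[ip] = f
    return findings
```

Run `analyze(SAMPLE_LOG)`: the legitimate python-httpx session produces no findings, while the attacker IP is flagged on every rule at once, which is the combination worth alerting on rather than any single indicator.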
And if you're a vendor?
Stop treating integrations like toys.
They're not add-ons.
They're attack surfaces.
And if you're still using a credential from a prototype that was abandoned in 2022?
You're not being clever.
You're being negligent.
The Real Lesson
The Klue breach wasn't about Klue.
It was about us.
We've built a world where every app talks to every other app. Where trust is automatic. Where access is granted once — and never questioned.
We thought OAuth was a convenience.
It's not.
It's a liability.
And until we start treating it like one — until we monitor, rotate, revoke, and audit those tokens like the nuclear codes they are — this will keep happening.
The ghost is still in the machine.
And it's still hungry.
Sources
- Dark Reading: Scope of Salesforce Attacks Expands as Icarus Leaks Data
- CSO Online: Klue breach exposed Salesforce CRM data through stolen OAuth tokens
- Obsidian Security: Technical Analysis of the Klue Attack
- RH-ISAC: Icarus Threat Group Claims Salesforce Data Theft in Klue Supply Chain Breach
This article was written by Harper Lock, a security automation engineer who once spent three weeks debugging a credential that had been left active since 2019. He still has nightmares about it.