HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

OAuth Token Theft in Klue Integration Leads to Bulk Salesforce Data Exfiltration

The Icarus extortion group leveraged a compromised legacy Klue Battlecards OAuth token to bypass Salesforce security controls and extract large volumes of customer records from multiple organizations. The breach highlights the risks of unmanaged third‑party integrations and the need for robust vendor‑risk and access‑control monitoring in SOC 2 programs.

LiveThreat™ Intelligence · 📅 June 22, 2026· 📰 hackread.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
hackread.com

OAuth Token Theft in Klue Integration Leads to Bulk Salesforce Data Exfiltration

What Happened — The Icarus extortion group obtained a legacy Klue Battlecards OAuth token, used it to bypass Salesforce’s security controls, and extracted large volumes of customer records from multiple organizations. Salesforce responded by disabling the Klue integration for affected accounts.

Why It Matters for Compliance & Audit Readiness

  • Credential‑based breaches of third‑party integrations are a classic failure of SOC 2 vendor‑management controls (CC6.1 Vendor Management, CC6.2 Risk Assessment).
  • Continuous monitoring of OAuth token usage provides the audit evidence needed to demonstrate due diligence and a defensible control environment.
  • Maintaining an up‑to‑date vendor risk register and evidence of token rotation satisfies both security and privacy criteria in a SOC 2 audit.

Who Is Affected – SaaS/CRM platforms (Salesforce), their enterprise customers, and any organization that had enabled the Klue Battlecards integration.

Recommended Actions

  • Inventory all third‑party OAuth tokens and immediately revoke any that are legacy or unused.
  • Enforce token rotation and MFA for integration service accounts.
  • Add the Klue integration to your vendor‑risk register and conduct a SOC 2‑aligned risk assessment.
  • Deploy continuous monitoring of token activity and anomalous data export alerts; retain logs as audit evidence.

Technical Notes – The attack leveraged stolen OAuth credentials (no public CVE). Data exfiltrated included contact, account, and opportunity records stored in Salesforce. Source: HackRead

📰 Original Source
https://hackread.com/salesforce-disables-klue-integration-oauth-token-data/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →