HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Attackers Compromise Klue, Hijack OAuth Tokens to Exfiltrate Salesforce Customer Data

Attackers breached the SaaS vendor Klue, stole OAuth tokens, and used them to pull data from customers’ Salesforce environments, illustrating a supply‑chain credential compromise that challenges SOC 2 vendor‑management controls.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 darkreading.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
darkreading.com

Attackers Compromise Klue, Hijack OAuth Tokens to Exfiltrate Salesforce Customer Data

What Happened — Attackers breached the SaaS vendor Klue, extracted OAuth refresh tokens, and used those tokens to gain unauthorized access to customers’ Salesforce environments, downloading contact, opportunity, and custom‑object data. The incident expands the “Icarus” campaign that targets Salesforce users through compromised third‑party integrations.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates the need for SOC 2 vendor‑management controls that require continuous monitoring of third‑party token issuance and revocation.
  • Highlights the importance of maintaining auditable evidence (token‑lifecycle logs, revocation policies) to satisfy the Security and Availability criteria.
  • Shows how a supply‑chain credential compromise can cascade into a data‑exposure event, underscoring the value of Verisq’s vendor‑risk capability for audit evidence.

Who Is Affected — SaaS providers, CRM platforms, and their enterprise customers across technology, financial services, and other sectors that integrate with third‑party applications.

Recommended Actions

  • Review and tighten OAuth token issuance, storage, and revocation processes for all third‑party integrations.
  • Incorporate continuous vendor‑risk monitoring into your SOC 2 audit program, capturing evidence of token‑lifecycle management.
  • Conduct a focused risk assessment of all applications that have access to critical CRM data and update contracts to include security‑by‑design clauses.

Source: Dark Reading

Technical Notes — The attackers leveraged stolen OAuth refresh tokens from Klue’s integration, allowing them to generate fresh access tokens without user interaction. No specific CVE was cited; the vector is credential theft via a compromised third‑party application. Exfiltrated data included contact records, opportunity details, and custom object fields from Salesforce.

📰 Original Source
https://www.darkreading.com/cyberattacks-data-breaches/scope-salesforce-attacks-expands-icarus-leaks-data

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →