HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

OAuth Token Compromise in Klue Integration Exposes Salesforce Contact Data for Recorded Future and Clients

Recorded Future disclosed that a breach at third‑party marketing vendor Klue compromised an OAuth token linking Klue to Salesforce, exposing client contact names, email addresses, and limited contract information. The incident highlights the need for continuous vendor‑risk monitoring and SOC 2‑aligned token management.

LiveThreat™ Intelligence · 📅 June 19, 2026· 📰 recordedfuture.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
recordedfuture.com

OAuth Token Compromise in Klue Integration Exposes Salesforce Contact Data for Recorded Future and Clients

What Happened — Recorded Future’s CSIRT learned that Klue, a third‑party marketing vendor, suffered unauthorized access to its integration layer on June 12 2026. The breach compromised an OAuth token used to connect Klue with Salesforce, allowing limited access to Recorded Future’s Salesforce records (client names, email addresses, and some contract details). The incident was contained the same morning, and no core platform or internal databases were accessed.

Why It Matters for Compliance & Audit Readiness

  • This scenario maps directly to SOC 2 CC6.1 (Vendor Management) and CC6.2 (Access Controls), which require continuous monitoring of third‑party integrations and evidence of token lifecycle management.
  • Demonstrating timely revocation of compromised credentials and documented investigations provides audit‑ready proof of due diligence.
  • Verisq’s Vendor Risk capability can continuously monitor third‑party OAuth tokens and surface anomalies as part of a defensible SOC 2 evidence set.

Who Is Affected — SaaS and technology firms that rely on third‑party marketing or CRM integrations (e.g., Salesforce‑connected vendors).

Recommended Actions

  • Conduct an immediate inventory of all OAuth tokens and third‑party integrations; rotate any that could be exposed.
  • Map the incident to SOC 2 controls CC6.1 and CC6.2, capture token revocation logs as audit evidence, and update vendor risk assessments.
  • Implement continuous monitoring of integration activity and enforce least‑privilege token scopes.

Technical Notes – The unauthorized activity originated from a compromised OAuth token in the Klue‑Salesforce integration layer. No malware or vulnerability exploit was reported; the breach leveraged stolen credentials. Affected data included Salesforce contact fields and limited contract information. Source: Recorded Future Blog

📰 Original Source
https://www.recordedfuture.com/blog/klue-security-incident

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →