OAuth Token Compromise in Klue Integration Exposes Salesforce Contact Data for Recorded Future and Clients
What Happened — Recorded Future’s CSIRT learned that Klue, a third‑party marketing vendor, suffered unauthorized access to its integration layer on June 12 2026. The breach compromised an OAuth token used to connect Klue with Salesforce, allowing limited access to Recorded Future’s Salesforce records (client names, email addresses, and some contract details). The incident was contained the same morning, and no core platform or internal databases were accessed.
Why It Matters for Compliance & Audit Readiness
- This scenario maps directly to SOC 2 CC6.1 (Vendor Management) and CC6.2 (Access Controls), which require continuous monitoring of third‑party integrations and evidence of token lifecycle management.
- Demonstrating timely revocation of compromised credentials and documented investigations provides audit‑ready proof of due diligence.
- Verisq’s Vendor Risk capability can continuously monitor third‑party OAuth tokens and surface anomalies as part of a defensible SOC 2 evidence set.
Who Is Affected — SaaS and technology firms that rely on third‑party marketing or CRM integrations (e.g., Salesforce‑connected vendors).
Recommended Actions
- Conduct an immediate inventory of all OAuth tokens and third‑party integrations; rotate any that could be exposed.
- Map the incident to SOC 2 controls CC6.1 and CC6.2, capture token revocation logs as audit evidence, and update vendor risk assessments.
- Implement continuous monitoring of integration activity and enforce least‑privilege token scopes.
Technical Notes – The unauthorized activity originated from a compromised OAuth token in the Klue‑Salesforce integration layer. No malware or vulnerability exploit was reported; the breach leveraged stolen credentials. Affected data included Salesforce contact fields and limited contract information. Source: Recorded Future Blog