Salesforce has disabled the Klue Battlecards integration after attackers abused it to reach customers' CRM data. No Salesforce vulnerability was involved — and that's exactly why this one is worth understanding.
What happened
As reported by The Hacker News, attackers got into Klue (a competitive-intelligence app) through a long-disused but still-active legacy credential. Once inside, they harvested the OAuth tokens Klue held for its customers' connections to platforms such as Salesforce, HubSpot, SharePoint, Slack and Google Drive, and used those tokens to quietly pull large volumes of CRM data. Because an OAuth token is issued only after a user has already logged in and approved the app, it works on its own: no password, no MFA prompt and no phishing were needed. A newer extortion group calling itself Icarus has claimed the attack, with affected organisations reportedly including Huntress and Recorded Future. It follows the same pattern as a wave of similar SaaS supply-chain attacks over the past year.
Why it matters to you
If you use Salesforce, Microsoft 365 or any popular cloud platform, you've almost certainly clicked "allow" to connect third-party apps. Each of those connections holds a token that can read your data — and if the app vendor is breached, that token is the attacker's key. The trust you place in your software supplier becomes your risk.
What to do
- Audit your connected apps. Review which third-party apps have access and remove the ones you no longer use. In Salesforce this is Setup > Connected Apps OAuth Usage; in Microsoft 365 it is Enterprise applications in the Microsoft Entra admin centre; in Google Workspace it is Security > API controls in the Admin console. Pay attention to last-used dates and to which users granted the access, since a grant nobody remembers is the one most likely to be abused.
- Apply least privilege: only grant integrations the scopes they genuinely need, and prefer read-only access where the tool works with it. A competitive-intelligence tool that only reads opportunity data has no reason to hold write access or blanket access to your whole CRM.
- Rotate and revoke tokens periodically, and immediately if a vendor reports an incident. Revoke on your own platform (Salesforce, Microsoft 365, Google Workspace), not just in the vendor's portal: revoking the grant at your end invalidates the refresh token the vendor holds, so an attacker's stolen copy stops working even if the vendor has not yet contained the breach. After an incident like this one, also check your platform's audit logs for unusual API volume or bulk exports from the integration's user account.
- Adopt a "zero trust" mindset: an integration is not trusted just because someone approved it once. Treat each one as an identity with its own access review, the same as a staff account, whether it sits inside or outside your network.
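To show what the checklist above looks like as a repeatable process, here is an added example (our illustration, not code from the original article, from Klue or from Salesforce). It triages an inventory of OAuth grants against a simple policy (vendor-reported breach or stale grant: revoke; unapproved app or broad scopes: review) and builds the request for Salesforce's documented token-revocation endpoint. The grant inventory, app names and users are constructed for the example; in practice you would export them from the platform, and the per-grant scope list is a simplification, since Salesforce records scopes on the connected app rather than on each token.

```python
"""Triage third-party OAuth grants and build the Salesforce revoke call.

Added example, not from the original post. All grants below are
constructed; in a real audit you would export them from the platform
(for Salesforce: Setup > Connected Apps OAuth Usage, or a SOQL query on
the OauthToken object).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode

# Scopes that let an integration read or write arbitrary CRM data, or mint
# fresh access tokens on its own. Worth a second look even when in use.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}


@dataclass
class Grant:
    app: str
    user: str
    scopes: set
    last_used: Optional[datetime]  # None means never used since consent


@dataclass
class Finding:
    app: str
    user: str
    action: str  # "revoke" or "review"
    reason: str


def triage_grants(grants, now, allowlist, stale_days=90, breached_apps=frozenset()):
    """Return one Finding per grant that needs action, in priority order:
    vendor breach -> stale/never used -> not approved -> broad scopes."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for g in grants:
        if g.app in breached_apps:
            findings.append(Finding(g.app, g.user, "revoke", "vendor reported a breach"))
        elif g.last_used is None:
            findings.append(Finding(g.app, g.user, "revoke", "never used since consent"))
        elif g.last_used < cutoff:
            findings.append(Finding(g.app, g.user, "revoke", f"unused since {g.last_used.date()}"))
        elif g.app not in allowlist:
            findings.append(Finding(g.app, g.user, "review", "app not on approved list"))
        elif g.scopes & BROAD_SCOPES:
            broad = ", ".join(sorted(g.scopes & BROAD_SCOPES))
            findings.append(Finding(g.app, g.user, "review", f"broad scopes: {broad}"))
    return findings


def salesforce_revoke_request(token, login_host="login.salesforce.com"):
    """Build (but do not send) the POST that revokes one Salesforce OAuth
    token via /services/oauth2/revoke. Revoking a refresh token also
    invalidates the access tokens issued from it. You can only call this
    for a token value you hold; for grants held solely by a vendor, use
    Block on the Connected Apps OAuth Usage page instead."""
    return {
        "method": "POST",
        "url": f"https://{login_host}/services/oauth2/revoke",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": token}),
    }


# Constructed sample inventory (hypothetical apps and users).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ALLOWLIST = frozenset({"ci-app", "calendar-sync"})
GRANTS = [
    Grant("ci-app", "alice@example.com", {"api", "refresh_token"}, NOW - timedelta(days=2)),
    Grant("old-exporter", "bob@example.com", {"api"}, NOW - timedelta(days=200)),
    Grant("never-used-tool", "carol@example.com", {"id", "profile"}, None),
    Grant("calendar-sync", "dave@example.com", {"id", "email"}, NOW - timedelta(days=1)),
    Grant("shadow-it", "erin@example.com", {"full"}, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    # Routine review, then the same inventory after the CI vendor reports a breach.
    for label, breached in (("routine", frozenset()), ("vendor breach", {"ci-app"})):
        print(f"== {label} ==")
        for f in triage_grants(GRANTS, NOW, ALLOWLIST, breached_apps=breached):
            print(f"{f.action:6} {f.app:16} {f.user:18} {f.reason}")
    print(salesforce_revoke_request("example-refresh-token"))
```

Run as a script it prints the routine review (four findings, with the approved calendar app untouched) and then the post-breach run, in which the competitive-intelligence app moves from "review" to "revoke" regardless of how recently it was used.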
This is the kind of thing we review as part of a security health-check.
Worried about how any of this applies to your organisation? Get in touch and we'll talk it through — no jargon, no pressure.
Source: Salesforce Disables Klue App Integration After OAuth Token Abuse — The Hacker News