
Klue: SaaS supply chain compromise through long-lived OAuth tokens

Written by:

ThreatLocker Threat Intelligence

On June 12, 2026, Klue identified unauthorized activity affecting its integration infrastructure. The incident, best described as a SaaS supply chain compromise, used long-lived OAuth tokens to connect to Klue customer instances.

According to current public analysis, the incident doesn’t appear to be tied to any Salesforce core-platform vulnerabilities. At the time of writing, Salesforce has disabled connections to Klue’s Battlecards app to prevent further impact.

The prior Salesloft Drift incident follows a similar chain of events, with both incidents involving the abuse of trusted third-party OAuth integrations.  

Google’s Threat Intelligence group reported that UNC6395 utilized the same tactics when compromising Salesloft Drift instances to access Salesforce customer instances. The compromise resulted in large volumes of data exfiltration roughly between August 8 and August 18, 2025.  

While nothing has been verified at the time of writing, the two incidents share a strong connection in the TTPs observed.

How the Klue compromise happened

Based on publicly available reporting, the attackers obtained initial access to Klue through compromised legacy credentials tied to service accounts. Adversaries pivoted to Klue’s integration infrastructure with the goal of collecting customer OAuth tokens through token-theft code.  

With the ability to harvest OAuth tokens, attackers could reach Klue customers' instances, including SaaS platforms such as Salesforce. Once successfully authenticated on customer instances, attackers can abuse trusted integrations, identify additional SaaS environments, and begin the preliminary stages of data exfiltration.

Attackers were observed using automated REST API calls to enumerate Salesforce objects, query records, and extract CRM records.

The breach was initially attributed to ShinyHunters, UNC6395; however, it is now attributed to a new threat actor, Icarus. Icarus has already posted a brief description of the situation on its dedicated leak site (DLS), claiming the data is “borrowed – not stolen.”

Organizations and their partners should maintain a high level of vigilance in the coming days and weeks as uninformed and/or unsuspecting organizations may still fall victim to additional campaigns.  

Threat actors may abuse data in their possession to conduct highly sophisticated phishing campaigns, elaborate social engineering campaigns, and potential invoice scams.

Mitigations

  • Revoke current OAuth tokens and refresh tokens associated with Klue or Klue-connected apps. Do not treat standalone password resets as sufficient.
  • Rotate service account credentials, including connected app secrets, API keys, and other sensitive credentials associated with Klue, to prevent downstream incidents.
  • Disable, quarantine, or strictly monitor Klue integrations for ownership details, scope of the account(s), suspicious account activity, and any third-party or vendor activity.
  • Revoke active sessions and audit Salesforce instances, review event monitoring, request vendor logs, and harden any connected app(s) that are business essential.

How ThreatLocker can help

Zero Trust Cloud Access (ZTCA) restricts access to SaaS applications to approved devices. This would have stopped attackers from being able to use stolen credentials or replay stolen tokens to gain access to Klue’s cloud environment.

Additionally, it’s believed that the attackers pushed code to Klue’s servers to collect OAuth tokens used by their customers. ThreatLocker Application Allowlisting could have blocked the unapproved code from executing while Ringfencing™ would have contained what it could access and stopped it from exfiltrating customer tokens.

IOCs

IP addresses and Domains


gofile[.]io – legitimate service; however, it can be used maliciously for data exfiltration

Salesforce REST paths

/services/data/v59.0/sobjects

/services/data/v59.0/query

/services/data/v59.0/query/<STRING>

User-Agent

Python-urllib/3.12

Python-urllib/3.14

blank / empty

5238

Email/extortion phrases

top secret email

Your data has been downloaded

your data was exfiled due to a breach happening to your partner, Klue.com (ask them)
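As an added example (not from the original post or from ThreatLocker), the following Python scans access-log lines for the Salesforce REST paths and User-Agent values listed above, flagging only requests that match both so that ordinary API traffic to the same endpoints is not reported. The log format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators from the IOC section above: Salesforce REST paths and User-Agent values.
SUSPECT_PATHS = ("/services/data/v59.0/sobjects", "/services/data/v59.0/query")
SUSPECT_AGENTS = {"Python-urllib/3.12", "Python-urllib/3.14", ""}  # "" = blank/empty UA

# Constructed sample log (assumed format): client_ip "METHOD path" status "user-agent"
SAMPLE_LOG = """\
10.0.0.5 "GET /services/data/v59.0/sobjects" 200 "Python-urllib/3.12"
10.0.0.5 "GET /services/data/v59.0/query?q=SELECT+Id+FROM+Account" 200 "Python-urllib/3.14"
10.0.0.7 "GET /services/data/v59.0/query/01gEXAMPLELOCATOR" 200 ""
10.0.0.9 "GET /services/data/v59.0/query?q=SELECT+Name+FROM+Contact" 200 "Mozilla/5.0"
10.0.0.9 "POST /services/oauth2/token" 200 "Python-urllib/3.12"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

@dataclass(frozen=True)
class Hit:
    ip: str
    path: str
    user_agent: str
    reasons: tuple

def classify(line: str):
    """Flag a request only when it matches BOTH a listed REST path and a listed User-Agent;
    the paths are ordinary Salesforce endpoints, so the path alone would be too noisy."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    path = m["path"].split("?", 1)[0]  # compare without the query string
    ua = m["ua"]
    reasons = []
    if path.startswith(SUSPECT_PATHS):
        reasons.append("ioc_rest_path")
    if ua in SUSPECT_AGENTS:
        reasons.append("ioc_user_agent" if ua else "empty_user_agent")
    return Hit(m["ip"], path, ua, tuple(reasons)) if len(reasons) == 2 else None

def scan(log: str) -> list:
    return [h for h in map(classify, log.splitlines()) if h is not None]

def hits_by_ip(log: str) -> dict:
    """Count matching requests per client IP; a burst from one source suggests automation."""
    return dict(Counter(h.ip for h in scan(log)))
```

Feed it real Salesforce event monitoring or proxy logs after adjusting LINE_RE to their field layout; the per-IP counts are a starting point for spotting scripted enumeration rather than a verdict on their own.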

