Salesforce has confirmed it disabled the Klue Battlecards app integration within its platform following a security incident that exposed customer data, according to disclosures published June 19, 2026. The platform stated that organizations will be unable to connect to Salesforce via the Klue app until further notice while the investigation and remediation are underway.
Background
Klue is a competitive intelligence platform used by enterprise sales, product, and marketing teams to track competitor activity. Its Salesforce integration allows Klue to pull and push competitive battlecard data directly into CRM records, making it a high-value connector in sales-heavy organizations.
The incident originated on June 11, 2026, when unauthorized access was detected within Klue's environment. Attackers leveraged OAuth tokens associated with Klue's Salesforce app integration to query and exfiltrate data from downstream customer CRM tenants.
Salesforce's Response
Salesforce moved to disable the Klue Battlecards Connected App globally across its platform as a precautionary measure, effectively revoking the OAuth access path that attackers exploited. The company stated in its disclosure:
"Salesforce has disabled the Klue Battlecards app integration within our platform in response to a security incident impacting Klue on June 11, 2026. Organizations will be unable to connect to Salesforce via the app until further notice."
The platform indicated it is working with Klue on a remediated integration path, though no timeline for restoration has been announced. Affected customers are being notified through standard Salesforce communication channels.
What Data Was Exposed
The scope of data exposure depends on what each affected organization had stored in or accessible via their Salesforce CRM at the time of the incident. CRM systems typically contain:
- Customer and prospect contact records (names, email addresses, phone numbers)
- Sales pipeline and opportunity data
- Account relationship history
- Internal notes and activity records tied to accounts
- Custom fields that may include deal terms, pricing, or contract details
For organizations in the security industry — including Huntress and Recorded Future, both confirmed as affected — CRM data may additionally include information about security service contracts, incident response engagements, or customer vulnerability context.
Technical Mechanism: OAuth Token Abuse
The attack exploited a well-documented weakness in how OAuth 2.0 bearer tokens are used in SaaS-to-SaaS integrations: whoever holds a valid token can act with its granted scopes, regardless of who they are:
When Klue's Salesforce integration was provisioned by each customer, Salesforce issued an OAuth access token (and typically a refresh token) granting Klue API access to that customer's org. These tokens are stored in Klue's infrastructure to enable the ongoing sync of competitive intelligence data.
When attackers compromised Klue's environment, they gained access to these stored tokens. Using the tokens, they could make direct API calls to the Salesforce orgs of Klue's customers, authenticated as the Klue application rather than as any individual user. This bypasses MFA: MFA is enforced when a user authorizes the app, not on each later use of the token, so it is a user authentication control, not an application token control.
The attack is silent from the Salesforce customer's perspective: the API calls originate from a trusted, pre-authorized application identity.
Indicators and Detection
Organizations that had the Klue Salesforce integration active should review their Salesforce Event Monitoring logs for:
- High-volume API queries from the Klue Connected App identity in the June 11–19 timeframe
- Unusual query patterns (large record set pulls, queries spanning multiple object types simultaneously)
- API access occurring outside normal business hours
For Salesforce orgs with Event Monitoring enabled (a Platform license feature), these logs can be queried directly. For orgs without Event Monitoring, Salesforce Support may be able to assist with log retrieval.
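The three indicators above can be computed mechanically from an exported API event log. The following is an added example written for this article, not code from Salesforce or Klue: it parses CSV rows shaped like the Salesforce EventLogFile "API" event type (the column names TIMESTAMP_DERIVED, USER_NAME, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED and URI are assumptions to map onto your own export), restricts to one connected app name in the June 11–19 window, and reports large pulls, off-hours calls, and hours in which several object types were queried together. The log rows, the business-hours range and the thresholds are all constructed for illustration.

```python
"""Triage Salesforce API event log rows for abuse of a connected app identity.

Added example for this article, not code from Salesforce or Klue. Column
names are modelled on the Salesforce EventLogFile "API" event type
(TIMESTAMP_DERIVED, USER_NAME, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED,
URI); treat them as assumptions and map them to the columns in your export.
All log rows below are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows: two routine syncs before the incident window, a burst
# of large multi-object pulls at 02:00 UTC inside it, and one unrelated user call.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,URI
API,2026-06-10T14:02:11.000Z,integration@example.com,Klue Battlecards,Account,250,/services/data/v60.0/query
API,2026-06-10T14:05:40.000Z,integration@example.com,Klue Battlecards,Opportunity,180,/services/data/v60.0/query
API,2026-06-12T02:13:05.000Z,integration@example.com,Klue Battlecards,Contact,20000,/services/data/v60.0/query
API,2026-06-12T02:14:30.000Z,integration@example.com,Klue Battlecards,Opportunity,15000,/services/data/v60.0/query
API,2026-06-12T02:15:02.000Z,integration@example.com,Klue Battlecards,Account,9000,/services/data/v60.0/query
API,2026-06-12T02:15:40.000Z,integration@example.com,Klue Battlecards,Task,12000,/services/data/v60.0/query
API,2026-06-12T10:30:00.000Z,alice@example.com,Salesforce for Outlook,Contact,5,/services/data/v60.0/query
"""

APP_NAME = "Klue Battlecards"                              # CLIENT_NAME of the app under review
WINDOW_START = datetime(2026, 6, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 20, tzinfo=timezone.utc)    # exclusive: June 11 through June 19
BUSINESS_HOURS = (8, 18)      # assumed working hours in UTC; tune to the org's locale
LARGE_PULL_ROWS = 5000        # assumed threshold for a "large record set" pull
MULTI_OBJECT_MIN = 3          # distinct object types within one hour that count as a burst


def parse_rows(text):
    """Parse CSV event log text into dicts carrying a UTC datetime and an int row count."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rec["ts"] = ts.replace(tzinfo=timezone.utc)
        rec["rows"] = int(rec["ROWS_PROCESSED"] or 0)
        rows.append(rec)
    return rows


def triage(rows, app_name, start, end):
    """Compute the article's three indicators for one connected app inside a time window."""
    in_scope = [r for r in rows if r["CLIENT_NAME"] == app_name and start <= r["ts"] < end]
    # Indicator 2: single calls returning an unusually large record set.
    large_pulls = [(r["ts"].isoformat(), r["ENTITY_NAME"], r["rows"])
                   for r in in_scope if r["rows"] >= LARGE_PULL_ROWS]
    # Indicator 3: calls outside the assumed business-hours range.
    off_hours = sum(1 for r in in_scope
                    if not BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1])
    # Indicator 2 again: many object types queried within the same hour bucket.
    objects_by_hour = defaultdict(set)
    for r in in_scope:
        objects_by_hour[r["ts"].strftime("%Y-%m-%dT%H")].add(r["ENTITY_NAME"])
    bursts = sorted((hour, len(objs)) for hour, objs in objects_by_hour.items()
                    if len(objs) >= MULTI_OBJECT_MIN)
    return {
        "calls": len(in_scope),                             # Indicator 1: volume from the app
        "total_rows": sum(r["rows"] for r in in_scope),
        "large_pulls": large_pulls,
        "off_hours_calls": off_hours,
        "multi_object_bursts": bursts,
    }


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_LOG), APP_NAME, WINDOW_START, WINDOW_END)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against the constructed rows the two June 10 syncs fall outside the window and the Outlook call belongs to another app, so only the four 02:00 UTC calls are scored: all four exceed the row threshold, all four are off-hours, and together they touch four object types in one hour. Compare the same numbers for the weeks before June 11 to establish what the integration's normal sync looked like before deciding that a burst is abnormal.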
Recommended Actions
Immediate:
- Confirm your organization's Salesforce instance had or has a Klue Battlecards Connected App by navigating to Setup > Connected Apps OAuth Usage
- If present (even in a disabled state post-Salesforce action), revoke the associated OAuth tokens under Setup > OAuth and OpenID Connect Settings > OAuth Token
- Pull Salesforce Event Log file data (if available) for API access events in the June 11–19 window
Short-term:
- Notify your legal or privacy team if customer PII is stored in Salesforce — breach notification obligations may apply depending on jurisdiction
- Conduct a broader audit of all Connected Apps in your Salesforce environment; remove any apps not actively in use
- For any third-party integration granted broad CRM access, review and restrict permissions to the minimum scope required
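The token revocation step under "Immediate" and the Connected Apps audit under "Short-term" both start from the same inventory: which apps hold OAuth tokens in the org, for which users, and when each token was last used. The following is an added example for this article, not Salesforce's own tooling. It assumes an export of the standard OauthToken object with the fields AppName, UserId, LastUsedDate and UseCount (confirm these against your org; the SOQL string is the author's assumption), flags every token belonging to the app under review for revocation, flags tokens unused for longer than an assumed policy window, and gives a per-app count so unused apps stand out. The token rows are constructed.

```python
"""Audit exported OAuth tokens for a Salesforce org: which apps hold tokens,
which tokens belong to an app under review, and which grants have gone stale.

Added example for this article, not Salesforce's own tooling. The input shape
follows the standard OauthToken object fields (AppName, UserId, LastUsedDate,
UseCount) as assumed by the author; confirm against your org's export. The
SOQL string and the sample rows are assumptions and constructed data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Query assumed to produce the export (run it with your usual tooling, e.g. the sf CLI).
EXPORT_SOQL = "SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken"

# Constructed sample export; none of these ids, users or apps beyond the article's are real.
SAMPLE_TOKENS = [
    {"Id": "T1", "AppName": "Klue Battlecards", "UserId": "U1",
     "LastUsedDate": "2026-06-12T02:15:40.000Z", "UseCount": 4000},
    {"Id": "T2", "AppName": "Klue Battlecards", "UserId": "U2",
     "LastUsedDate": "2026-05-01T09:00:00.000Z", "UseCount": 300},
    {"Id": "T3", "AppName": "Salesforce for Outlook", "UserId": "U3",
     "LastUsedDate": "2026-06-18T16:20:00.000Z", "UseCount": 50},
    {"Id": "T4", "AppName": "LegacyReportingTool", "UserId": "U4",
     "LastUsedDate": "2025-12-01T11:00:00.000Z", "UseCount": 2},
    {"Id": "T5", "AppName": "DataLoader", "UserId": "U5",
     "LastUsedDate": None, "UseCount": 0},
]

NOW = datetime(2026, 6, 20, tzinfo=timezone.utc)   # fixed so the example is reproducible
STALE_AFTER = timedelta(days=90)                    # assumed policy for unused grants


def _parse(ts):
    """LastUsedDate is null for a token that has never been used."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_tokens(tokens, apps_under_review, now=NOW, stale_after=STALE_AFTER):
    """Classify tokens: revoke-now (named apps), stale (unused too long), and a per-app census.

    A never-used token counts as stale: it is an open grant with no business use.
    """
    revoke_now, stale = [], []
    for t in tokens:
        if t["AppName"] in apps_under_review:
            revoke_now.append(t["Id"])
        last = _parse(t["LastUsedDate"])
        if last is None or now - last > stale_after:
            stale.append(t["Id"])
    per_app = Counter(t["AppName"] for t in tokens)
    return {"revoke_now": revoke_now, "stale": stale, "per_app": dict(per_app)}


def users_granting(tokens, app_name):
    """Which users authorized this app; each is a consent that may need to be re-done later."""
    return sorted({t["UserId"] for t in tokens if t["AppName"] == app_name})


if __name__ == "__main__":
    report = audit_tokens(SAMPLE_TOKENS, {"Klue Battlecards"})
    print("revoke now:", report["revoke_now"])
    print("stale grants:", report["stale"])
    print("tokens per app:", report["per_app"])
    print("users who authorized Klue:", users_granting(SAMPLE_TOKENS, "Klue Battlecards"))
```

Revoking the token rows the script names still has to be done in Setup (or through the API) and, as the article notes, should happen even if Salesforce has already disabled the app; the stale list is the input to the broader Connected Apps cleanup, and the per-app census is the list to compare against what the business actually still uses.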
Broader Implications
The Klue incident is the latest in a pattern of CRM supply chain attacks tracked through 2026. The Icarus campaign, linked by researchers to the Klue breach, has previously targeted SaaS vendors with broad Salesforce integrations as an efficient path to high-value customer data across multiple victim organizations simultaneously.
The economics are straightforward for attackers: compromising one mid-tier SaaS vendor can yield access to dozens or hundreds of downstream enterprise CRM environments. This makes the SaaS integration layer a high-return target that security teams are still learning to monitor effectively.
As enterprise software ecosystems become more interconnected, the security posture of every vendor in the SaaS stack becomes part of the enterprise's own security posture. The Klue incident is a clear reminder that OAuth access grants made during SaaS onboarding carry ongoing risk that doesn't expire when the employee who set up the integration moves on.