Salesforce has disabled the connection between its platform and Klue Battlecards after a security incident involving the abuse of OAuth tokens. The company took the action as a precautionary measure after investigators discovered that attackers had used a compromised Klue integration to access customer data stored in Salesforce environments. Reports indicate that the issue was linked to a third-party application and not to a vulnerability in Salesforce itself.

According to security researchers, attackers gained access through compromised Klue service accounts connected to Salesforce. Using OAuth tokens generated through those accounts, they were able to authenticate and interact with Salesforce APIs without needing Salesforce usernames or passwords. This allowed them to retrieve information directly from affected customer environments.

Researchers observed that the attackers used automated scripts to collect large volumes of CRM data. The activity included querying Salesforce objects and retrieving records through the Salesforce REST API over an extended period. In some cases, investigators detected a burst of hundreds of queries in a short time frame, suggesting an effort to rapidly extract information before detection.

The incident was first identified by cybersecurity firm ReliaQuest, which analyzed the attack activity and shared technical details. Investigators found evidence that the attackers leveraged trusted integration access rather than exploiting a software flaw. Because the OAuth tokens were already authorized, the malicious activity appeared similar to legitimate application traffic.

Salesforce responded by suspending all connections between Salesforce and the Klue Battlecards application. The company stated that the measure was designed to protect customers while the investigation continues. Salesforce also emphasized that the incident did not originate from a weakness in the core Salesforce platform but was associated with a connected third-party application.

Security experts say the attack highlights the growing risks associated with OAuth-based integrations. Once granted, OAuth tokens can provide long-term access to connected systems. If attackers obtain those tokens, they may be able to access sensitive business information without triggering traditional authentication controls such as passwords or multi-factor authentication challenges.

The Klue incident is also part of a broader trend involving attacks against trusted SaaS integrations. Similar campaigns in recent years targeted other Salesforce-connected applications, showing how attackers increasingly focus on third-party services as a path into valuable business environments. These incidents demonstrate that the security of connected applications can directly affect the security of customer data.

Organizations that use Salesforce integrations are being advised to review connected applications, monitor OAuth activity, and revoke access that is no longer required. Security teams are also encouraged to audit service accounts and investigate unusual API activity. The incident serves as another reminder that third-party integrations can become a critical security risk when trusted access is abused by attackers.
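One concrete way to act on the advice above is to watch API call volume per connected application, since the report describes the attackers' activity as bursts of hundreds of REST queries in a short window from an already-authorized integration. The script below is an added example, not code from the report, from ReliaQuest or from Salesforce: it builds a constructed JSON-lines log (the field names `timestamp`, `connected_app`, `user`, `method` and `uri`, the app names `battlecards-sync` and `quote-tool`, and the API version placeholder `vNN.N` are all assumptions, not Salesforce's actual event schema) and flags any connected app whose call count inside a sliding five-minute window reaches a threshold.

```python
"""Flag connected apps that issue a burst of API calls in a short window.

Added example for illustration; the log format is a constructed JSON-lines
layout, not Salesforce's EventLogFile schema, and the app names, users and
API version below are hypothetical.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Return constructed API events: one bursting app, one quiet app."""
    base = datetime(2026, 1, 15, 3, 0, tzinfo=timezone.utc)
    lines = []
    # Burst: 130 paged record queries from one integration in ~2.5 minutes.
    for i in range(130):
        lines.append(json.dumps({
            "timestamp": (base + timedelta(seconds=1.2 * i)).isoformat(),
            "connected_app": "battlecards-sync",           # hypothetical name
            "user": "svc-integration@example.invalid",     # constructed
            "method": "GET",
            "uri": "/services/data/vNN.N/query?q=SELECT+Id+FROM+Account"
                   f"+LIMIT+200+OFFSET+{200 * i}",
        }))
    # Baseline: a second integration making one call every ten minutes.
    for i in range(6):
        lines.append(json.dumps({
            "timestamp": (base + timedelta(minutes=10 * i)).isoformat(),
            "connected_app": "quote-tool",                 # hypothetical name
            "user": "svc-quotes@example.invalid",          # constructed
            "method": "GET",
            "uri": "/services/data/vNN.N/sobjects/Opportunity/OPP_ID_PLACEHOLDER",
        }))
    return lines


def parse_events(lines):
    """Parse JSON lines into dicts with an aware datetime, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_bursts(lines, window_seconds=300, threshold=100):
    """Compute the peak call count per connected app in any sliding window.

    Apps whose peak reaches `threshold` are returned under "flagged".
    The defaults are illustrative; tune them against each integration's
    normal baseline rather than a single global number.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # app -> timestamps still inside the window
    peak = defaultdict(int)       # app -> highest count seen in one window
    for ev in parse_events(lines):
        app = ev["connected_app"]
        q = recent[app]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the trailing window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peak[app] = max(peak[app], len(q))
    flagged = sorted(app for app, n in peak.items() if n >= threshold)
    return {"peak_counts": dict(peak), "flagged": flagged}


if __name__ == "__main__":
    report = detect_bursts(build_sample_log())
    for app, n in report["peak_counts"].items():
        print(f"{app}: peak {n} calls in a 5-minute window")
    print("connected apps to review:", report["flagged"])
```

Because the calls come from a legitimately authorized token, authentication logs look normal; the signal is the volume and pacing of requests attributed to one connected app, which is why the grouping key is the application rather than the user or source address. In production the same logic would run over the platform's own API event export, with a per-app baseline replacing the fixed threshold.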

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news