In a significant cybersecurity breach, cybercriminals have exploited a third-party SaaS integration to siphon off valuable CRM data from Salesforce platforms. The attackers targeted the Klue Battlecards integration, a tool used for competitive intelligence, which syncs critical business data with Salesforce. This breach enabled unauthorized access to CRM data including account records and contact details.

Salesforce responded by disabling the Klue integration and stated that the breach was not due to a flaw in their system, but rather due to compromised credentials in Klue's service accounts. Attackers used these credentials to generate OAuth tokens and employ automated scripts to extract data through Salesforce's REST API.

Although the specific threat actors behind the attack remain unidentified, the methodology resembles past incidents linked to groups like ShinyHunters and UNC6395. However, there are notable differences such as the use of generic user-agent strings and data-center hosting. Currently, no extortion attempts or data leaks have been reported.

This incident underscores the inherent risks in third-party SaaS integrations, which often possess extensive API access to sensitive information. These integrations, due to their trusted status, can bypass typical security alerts and remain undetected as they query data continuously.

To mitigate such risks, organizations are urged to reassess their third-party app grants and OAuth tokens. The ongoing threat landscape indicates a high likelihood of continued attacks on Salesforce-connected integrations through 2026, as these methods prove to be both effective and widely adopted.
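A reassessment of app grants can be paired with a per-integration baseline check on API activity, so that a trusted integration's token being used from an unfamiliar host, with a generic user agent, or for unusually large reads stands out. The sketch below is an added example, not code from the article, Salesforce, or Klue; the record fields, app labels, user-agent strings, address ranges, and thresholds are all constructed assumptions rather than any real log schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not Salesforce's log schema.
EVENTS = [
    {"app": "battlecards-sync", "ip": "198.51.100.10", "ua": "VendorSync/2.1", "rows": 200},
    {"app": "battlecards-sync", "ip": "198.51.100.11", "ua": "VendorSync/2.1", "rows": 180},
    {"app": "battlecards-sync", "ip": "203.0.113.77", "ua": "python-requests/2.31", "rows": 50000},
    {"app": "battlecards-sync", "ip": "203.0.113.77", "ua": "python-requests/2.31", "rows": 48000},
    {"app": "crm-export", "ip": "192.0.2.5", "ua": "ExportJob/1.0", "rows": 900},
]

# Baseline recorded when the app grant was approved (assumed values).
BASELINE = {
    "battlecards-sync": {"cidrs": ["198.51.100.0/24"], "ua_prefix": "VendorSync/", "max_rows": 5000},
    "crm-export": {"cidrs": ["192.0.2.0/24"], "ua_prefix": "ExportJob/", "max_rows": 5000},
}

def flag_integration_sessions(events, baseline):
    """Return {(app, ip): sorted reasons} for traffic that deviates from the baseline."""
    rows = defaultdict(int)      # cumulative rows read per (app, source IP)
    reasons = defaultdict(set)
    for e in events:
        key = (e["app"], e["ip"])
        base = baseline.get(e["app"])
        if base is None:
            reasons[key].add("no-baseline")  # app grant that was never reviewed
            continue
        rows[key] += e["rows"]
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in ipaddress.ip_network(c) for c in base["cidrs"]):
            reasons[key].add("unexpected-source-ip")
        if not e["ua"].startswith(base["ua_prefix"]):
            reasons[key].add("unexpected-user-agent")
        if rows[key] > base["max_rows"]:
            reasons[key].add("row-volume-exceeded")
    return {k: sorted(v) for k, v in reasons.items()}

if __name__ == "__main__":
    for (app, ip), why in flag_integration_sessions(EVENTS, BASELINE).items():
        print(app, ip, ", ".join(why))
```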