Klue Integration Abused in Salesforce Data Theft | Threat Spotlight

Published 18/06/2026 05:14

Essential information

Published
18/06/2026 05:14
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
api exfiltration crm data theft klue integration oauth abuse salesforce shinyhunters third-party integration unc6395
Related entities
2 indicators, 2 observables, 15 techniques (mitre)

Description

In June 2026, a compromised Klue competitive-intelligence platform integration was exploited to exfiltrate customer relationship management data from enterprise environments. Attackers authenticated through compromised Klue service accounts, generated OAuth tokens, and executed automated Python scripts to conduct bulk data extraction via REST API queries over approximately 24 hours. The activity included concentrated bursts of nearly a thousand queries within 15 minutes and sustained extraction windows exceeding 6 hours. This incident follows similar third-party OAuth-abuse campaigns targeting through Salesloft Drift and Gainsight integrations throughout 2025 and 2026. While the tactics resemble operations attributed to and UNC6395 threat groups, attribution remains uncertain. The initial access vector, full scope of exfiltration, and attacker intent are still under investigation, with no extortion demands observed to date.

External references