Klue Integration Abused in Salesforce Data Theft | Threat Spotlight
Essential information
- Published: 18/06/2026 05:14
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: api exfiltration crm data theft klue integration oauth abuse salesforce shinyhunters third-party integration unc6395
- Related entities: 2 indicators, 2 observables, 15 techniques (mitre)
Description
In June 2026, a compromised Klue competitive-intelligence platform integration was exploited to exfiltrate customer relationship management data from enterprise Salesforce environments. Attackers authenticated through compromised Klue service accounts, generated OAuth tokens, and executed automated Python scripts to conduct bulk data extraction via Salesforce REST API queries over approximately 24 hours. The activity included concentrated bursts of nearly a thousand queries within 15 minutes and sustained extraction windows exceeding 6 hours. This incident follows similar third-party OAuth-abuse campaigns targeting Salesforce through Salesloft Drift and Gainsight integrations throughout 2025 and 2026. While the tactics resemble operations attributed to ShinyHunters and UNC6395 threat groups, attribution remains uncertain. The initial access vector, full scope of exfiltration, and attacker intent are still under investigation, with no extortion demands observed to date.
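The two volume patterns described above (a burst of nearly a thousand queries inside 15 minutes, and extraction sustained for more than 6 hours) can be hunted for in per-client API query logs. The following is an added example, not code from the report: the `(timestamp, client_id)` event shape, the client names, the 900-query threshold and the 10-minute session gap are all assumptions to be mapped onto whatever API audit log is available.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 900               # assumption: "nearly a thousand" queries
SUSTAINED_MIN = timedelta(hours=6)
MAX_GAP = timedelta(minutes=10)     # assumption: longer silence ends a session

def find_bulk_extraction(events):
    """events: iterable of (timestamp, client_id), one per REST API query."""
    by_client = defaultdict(list)
    for ts, client in events:
        by_client[client].append(ts)
    findings = {}
    for client, stamps in by_client.items():
        stamps.sort()
        window, peak = deque(), 0
        session_start = prev = stamps[0]
        longest = timedelta(0)
        for ts in stamps:
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # slide the 15-minute window
                window.popleft()
            peak = max(peak, len(window))
            if ts - prev > MAX_GAP:                # silence: start a new session
                session_start = ts
            longest = max(longest, ts - session_start)
            prev = ts
        flags = [name for name, hit in (("burst", peak >= BURST_THRESHOLD),
                                        ("sustained", longest > SUSTAINED_MIN)) if hit]
        if flags:
            findings[client] = {"flags": flags, "peak_15m": peak,
                                "longest_session": longest}
    return findings

def constructed_events():
    """Constructed sample data, not taken from the incident."""
    t0 = datetime(2026, 1, 1, 0, 0)
    # 950 queries at 0.8 s spacing (about 12.7 minutes), then a 6.5 h steady pull.
    ev = [(t0 + timedelta(milliseconds=800 * i), "integration-svc") for i in range(950)]
    ev += [(t0 + timedelta(hours=1, minutes=5 * i), "integration-svc") for i in range(79)]
    # An interactive user querying every 20 minutes stays under both thresholds.
    ev += [(t0 + timedelta(minutes=20 * i), "sales-user") for i in range(24)]
    return ev

if __name__ == "__main__":
    for client, f in find_bulk_extraction(constructed_events()).items():
        print(client, f)
```

Baselining each integration's normal query volume before fixing the thresholds keeps legitimate sync jobs from tripping the burst rule.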