Salesforce Disables Klue Integration After OAuth Data Exposure Incident
Salesforce has disabled the integration with the third-party application Klue Battlecards following a security incident that may have led to the exposure of customer CRM data. This incident, detected by cybersecurity firm Reliaquest, bears resemblance to previous OAuth-abuse campaigns targeting Salesforce and other SaaS platforms.
Incident Overview
Klue, an AI platform for competitive intelligence, utilized an integration with Salesforce to streamline CRM usage and facilitate the adoption of sales battlecards. The breach involved attackers compromising the Klue integration service accounts, generating OAuth tokens, and subsequently using automated REST API queries to exfiltrate CRM data. Accessible data types included account records, contact details, deal outcomes, and pricing, contingent on the integration's defined scope.
Reliaquest observed activity resembling prior third-party OAuth-abuse campaigns, though the specific threat actor remains unidentified at this time. The extraction process involved a sustained period of elevated REST API query volume over approximately 24 hours.
Technical Details of the Attack Vector
Attackers leveraged OAuth tokens to authenticate into the Klue integration service accounts. Once authenticated, they could execute automated scripts to perform large-scale data extraction from Salesforce via the REST API. This bypasses typical security controls by operating through a trusted, pre-authorized connection.
Salesforce has explicitly stated that the issue is limited to Klue's application connection and does not stem from a vulnerability within the Salesforce platform itself. This reinforces the importance of adopting Zero Trust principles, where trust is never assumed, regardless of network location or application status.
Salesforce's Response
Salesforce took immediate action by disabling the connection between Klue Battlecards and Salesforce. This measure prevents further unauthorized access through this specific integration. The company is working directly with affected customers and Klue to investigate and mitigate the impact.
Recommended Security Posture
In light of this incident and similar past events, organizations are strongly advised to implement the following security measures:
- Revoke and Rotate Credentials: Immediately revoke and rotate all credentials and OAuth tokens, including refresh tokens, for any Salesforce-connected third-party integrations.
- Scope API Access: Restrict API access for all third-party applications to the absolute minimum necessary permissions (least privilege).
- Inventory and Monitor Integrations: Maintain a comprehensive inventory of all third-party applications with OAuth access to your Salesforce environment. Continuously monitor these integrations for unusual activity.
- Implement Zero Trust: Adopt a Zero Trust security model, assuming no implicit trust for any user, device, or application.
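A defender-side check for the "monitor integrations for unusual activity" recommendation above, added here as an example and not code from Salesforce, Klue or Reliaquest: it buckets constructed API log records per connected app by hour and flags any app whose call rate stays far above its own baseline for a sustained run of hours, the pattern Reliaquest described for the extraction. The record layout, thresholds and app names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample API log: (timestamp, connected_app). The layout is an
# assumption loosely modelled on per-request API event logs; both app names
# are hypothetical. "Sync App A" is steady; "Battlecard App B" ramps up
# sharply after hour 24 and stays high, mimicking a sustained bulk pull.
START = datetime(2025, 1, 1)

def _make_sample():
    rows = []
    for hour in range(48):
        ts = START + timedelta(hours=hour)
        for i in range(5):                        # steady 5 calls/hour
            rows.append((ts + timedelta(minutes=i), "Sync App A"))
        burst = 5 if hour < 24 else 300           # app B: 5/hour, then 300/hour
        for i in range(burst):
            rows.append((ts + timedelta(seconds=i * 10), "Battlecard App B"))
    return rows

SAMPLE_LOG = _make_sample()

def hourly_counts(records):
    """Return {app: Counter({hour_index: calls})}, hours relative to first record."""
    t0 = min(r[0] for r in records).replace(minute=0, second=0, microsecond=0)
    counts = defaultdict(Counter)
    for ts, app in records:
        counts[app][int((ts - t0).total_seconds() // 3600)] += 1
    return counts

def sustained_spikes(records, baseline_hours=24, multiplier=10, min_run=6):
    """Flag apps whose hourly call count exceeds multiplier x their own baseline
    (median of the first baseline_hours) for at least min_run consecutive hours.
    Returns {app: (first_spike_hour, run_length, baseline)}."""
    flagged = {}
    for app, per_hour in hourly_counts(records).items():
        series = [per_hour.get(h, 0) for h in range(max(per_hour) + 1)]
        baseline = max(median(series[:baseline_hours]), 1)   # avoid zero baseline
        threshold = baseline * multiplier
        best, run, start = (None, 0), 0, None
        for h, n in enumerate(series):
            if n > threshold:
                start = h if run == 0 else start
                run += 1
                best = (start, run) if run > best[1] else best
            else:
                run = 0
        if best[1] >= min_run:
            flagged[app] = (best[0], best[1], baseline)
    return flagged

if __name__ == "__main__":
    print(sustained_spikes(SAMPLE_LOG))
```

In a real deployment the per-app baseline would come from historical event logs and the alert would trigger as soon as the run reaches min_run hours, well before a 24-hour extraction completes.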
Reliaquest predicts that the OAuth-abuse playbook will continue to be effective and widely adopted by threat actors, suggesting repeat attacks are likely.
Key Takeaways
- Salesforce disabled the Klue Battlecards integration due to an OAuth security incident leading to potential CRM data exposure.
- The attack utilized compromised OAuth tokens and automated REST API queries, bypassing typical security layers.
- Salesforce asserts the issue lies in the third-party app's connection, not in the Salesforce platform itself.
- Recommended actions include revoking/rotating OAuth tokens, scoping API access, and maintaining strict oversight of third-party integrations.