SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Klue breach lets attackers steal Salesforce CRM data

Mon, 22nd Jun 2026
Sean Mitchell, Publisher

Attackers used a compromised Klue integration to steal Salesforce CRM data from enterprise environments, ReliaQuest said, in a pattern similar to earlier attacks on Salesforce-connected software.

The attacker authenticated to Klue integration service accounts, generated OAuth tokens and used automated scripts to extract large volumes of records through the Salesforce REST API. In some cases, the activity lasted about 24 hours, including one burst of nearly 1,000 queries in 15 minutes and another extraction window of more than six hours.

Klue is a competitive-intelligence platform that synchronises battlecard and win-loss data with Salesforce. The amount and type of CRM data exposed would depend on how each integration was configured and what access it had been granted.

Attack pattern

According to ReliaQuest, the attacker first enumerated an organisation's object catalogue, then repeatedly queried the Salesforce endpoint and paged through results. The scripts were identifiable by Python-urllib user-agent strings, indicating automated rather than routine integration traffic.

The behaviour resembles a broader wave of attacks on the Salesforce ecosystem through third-party integrations. Earlier incidents involving Salesloft Drift and Gainsight also relied on trusted software connections and OAuth access to reach customer data, rather than compromising employee accounts directly.

There is not yet enough evidence to attribute the Klue-related activity to a known threat group. Previous attacks affecting Salesforce and connected vendors have been linked publicly to ShinyHunters and UNC6395, but ReliaQuest said it could neither confirm nor rule out their involvement here.

Attribution questions

ReliaQuest compared the activity with two established attack tracks. In one, ShinyHunters used voice phishing to persuade staff to authorise a malicious connected app before extracting Salesforce data for extortion. In another, UNC6395 was linked to the theft of OAuth refresh tokens from the Salesloft Drift integration, which were then used to query Salesforce data across hundreds of organisations.

The latest activity follows the same broad method of abusing OAuth credentials from a trusted third-party service, but differs in some technical details. ReliaQuest noted that UNC6395 previously used user-agents including python-requests, Salesforce-CLI and Salesforce-Multi-Org-Fetcher, often through Tor, while the Klue-related activity used a generic Python-urllib user-agent and data-centre hosting.

No extortion demand or leak-site posting has been observed so far. The full scope of the theft, the initial access route and the attacker's intent remain under investigation.

Defensive steps

For companies using Klue or similar Salesforce-connected applications, ReliaQuest urged an immediate review of credentials and access controls. Organisations should revoke and rotate passwords, refresh tokens, client secrets and active OAuth grants tied to integration accounts, rather than relying on a password reset alone.

ReliaQuest also urged defenders to examine Salesforce API activity for unusual query volume, repeated pagination through large result sets, Python-urllib user-agent strings and access from unfamiliar IP addresses. Third-party integration accounts and connected apps should be restricted to approved infrastructure through IP allowlisting, with the same controls applied to SIEM and SOAR interfaces.
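To make the detection guidance above concrete, here is an added example (not code from the article, ReliaQuest or Salesforce) that scans constructed API log lines for the indicators ReliaQuest lists: a Python-urllib user-agent, pagination through a large result set, a burst of calls in a 15-minute window and access from an IP outside the integration's allowlist. The log layout, field names, allowlist and thresholds are assumptions for illustration; Salesforce's own event log schema differs.

```python
# Added example, not from the article or ReliaQuest. Log format is a constructed,
# simplified CSV (timestamp,user,client_ip,user_agent,uri); it is an assumption,
# not Salesforce's own EventLogFile schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one integration account driving the REST API from a
# Python-urllib script on an unapproved host, plus routine traffic.
SAMPLE_LOG = """\
2026-06-20T09:00:00Z,klue-integration,203.0.113.7,Python-urllib/3.11,/services/data/v59.0/sobjects
2026-06-20T09:00:05Z,klue-integration,203.0.113.7,Python-urllib/3.11,/services/data/v59.0/query?q=SELECT+Id+FROM+Account
2026-06-20T09:00:11Z,klue-integration,203.0.113.7,Python-urllib/3.11,/services/data/v59.0/query/01gXX-2000
2026-06-20T09:00:17Z,klue-integration,203.0.113.7,Python-urllib/3.11,/services/data/v59.0/query/01gXX-4000
2026-06-20T09:30:00Z,klue-integration,198.51.100.10,Klue-Sync/2.4,/services/data/v59.0/sobjects/Account/001A
2026-06-20T10:00:00Z,sales-rep,198.51.100.11,Mozilla/5.0,/lightning/r/Account/001A/view
"""
APPROVED_IPS = {"klue-integration": {"198.51.100.10"}}  # constructed allowlist
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3  # lowered for the sample; the article's burst was ~1,000 in 15 min

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, user, ip, ua, uri = line.split(",", 4)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "user": user, "ip": ip, "ua": ua, "uri": uri})
    return rows

def detect(rows, threshold=BURST_THRESHOLD):
    """Return a sorted list of (user, finding) tuples, one per distinct finding."""
    findings = set()
    by_user = defaultdict(list)
    for r in rows:
        if "python-urllib" in r["ua"].lower():
            findings.add((r["user"], "scripted user-agent: " + r["ua"]))
        if r["user"] in APPROVED_IPS and r["ip"] not in APPROVED_IPS[r["user"]]:
            findings.add((r["user"], "unapproved source ip: " + r["ip"]))
        if "/query/" in r["uri"]:  # queryMore locator: paging through a result set
            findings.add((r["user"], "pagination through large result set"))
        by_user[r["user"]].append(r["ts"])
    for user, times in by_user.items():  # sliding 15-minute window per user
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= threshold:
                findings.add((user, f"burst: >={threshold} API calls in 15 min"))
                break
    return sorted(findings)
```

In practice the same checks would run over the Salesforce event log export or the SIEM feed, with the allowlist and burst threshold tuned to each integration's normal volume.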

The warning highlights a broader issue across corporate software estates. Third-party software integrations often hold persistent access to sensitive systems as non-human identities, yet they may be monitored less closely than employee accounts or endpoint activity.

That creates a gap attackers can exploit if they obtain valid credentials or tokens. Because the access appears to come from a trusted service, high-volume API activity may blend in with normal application traffic unless organisations are specifically looking for anomalies in behaviour, source infrastructure or data-retrieval patterns.

One unresolved line of inquiry involves reports that the attacker queried a target environment's own detection tooling. ReliaQuest said it has not independently verified that activity, though it noted that the source IP address belongs to the same virtual private server provider used in the confirmed Salesforce data theft.

Several questions remain open, including which Salesforce objects were taken and how many records were affected. ReliaQuest has also not determined whether the Klue service account and OAuth tokens were stolen on the vendor side, exposed through the customer environment or obtained by some other means.

"Trusted third-party integrations are among the least-watched paths to an organization's most sensitive data," ReliaQuest said.