
Immediate action required. A threat actor compromised Klue's Salesforce integration and used it to conduct bulk CRM data exfiltration across multiple enterprise environments. The attacker used Klue's stolen OAuth tokens to authenticate as the Klue integration account and issue mass queries against Salesforce CRM records. Login activity was generated, but from infrastructure entirely inconsistent with Klue's legitimate footprint. The account name varies across customer environments. This is not a Salesforce vulnerability. It is a SaaS supply chain access violation: a legitimate integration, abused.
ReliaQuest discovered the activity and notified Klue. Klue has begun contacting affected customers but has not issued a public advisory. Four enterprise tenants have been confirmed impacted.
If your organization has Klue connected to Salesforce, you need to act now.
The attack exploited something that security teams rarely scrutinize: an OAuth token.
OAuth tokens are how SaaS integrations authenticate. When your team connects Klue to Salesforce, Salesforce issues Klue an OAuth token that says: this integration is trusted, here is what it can access, go ahead. That token persists. It works silently in the background. And until it's revoked, it grants access regardless of whether the person or system using it is actually Klue.
When the attacker gained access to Klue's OAuth tokens, they didn't need a password, an MFA code, or a phished employee. They had the token. From Salesforce's perspective, that token is Klue. So access was granted and CRM records were queried at scale. Login activity did occur, but it came from infrastructure with no connection to Klue's legitimate environment. That infrastructure anomaly is where the attack becomes visible.
This is the OAuth risk at the core of every SaaS integration in your environment. We've written about how OAuth tokens work and where they go wrong, and why they're increasingly the attack surface threat actors are targeting.
SaaS supply chain breaches are accelerating. Threat actors have shifted from targeting individual organizations to targeting the SaaS vendors those organizations trust, because compromising one vendor means access to hundreds of enterprise environments at once.
Klue is the latest example. It's a competitive intelligence platform with routine, trusted, scoped access to Salesforce CRM data across hundreds of enterprise customers. That's precisely what makes it a target. One compromised OAuth token. Hundreds of potential blast radiuses.
The data extracted (account records, contact information, opportunity details) doesn't just have value in isolation. It enables downstream attacks: targeted phishing against the contacts in that CRM, intelligence on deal cycles and competitive positioning, and access paths into adjacent systems.
The Okta support system breach in 2023. CircleCI. Salesloft-Drift into Gainsight. Now Klue into Salesforce. The pattern is consistent: find the integration with the most data access and the least scrutiny, and use it.
This is precisely the class of access violation Obsidian was built to surface.
Full SaaS integration inventory: see every OAuth app connected to Salesforce, the scopes it holds, and every user who authorized it. Klue's integration scope and what it could access are visible immediately, without waiting for a vendor advisory.
ISP deviation detection: the Klue integration account has a predictable infrastructure footprint. When activity starts routing through unexpected hosting providers, that deviation is the detection signal. Obsidian can query it across your environment.
Blast radius mapping: understand exactly which tenants had Klue connected to Salesforce during the attack window and what data the integration had access to.
OAuth token revocation: revoke the Klue OAuth token across all users and tenants from one place, without manual Salesforce admin work.
Persistence detection: check whether the attacker used the session to create new OAuth applications, add admin accounts, or plant webhooks before access was cut off.
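The ISP deviation check described above, as an added example (not Obsidian's or Salesforce's code): it baselines which hosting providers an integration account normally logs in from, then flags logins from any other infrastructure. The records are constructed; the integration account name, the connected-app name and the `asn_org` field (assumed to come from an IP-enrichment step, since Salesforce LoginHistory itself exposes only the source IP) are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str         # integration account; the name differs per tenant (assumed)
    ts: str           # ISO-8601 login time
    source_ip: str    # as reported by Salesforce LoginHistory
    asn_org: str      # ISP / ASN owner, assumed added by an enrichment step
    application: str  # connected app reported by Salesforce (assumed name)


# Constructed sample data: a trusted period, then the suspected attack window.
# IPs are from RFC 5737 test ranges, ASNs from the documentation range.
BASELINE_WINDOW = [
    LoginEvent("klue_integration", "2025-11-01T02:00Z", "192.0.2.10", "AS64496 VENDOR-CLOUD-EXAMPLE", "Klue"),
    LoginEvent("klue_integration", "2025-11-02T02:00Z", "192.0.2.11", "AS64496 VENDOR-CLOUD-EXAMPLE", "Klue"),
    LoginEvent("klue_integration", "2025-11-03T02:00Z", "192.0.2.10", "AS64496 VENDOR-CLOUD-EXAMPLE", "Klue"),
]
ATTACK_WINDOW = [
    LoginEvent("klue_integration", "2025-11-20T02:00Z", "192.0.2.10", "AS64496 VENDOR-CLOUD-EXAMPLE", "Klue"),
    LoginEvent("klue_integration", "2025-11-20T03:41Z", "203.0.113.7", "AS64500 UNRELATED-VPS-EXAMPLE", "Klue"),
    LoginEvent("klue_integration", "2025-11-20T03:42Z", "203.0.113.9", "AS64500 UNRELATED-VPS-EXAMPLE", "Klue"),
    LoginEvent("jsmith", "2025-11-20T09:00Z", "198.51.100.4", "AS64501 CORP-ISP-EXAMPLE", "Browser"),
]


def build_baseline(events, user, min_share=0.05):
    """ASN owners accounting for at least `min_share` of `user`'s logins in the trusted window."""
    counts = Counter(e.asn_org for e in events if e.user == user)
    total = sum(counts.values())
    return {org for org, n in counts.items() if total and n / total >= min_share}


def find_deviations(events, user, baseline):
    """Logins by the integration account from infrastructure outside its baseline."""
    return [e for e in events if e.user == user and e.asn_org not in baseline]


def summarize(deviations):
    """Group deviating logins by ASN owner with login count and distinct source IPs, for triage."""
    out = {}
    for e in deviations:
        entry = out.setdefault(e.asn_org, {"logins": 0, "ips": set()})
        entry["logins"] += 1
        entry["ips"].add(e.source_ip)
    return out


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW, "klue_integration")
    for org, s in summarize(find_deviations(ATTACK_WINDOW, "klue_integration", base)).items():
        print(f"ALERT {org}: {s['logins']} logins from {sorted(s['ips'])} -> revoke token, check persistence")
```

The same functions work over a real export once each row is enriched with its ASN owner; other users are left alone so a normal employee login never trips the integration-account rule.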
That's the difference between a generic vendor advisory telling you to check your logs and having continuous access governance that tells you exactly what your integrations were doing, and from where.
Klue had legitimate access to your Salesforce CRM. So did the attacker, the moment that OAuth token was compromised.
This is the SaaS supply chain access problem in its clearest form: the attack doesn't breach your perimeter, your identity provider, or your network. It walks in through a trusted integration that your security team approved, scoped, and largely forgot about.
Would you know where risky access paths exist in your SaaS environment before a vendor advisory tells you to look?
Start in minutes and secure your critical SaaS applications with continuous monitoring and data-driven insights.