Salesforce OAuth Breach: Klue App Integration Takedown & Token Abuse
Has anyone else dug into the Salesforce alert about the Klue Battlecards integration? Salesforce forced a disable on June 11 due to confirmed OAuth token abuse. It’s a harsh reminder of the blast radius when SaaS apps have long-lived access tokens.
The core issue seems to be that the Klue integration was used as a pivot to exfiltrate customer data. If you have this installed, your connection is dead until further notice. More importantly, we need to verify if data was accessed before the kill switch.
I recommend auditing your connected apps immediately. You can use SOQL to identify what’s installed, but checking the OAuthToken usage logs is where the real forensics are.
Here’s a quick SOQL query to check installed connected apps in your org:
soql
SELECT Name, CreatedDate, LastModifiedDate, IsActive
FROM ConnectedApplication WHERE Name LIKE '%Klue%'
And if you want to pull down the raw event logs for forensic analysis (using the Salesforce REST API via Python), keep an eye on event type UserLogin or specific API usage anomalies:
import requests
# Pseudocode for checking event logs
sf_url = "https://yourinstance.my.salesforce.com/services/data/v61.0/query"
query = "SELECT EventDate, Username, Application FROM EventLogFile WHERE Application = 'Klue'"
# ... execution details ...
Are you guys revoking all third-party tokens now, or just the ones explicitly mentioned in the advisory?
We’re treating this as a potential supply chain breach. If the token abuse originated from the vendor's side, they might have had their OAuth client secret compromised. We revoked all sessions for the specific connected app user immediately. In our SIEM, we started hunting for LoginAsUser events associated with the Klue integration ID. Anyone else seeing IoCs related to this, or is Salesforce keeping the specific indicators close to the chest?
This highlights why we restrict scopes so aggressively. If that app had full access instead of just read on specific custom objects, the impact is massive. I’m running a PowerShell script against our Salesforce metadata to check for connected apps that haven't been used in 90 days. If you haven't used it, lose it.
# Simple check for stale apps logic
Get-SalesforceConnectedApp | Where-Object { $_.LastUsedDate -lt (Get-Date).AddDays(-90) } | Remove-SalesforceConnectedApp
To establish a timeline of the abuse, don't just look at current sessions. You should query historical event logs for the specific Client ID associated with Klue to spot bulk export activity prior to June 11. Using the CLI is the fastest way to audit this without downloading log files:
sfdx force:data:soql:query -q "SELECT Application, EventDate, Status FROM ApiEvent WHERE Application LIKE '%Klue%' AND EventDate = LAST_N_DAYS:30"
This helps verify if data was actually exfiltrated before the kill switch.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access