Responding to the Klue Incident:
Practical Steps to Audit and Harden Your Integrations

Overview

A supply chain attack against competitive intelligence platform Klue led to unauthorized access to Salesforce data belonging to a number of Klue customers. On June 11-12, 2026, a threat actor used a compromised legacy credential to access Klue’s integration infrastructure and harvest OAuth tokens that customers had authorized for connected platforms, including Salesforce.

Those tokens were then used to query and exfiltrate CRM data via the Salesforce REST API. The activity was limited to connected third-party platforms; there is no evidence that content stored within the Klue platform itself was affected.

eSentire uses Klue and was among the organizations whose Salesforce data was accessed. Our exposure was minimal. The Klue integration was tightly scoped and locked down, with restricted OAuth permissions and a limited connected-app footprint, which materially constrained what data was reachable.

Our Threat Response Unit (TRU) and Cyber Security Investigation teams continue to monitor this incident, and we are providing the recommendations below to customers and partners who also use Klue.

Even where Klue is not part of your managed log support with eSentire, our 24/7 SOC Analysts and Incident Response teams are available to assist. We will keep you informed of any further developments.

Klue Breach Remediation Recommendations 

If you use Klue, eSentire recommends the following to support scoping and remediation. We can help you work with Salesforce support to identify the specific queries executed during the compromise, so you can assess the data accessed and any associated risk or privacy concerns.

• Revoke all Klue OAuth tokens across every connected platform, not Salesforce alone (the incident also affected HubSpot, Microsoft SharePoint, Zoom, Google Drive, Gong, and others).
• Audit setup and change logs to confirm no unauthorized changes were made.
• Review and restrict Connected App permissions, removing any overly broad OAuth scopes.
• Review Salesforce for unencrypted secrets or tokens; revoke and rotate any that exist.
• Rotate any AWS access keys, Snowflake credentials, or third-party API keys that were stored in Salesforce.
• Audit and document all third-party apps connected to Salesforce, not just Klue, and enable IP restrictions on Connected Apps.
• Reset passwords for all Salesforce admin and integration users, using long, complex passphrases, and enable MFA for all admin accounts (ideally all users).
• Remove “API Enabled” from standard profiles, granting it only to authorized users via specific permissions, and configure session timeouts to limit any compromise window.

Best Practices for Hardening Integrations After Token Revocation 

After revoking OAuth tokens, the following practices help protect systems and data from unauthorized access as integrations are restored.

1. Pre-Reconnection Security Assessment

Complete Security Audit

• Verify all malicious tokens are fully revoked and confirm threat actor eviction from all systems.
• Review all connected app configurations for security gaps and audit user permissions and access levels.

Strengthen Base Security Controls

• Enforce MFA for all users and implement IP restrictions and login ranges where possible.
• Review and tighten password policies and enable session security policies with appropriate timeouts.

2. OAuth Integration Hardening

Connected App Configuration

• Set the “Permitted Users” policy to “Admin-approved users are pre-authorized.”
• Create dedicated integration users with minimal required permissions and use one connected app per integration for better auditability.
• Enable only the OAuth scopes required, following the principle of least privilege.

Token Management

• Store tokens in secure platform-appropriate systems (Keychain, Credential Locker, etc.).
• Implement automatic token rotation, set shorter expiration times where feasible, and monitor token usage for anomalies.

3. Secure Reconnection

• Reconnect integrations in order of business criticality and test each in a sandbox first.
• Use a staged rollout (pilot users to full deployment) and monitor each integration for 24-48 hours before proceeding.
• Leverage introspection and revocation endpoints to validate tokens in real time and enable detailed audit logging and alerting for all OAuth activity.

Additional Security Measures 

Network and Access Controls

• Restrict API access to vendor servers using IP allowlists and ensure all integrations use HTTPS.
• Implement certificate pinning where possible and use private connectivity for sensitive integrations.

Vendor Security Validation

• Verify each vendor’s security certifications and review their OAuth implementation, token storage, and rotation practices.
• Request security attestations or audit reports.

Ongoing Security Maintenance

• Proactively remove unused connected apps rather than waiting for automatic deletion, and revoke tokens as soon as they are no longer needed.
• Conduct quarterly reviews of all active integrations and audit user permissions and access patterns.

Incident Response Engagement 

If you have determined, or believe, you are at risk of a breach, contact our 24/7 SOC at 1-866-579-2200.

If additional Incident Response support is needed, collect the following log sources for an efficient engagement. eSentire’s IR team uses this data to determine the scope of compromise, identify affected systems and accounts, and support legal and regulatory compliance.

• API Event Logs, Login Event Logs, and Login History
• Report Export events and SOQL Query Logs
• Setup Audit Trail and Connected App Audit Trail
• Identity Provider Logs and Network Logs (if available)
• Third-party integration logs (specifically Klue authentication activity)

Upon engagement, this data is used to determine the full scope of data compromise, identify all affected systems and accounts, document the attack timeline, recover evidence of exfiltration, identify exposed credentials, assess ongoing threat presence, and support compliance requirements.