According to investigations, the compromise began when attackers gained access to Klue backend systems and deployed code capable of harvesting OAuth tokens used by customers to integrate Klue with third-party platforms such as Salesforce, Gong, SharePoint, HubSpot, Slack, and others. Huntress reports that the initial intrusion leveraged a long-unused but still-active credential originally created for a discontinued integration project. After gaining access to Klue's environment, the attackers extracted customer OAuth credentials and used them to authenticate directly to customer environments.
The attackers primarily targeted Salesforce environments, using the stolen OAuth credentials to obtain Salesforce access tokens and then conducting large-scale automated data collection through the Salesforce REST API. Observed activity included heavy use of the /services/data/v59.0/query and /services/data/v59.0/sobjects endpoints, repeated pagination requests to walk large result sets, and automated querying with Python-based tooling. In some environments nearly 1,000 API queries were executed within a 15-minute period; in others the exfiltration continued for several hours. Stolen data reportedly included CRM records, customer contact information, pricing information, sales communications, and related business intelligence. No evidence currently suggests compromise of customer account credentials beyond the OAuth tokens themselves, nor of payment data, security telemetry, or product infrastructure.
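The activity pattern described above is detectable from Salesforce API telemetry: a single user and source IP issuing hundreds of /query and /sobjects requests inside a short window, walking nextRecordsUrl pagination locators, and identifying itself with a scripted client. The following is an added example written for this article, not code from Huntress, Klue or Salesforce. It builds constructed sample events (not real telemetry) whose field names mirror a subset of the columns in Salesforce EventLogFile RestApi exports (TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, USER_AGENT, URI); that column mapping, the 15-minute window and the 100-request threshold are assumptions to adjust against your own export and baseline.

```python
"""Profile Salesforce REST API traffic for the bulk-collection pattern
reported in the Klue incident: bursts of /query and /sobjects calls,
nextRecordsUrl pagination, and a scripted (Python) client.

Added example; sample events below are constructed, not real telemetry."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Endpoint families named in the report; the API version is kept generic
# because a collector is free to pick any version the org still serves.
DATA_ACCESS_URI = re.compile(
    r"^/services/data/v\d+\.\d+/(?:query|queryAll|sobjects)(?:[/?]|$)")
# nextRecordsUrl continuation requests look like /query/<queryLocator>-<offset>
PAGINATION_URI = re.compile(
    r"^/services/data/v\d+\.\d+/query(?:All)?/[A-Za-z0-9]+-\d+$")
SCRIPTED_UA = re.compile(
    r"python-requests|python-urllib|simple_salesforce|aiohttp", re.I)
SOBJECT_IN_PATH = re.compile(r"/sobjects/([A-Za-z0-9_]+)")
SOBJECT_IN_SOQL = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.I)


def build_sample_events():
    """Constructed events: one automated collector (160 requests in ~8 min,
    interleaving SOQL queries, pagination and sobject describes) and one
    interactive user making six requests over an hour. Field names are an
    assumption modelled on EventLogFile RestApi columns."""
    t0 = datetime(2026, 1, 12, 3, 0, 0)
    events = []
    for i in range(160):
        if i % 4 == 3:
            uri = f"/services/data/v59.0/query/01gAAAAAAAAAAAA-{2000 * (i // 4 + 1)}"
        elif i % 4 == 2:
            uri = "/services/data/v59.0/sobjects/Opportunity/describe"
        else:
            uri = "/services/data/v59.0/query?q=SELECT+Id,Name,Email+FROM+Contact"
        events.append({"TIMESTAMP_DERIVED": t0 + timedelta(seconds=3 * i),
                       "USER_ID": "005xx000001A1B2", "CLIENT_IP": "203.0.113.44",
                       "USER_AGENT": "python-requests/2.31.0", "URI": uri})
    for i in range(6):
        events.append({"TIMESTAMP_DERIVED": t0 + timedelta(minutes=10 * i),
                       "USER_ID": "005xx000009Z9Y8", "CLIENT_IP": "198.51.100.7",
                       "USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                       "URI": "/services/data/v59.0/sobjects/Account/001xx000003DHP0"})
    return events


def entity_of(uri):
    """Best-effort extraction of the sObject touched by a request."""
    m = SOBJECT_IN_PATH.search(uri)
    if m:
        return m.group(1)
    m = SOBJECT_IN_SOQL.search(unquote_plus(uri))
    return m.group(1) if m else None


def profile_api_activity(events, window=timedelta(minutes=15), burst_threshold=100):
    """Per (USER_ID, CLIENT_IP): request count, largest count inside any
    sliding `window`, pagination count, scripted-client flag, entities."""
    by_actor = defaultdict(lambda: {"requests": 0, "peak_window": 0, "paginated": 0,
                                    "scripted_client": False, "entities": set()})
    recent = defaultdict(deque)  # timestamps inside the current window, per actor
    for ev in sorted(events, key=lambda e: e["TIMESTAMP_DERIVED"]):
        uri = ev["URI"]
        if not DATA_ACCESS_URI.match(uri):
            continue
        key = (ev["USER_ID"], ev["CLIENT_IP"])
        stats = by_actor[key]
        stats["requests"] += 1
        stats["paginated"] += bool(PAGINATION_URI.match(uri))
        stats["scripted_client"] |= bool(SCRIPTED_UA.search(ev.get("USER_AGENT", "")))
        ent = entity_of(uri)
        if ent:
            stats["entities"].add(ent)
        q = recent[key]
        q.append(ev["TIMESTAMP_DERIVED"])
        while ev["TIMESTAMP_DERIVED"] - q[0] > window:  # drop events older than window
            q.popleft()
        stats["peak_window"] = max(stats["peak_window"], len(q))
    for stats in by_actor.values():
        stats["burst"] = stats["peak_window"] >= burst_threshold
    return dict(by_actor)


def flagged_actors(report, min_pages=10):
    """Actors that burst, or that paginate deeply from a scripted client."""
    return sorted(k for k, s in report.items()
                  if s["burst"] or (s["scripted_client"] and s["paginated"] >= min_pages))


if __name__ == "__main__":
    report = profile_api_activity(build_sample_events())
    for actor in flagged_actors(report):
        s = report[actor]
        print(actor, s["requests"], "requests,", s["paginated"], "pages,",
              "scripted" if s["scripted_client"] else "interactive", sorted(s["entities"]))
```

The key is (user, source IP) rather than connected app because the stolen grants authenticate as the integration user; a legitimate Klue sync and the collector can share that user, so the burst rate, pagination depth and client string are what separate them. Tune the threshold against the integration's normal daily volume before alerting on it, and treat the version string in the URI as incidental rather than as an indicator.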