
Klue OAuth Supply Chain Breach: How Stolen SaaS Credentials Hit 700+ Organisations

In June 2026, a credential theft campaign targeting Klue, a market intelligence SaaS platform, exposed OAuth tokens held on behalf of hundreds of enterprise customers. The attack gave a single threat actor persistent, authenticated access to customer Salesforce environments — including LastPass, Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity — without ever breaking authentication. This is the Klue supply chain breach, one of the most significant OAuth supply chain incidents of 2026.

What Happened

On 12 June 2026, Klue was made aware of an incident in which an unauthorised actor had obtained OAuth tokens the platform held on behalf of its customers. Klue operates as a competitive intelligence tool, integrating with Salesforce and Gong to surface deal intelligence and market data. As part of that integration, Klue stores OAuth tokens that grant it delegated access to customer CRM environments.

The attacker used the stolen tokens to pull customer data from connected Salesforce environments. Because the tokens were valid, delegated credentials, the requests looked like ordinary Klue integration traffic to the customer's instance; nothing had to be brute-forced, phished, or bypassed. Klue confirmed that many of its enterprise customers were affected.

The breach timeline is as follows:

  • 12 June 2026: Klue identifies the incident and notifies affected customers, including LastPass
  • 12 June 2026: LastPass launches its own investigation and confirms its Salesforce environment was accessed
  • 12-19 June 2026: Multiple confirmed victims publish breach notifications, including Huntress, Recorded Future, and others
  • 19 June 2026: Salesforce disables the Klue Battlecards integration platform-wide during the investigation
  • June 2026: CrowdStrike engaged for incident response across multiple affected organisations

The data accessed across victim organisations was limited to CRM content: customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related records. No vault data, passwords, or financial credentials were confirmed compromised in any of the disclosed incidents.

How It Happened

The exposed asset was a store of legacy credentials that had never been audited or rotated. Klue held long-lived OAuth refresh tokens for hundreds of its customers as part of its standard integration architecture. How the attacker reached that store was not fully disclosed at the time of publication. Once they held the refresh tokens, however, they inherited the delegated access those tokens represented: a refresh token can be exchanged for a fresh access token against each customer's Salesforce instance for as long as it remains valid, so the attacker's access persisted until the grants were revoked.

The attack exploited three structural failures that are endemic to modern SaaS integration architectures:

  • Stale OAuth token storage: Klue held OAuth refresh tokens that persisted well beyond the conditions under which they were originally approved. Tokens that should have been scoped and short-lived were instead long-lived and broad.
  • No rotation or expiry governance: Neither Klue nor its customers had a systematic process for auditing, rotating, or expiring the OAuth grants held by third-party integrations. The tokens remained valid and reusable indefinitely.
  • Blast radius through integration trust: A single compromised credential at the integration layer gave the attacker authenticated access to multiple downstream customer environments simultaneously. One breach, hundreds of victims.

Impact

The confirmed victim list reads like a who’s who of enterprise security and technology companies: LastPass, Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity all confirmed their Salesforce data was accessed.

For LastPass specifically, the company confirmed that standard business contact information and CRM data were accessed, including customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related data. Crucially, LastPass confirmed that no products, services, or customer vaults were impacted, and that there was no evidence the attacker accessed any Gong-related data. Remediation steps included discontinuing all employee access to Klue, rotating the exposed API access tokens, and notifying law enforcement.

For the broader ecosystem, Salesforce's decision to disable the Klue Battlecards integration platform-wide signals the severity of the incident. Published indicators of compromise included four IP addresses and three email sender domains, which affected organisations can match against their own Salesforce API access logs and mail gateway logs.

What This Means for NHI Governance

The Klue breach is a textbook demonstration of what the NHI governance community calls the SaaS integration trust problem.

OAuth tokens held by third-party SaaS platforms are non-human identities. They carry delegated authority to act on behalf of the organisations that granted them. They authenticate automatically, without human involvement, on every API call. And in most organisations, they are completely invisible to the IAM programme.

The Klue incident follows the same structural pattern as the Salesloft/Drift OAuth breach, the Sisense supply chain compromise, and the Snowflake credential theft campaign. In every case, the entry point was a non-human credential — a token, a key, an OAuth grant — that was:

  • Held by a third party rather than the victim organisation
  • Long-lived and never rotated
  • Carrying broader permissions than the integration actually required
  • Outside the visibility of the security team that would normally manage credentials

The Klue Battlecards integration is not unusual. Most organisations have dozens or hundreds of similar integrations, each holding OAuth tokens with standing access to production CRM, file storage, HR, and financial systems. Each of those tokens represents a non-human identity with a blast radius. Most are ungoverned.
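The inventory that the preceding paragraph says most organisations lack is mechanical to build once the grants are exported. The script below is an added example, not code from the article, Klue, Salesforce or any vendor: it reads a constructed CSV export of refresh-token grants held by third-party connected apps and applies a simple governance policy covering the three structural failures above (stale grants, tokens never re-authorised, scopes broader than the integration class needs) and reports the blast radius per app as the number of users whose data the app's token can reach. The column names loosely follow Salesforce's OauthToken object (AppName, LastUsedDate, UseCount, UserId), which can be pulled with a SOQL query; the `app_class` and `scopes` columns, the thresholds, the scope baselines and all app names and IDs are assumptions made up for the example.

```python
"""Audit third-party OAuth grants against a stale/over-age/over-scoped policy.

Added example. Sample data is constructed and the field names, thresholds and
scope baselines are assumptions, not taken from any real export or vendor.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fixed clock so the audit is reproducible offline.
NOW = datetime(2026, 6, 20, tzinfo=timezone.utc)

# Policy thresholds (assumed values; tune to your own risk appetite).
MAX_IDLE_DAYS = 90        # a grant nobody has used for longer than this is stale
MAX_TOKEN_AGE_DAYS = 365  # a refresh token older than this should have been re-authorised

# Scopes each class of integration legitimately needs (assumed baseline).
# "full" is never acceptable for a third party: it is the whole org's API surface.
EXPECTED_SCOPES = {
    "competitive_intel": {"api", "refresh_token"},
    "call_recording": {"api", "refresh_token", "openid"},
}

# Constructed export: one row per (connected app, granting user) refresh token.
SAMPLE_EXPORT = """app_name,app_class,user_id,created,last_used,use_count,scopes
CompIntel Battlecards,competitive_intel,005A0001,2023-02-14T09:12:00Z,2024-11-03T17:40:00Z,412,full refresh_token
CompIntel Battlecards,competitive_intel,005A0002,2025-01-09T08:00:00Z,2026-06-18T07:55:00Z,9031,api refresh_token
CompIntel Battlecards,competitive_intel,005A0003,2023-07-01T10:00:00Z,2023-08-15T10:00:00Z,3,api refresh_token
CallRecorder Sync,call_recording,005A0002,2026-03-02T12:00:00Z,2026-06-19T22:10:00Z,1800,api refresh_token openid
"""


@dataclass
class Grant:
    app_name: str
    app_class: str
    user_id: str
    created: datetime
    last_used: datetime
    use_count: int
    scopes: set


@dataclass
class AppAudit:
    users: set = field(default_factory=set)          # blast radius: users whose data the app can reach
    stale: set = field(default_factory=set)          # user_ids whose grant is idle past policy
    over_age: set = field(default_factory=set)       # user_ids whose refresh token is older than policy
    excess_scopes: set = field(default_factory=set)  # scopes beyond what the app class needs

    def action(self) -> str:
        """Most severe finding decides the action; over-scope always wins."""
        if self.excess_scopes:
            return "revoke_and_rescope"
        if self.stale or self.over_age:
            return "revoke_and_reauthorise"
        return "ok"


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_export(text: str) -> list[Grant]:
    return [
        Grant(r["app_name"], r["app_class"], r["user_id"], parse_ts(r["created"]),
              parse_ts(r["last_used"]), int(r["use_count"]), set(r["scopes"].split()))
        for r in csv.DictReader(io.StringIO(text))
    ]


def audit(grants: list[Grant], now: datetime = NOW) -> dict[str, AppAudit]:
    """Group grants by connected app and evaluate each against the policy."""
    result: dict[str, AppAudit] = {}
    for g in grants:
        a = result.setdefault(g.app_name, AppAudit())
        a.users.add(g.user_id)
        if (now - g.last_used).days > MAX_IDLE_DAYS:
            a.stale.add(g.user_id)
        if (now - g.created).days > MAX_TOKEN_AGE_DAYS:
            a.over_age.add(g.user_id)
        a.excess_scopes |= g.scopes - EXPECTED_SCOPES.get(g.app_class, set())
    return result


if __name__ == "__main__":
    for app, a in audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{app}: {len(a.users)} users, stale={sorted(a.stale)}, "
              f"over_age={sorted(a.over_age)}, excess_scopes={sorted(a.excess_scopes)} -> {a.action()}")
```

Run as-is it prints one line per connected app. In the constructed data the competitive-intelligence app ends up with a revoke-and-rescope action because one user granted it `full`, and two of its three grants have not been used in years but are still valid; the action matters more than the individual findings, because a refresh token that is revoked stops working for an attacker as well as for the vendor.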

Recommendations

  • Audit all OAuth grants to third-party SaaS platforms. Most organisations have no inventory of which third-party applications hold OAuth tokens, what scopes those tokens carry, and when they were last reviewed. Build that inventory. It is the minimum viable governance posture.
  • Implement OAuth token rotation and expiry policies. OAuth refresh tokens should not persist indefinitely. Work with integration vendors to enforce token expiry and require periodic re-authorisation.
  • Apply least-privilege scoping to all integration credentials. A competitive intelligence tool does not need write access to your CRM. Every OAuth grant should be scoped to the minimum required for the integration to function. Note that on Salesforce the OAuth scope alone will not get you there: the `api` scope grants full REST API access bounded only by the granting user's permissions, so least privilege also means authorising the integration as a dedicated integration user whose profile and permission sets are read-only and limited to the objects the vendor actually needs.
  • Treat third-party SaaS integrations as privileged NHIs. The Klue breach should be the end of treating SaaS integrations as low-risk configuration decisions. Every integration that holds a credential is a non-human identity with an attack surface.
  • Monitor for anomalous OAuth token usage. Salesforce and most enterprise SaaS platforms provide API access logs. Unusual access patterns from integration credentials — unexpected source IPs, access outside business hours, bulk data exports — should trigger alerts.
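The last recommendation names three signals worth alerting on: unexpected source IPs, activity outside the integration's normal window, and bulk exports. The script below is an added example, not code from the article or from any vendor, that runs those checks over constructed Salesforce-style API log lines for one connected app. The column names (TIMESTAMP_DERIVED, USER_ID, CONNECTED_APP_ID, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED) are modelled loosely on the fields Salesforce's event log files expose for API calls; the baseline (vendor egress ranges, sync window, allowed objects, row threshold), the app ID and every log line are assumptions made up for the example. A real baseline would come from the vendor's published egress ranges and a few weeks of the integration's own history.

```python
"""Flag anomalous use of one integration's OAuth credential in API access logs.

Added example. The log lines and the baseline are constructed; field names only
loosely follow Salesforce event log files and are not a real schema.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# What "normal" looks like for this one integration (assumed, constructed).
BASELINE = {
    "connected_app_id": "0H4A00000001",
    "egress_cidrs": ["203.0.113.0/24"],             # vendor-published egress ranges (TEST-NET-3 here)
    "allowed_entities": {"Account", "Opportunity"},  # objects the integration legitimately reads
    "active_hours_utc": range(1, 6),                 # scheduled sync window 01:00-05:59 UTC
    "max_rows_per_hour": 5000,                       # per object, per clock hour
}

# Constructed log: two normal sync calls, then three calls from an unknown IP
# in the afternoon reading objects the integration never touches.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,CONNECTED_APP_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
2026-06-11T02:05:11Z,005A0002,0H4A00000001,203.0.113.17,Account,1200
2026-06-11T02:06:40Z,005A0002,0H4A00000001,203.0.113.17,Opportunity,800
2026-06-11T14:22:03Z,005A0002,0H4A00000001,198.51.100.23,Contact,4900
2026-06-11T14:31:48Z,005A0002,0H4A00000001,198.51.100.23,Case,7100
2026-06-11T14:40:02Z,005A0002,0H4A00000001,198.51.100.23,Contact,3000
"""


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def detect(log_text: str, baseline: dict = BASELINE) -> list[Alert]:
    """Evaluate each API call from the baselined connected app against four rules."""
    nets = [ipaddress.ip_network(c) for c in baseline["egress_cidrs"]]
    rows_by_bucket: dict[tuple, int] = defaultdict(int)  # (clock hour, entity) -> rows so far
    alerted_buckets: set[tuple] = set()                    # one bulk alert per bucket
    alerts: list[Alert] = []

    for row in csv.DictReader(io.StringIO(log_text)):
        if row["CONNECTED_APP_ID"] != baseline["connected_app_id"]:
            continue  # this baseline describes one integration; others get their own
        ts_text = row["TIMESTAMP_DERIVED"]
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        entity = row["ENTITY_NAME"]
        rows = int(row["ROWS_PROCESSED"])

        # Rule 1: the token was used from somewhere the vendor does not egress from.
        if not any(ip in n for n in nets):
            alerts.append(Alert(ts_text, "unknown_source_ip", f"{ip} not in vendor egress ranges"))
        # Rule 2: activity outside the integration's scheduled window.
        if ts.hour not in baseline["active_hours_utc"]:
            alerts.append(Alert(ts_text, "off_hours", f"call at {ts.hour:02d}:00 UTC"))
        # Rule 3: an object the integration has never needed.
        if entity not in baseline["allowed_entities"]:
            alerts.append(Alert(ts_text, "unexpected_entity", f"read of {entity}"))
        # Rule 4: volume per object per clock hour crossing the bulk threshold.
        bucket = (ts.strftime("%Y-%m-%dT%H"), entity)
        rows_by_bucket[bucket] += rows
        if rows_by_bucket[bucket] > baseline["max_rows_per_hour"] and bucket not in alerted_buckets:
            alerted_buckets.add(bucket)
            alerts.append(Alert(ts_text, "bulk_export",
                                f"{rows_by_bucket[bucket]} {entity} rows in hour {bucket[0]}"))
    return alerts


def summarise(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.rule}: {a.detail}")
    print(summarise(found))
```

The two scheduled sync calls produce nothing; every afternoon call from the unknown address fires at least three rules, and the volume rule fires once per object once the hourly total passes the threshold. Stacking several independent rules on the same call is deliberate: a stolen refresh token presents a valid identity, so no single field in the log says "attacker", and the detection has to come from the credential behaving unlike the integration that was granted it.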

How NHI Mgmt Group Can Help

Securing Non-Human Identities (NHIs), including AI agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting its digital assets.

Take our NHI Foundation Level Training Course, the most comprehensive in the industry, that will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.


Final Thoughts

The Klue supply chain breach is another entry in a pattern that is accelerating: attackers are targeting the integration layer, not the perimeter. The enterprise software ecosystem is built on OAuth delegation. Thousands of SaaS platforms hold tokens that grant them standing access to other platforms. That architecture creates a web of non-human credentials, most of which are invisible to the security programmes responsible for protecting the organisations they connect.

The breach should never have been possible. The tokens should have been scoped, rotated, and monitored. They were not. That gap is the lesson.