What Happened

On June 11, 2026, the Klue competitive intelligence platform was compromised in a SaaS supply chain attack attributed to a cybercrime group identified as Icarus. The attackers harvested the OAuth tokens that Klue’s Battlecards app uses to connect to customer Salesforce environments, then ran automated scripts against the Salesforce REST API to bulk-extract CRM data. Because those tokens were already authorized, the scripts never went through an interactive login, so MFA and other login-time controls were never invoked. The stolen data is now being used in an active extortion campaign. Salesforce has since suspended Klue’s integration across its ecosystem.

Why It Matters for Higher Education

Salesforce is widely used across higher education for admissions, advancement, alumni relations, and student success. A breach of any connected third-party application can expose prospective and current student data (FERPA-protected), donor records and gift histories, constituent contact information, and financial aid context. The technique sidesteps the user-focused controls institutions have invested in: OAuth tokens are non-human identities, so no MFA challenge occurs, and bulk API exports look like normal integration traffic. This is the third major Salesforce integration breach in the past year, following Salesloft Drift and Gainsight.

Recommended Actions

Immediate (48 hours)

  • If your institution uses Klue: treat every Salesforce org it connected to as potentially compromised
  • Revoke and rotate all OAuth tokens, refresh tokens, and service account credentials tied to Klue
  • Terminate active integration sessions and non-human identity logins in affected Salesforce orgs
  • Review Salesforce REST API and Event Monitoring logs from June 11, 2026 forward for bulk export activity: large row counts, many objects read in a short window, and source IPs not previously seen for the Klue integration user
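The log review in the last step is the one that needs tooling, so here is an added example of what that hunt looks like in code. It is not Ferrilli's or Salesforce's code. The column names follow the Salesforce EventLogFile "API" event type as the author recalls it (TIMESTAMP_DERIVED, USER_NAME, CLIENT_NAME, CLIENT_IP, METHOD_NAME, ENTITY_NAME, ROWS_PROCESSED); confirm them against the header of your own export before relying on the script. The log rows, user names, app name and IP addresses are constructed for illustration, and the thresholds are starting points, not Salesforce guidance.

```python
"""Hunt for bulk-extraction patterns in Salesforce Event Monitoring log lines.

Added example for this advisory; not Ferrilli's or Salesforce's code. Column
names follow the EventLogFile "API" event type as the author recalls it; verify
them against your own export. Sample rows and IPs below are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

INCIDENT_START = datetime(2026, 6, 11, tzinfo=timezone.utc)

# Egress addresses previously seen for approved integrations (assumed values).
KNOWN_EGRESS_IPS = frozenset({"203.0.113.10", "203.0.113.20"})

# Constructed sample: routine Battlecards reads on June 10, then a burst of large
# queries across several CRM objects from a new address on the incident date.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,CLIENT_IP,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2026-06-10T09:00:00.000Z,klue-integration@example.edu,Klue Battlecards,203.0.113.10,query,Opportunity,120
API,2026-06-10T09:05:00.000Z,klue-integration@example.edu,Klue Battlecards,203.0.113.10,query,Account,80
API,2026-06-11T02:10:00.000Z,klue-integration@example.edu,Klue Battlecards,198.51.100.7,query,Contact,20000
API,2026-06-11T02:11:00.000Z,klue-integration@example.edu,Klue Battlecards,198.51.100.7,query,Contact,20000
API,2026-06-11T02:12:00.000Z,klue-integration@example.edu,Klue Battlecards,198.51.100.7,query,Lead,15000
API,2026-06-11T02:13:00.000Z,klue-integration@example.edu,Klue Battlecards,198.51.100.7,query,Opportunity,9000
API,2026-06-11T02:14:00.000Z,klue-integration@example.edu,Klue Battlecards,198.51.100.7,query,Case,4000
API,2026-06-11T10:00:00.000Z,advancement.app@example.edu,Advancement Sync,203.0.113.20,query,Contact,300
"""


def parse_rows(text):
    """Parse EventLogFile CSV text; attach an aware datetime and an int row count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        r["ts"] = ts.replace(tzinfo=timezone.utc)
        r["rows"] = int(r["ROWS_PROCESSED"] or 0)
        rows.append(r)
    return rows


def find_bulk_extraction(text, since=INCIDENT_START, known_ips=KNOWN_EGRESS_IPS,
                         row_threshold=10_000, entity_threshold=3, spike_factor=10):
    """Return one finding per (user, client app) whose query activity on or after
    `since` looks like a bulk export. Four signals: absolute row volume, breadth of
    objects read, source IPs outside the known set, and a daily spike over the
    same client's own pre-incident daily maximum (skipped if there is no history).
    """
    pre_daily = defaultdict(int)   # (user, client, date) -> rows before `since`
    post = defaultdict(lambda: {"daily": defaultdict(int), "entities": set(), "ips": set()})
    for r in parse_rows(text):
        if r["METHOD_NAME"] != "query":
            continue
        key = (r["USER_NAME"], r["CLIENT_NAME"])
        if r["ts"] < since:
            pre_daily[key + (r["ts"].date(),)] += r["rows"]
            continue
        a = post[key]
        a["daily"][r["ts"].date()] += r["rows"]
        a["entities"].add(r["ENTITY_NAME"])
        a["ips"].add(r["CLIENT_IP"])

    baseline = defaultdict(int)    # (user, client) -> max rows in one pre-incident day
    for (user, client, _day), n in pre_daily.items():
        baseline[(user, client)] = max(baseline[(user, client)], n)

    findings = []
    for key, a in post.items():
        user, client = key
        total = sum(a["daily"].values())
        peak_day = max(a["daily"].values())
        reasons = []
        if total >= row_threshold:
            reasons.append(f"{total} rows read since {since.date()}")
        if len(a["entities"]) >= entity_threshold:
            reasons.append(f"{len(a['entities'])} distinct objects read")
        new_ips = sorted(a["ips"] - known_ips)
        if new_ips:
            reasons.append(f"source IPs not seen before: {new_ips}")
        if baseline[key] and peak_day >= spike_factor * baseline[key]:
            reasons.append(f"{peak_day // baseline[key]}x the pre-incident daily max of {baseline[key]}")
        if reasons:
            findings.append({"user": user, "client": client, "rows": total,
                             "entities": sorted(a["entities"]), "new_ips": new_ips,
                             "baseline_daily_max": baseline[key], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_bulk_extraction(SAMPLE_LOG):
        print(f"{f['client']} as {f['user']}: " + "; ".join(f["reasons"]))
```

Run it over the daily API log files for the window, starting with the user that Klue's connected app authenticated as. The comparison against the client's own pre-incident daily maximum matters more than the fixed thresholds: a legitimate nightly sync can legitimately read tens of thousands of rows, but it does not usually jump two orders of magnitude from a new address.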

Near-Term (1-2 Weeks)

  • Inventory every OAuth-connected app across all Salesforce orgs (admissions, advancement, departmental)
  • Revoke connected apps that are unrecognized, unused, or unowned
  • Tighten OAuth scopes to least privilege; most integrations are over-permissioned at install
  • Enable Salesforce Event Monitoring (Shield) and feed events to your SIEM
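The first two near-term items (inventory every OAuth-connected app, revoke what is unrecognized, unused or unowned) reduce to a query and a triage rule. The following is an added example of that triage, not Ferrilli's or Salesforce's code. The SOQL and the OauthToken field names (AppName, User.Username, LastUsedDate, UseCount) are the author's recollection of the OauthToken object; verify them in your org before relying on the query. The approved-app inventory, owners, API version and the token records are constructed for illustration, shaped like a REST API query response.

```python
"""Triage Salesforce OAuth tokens against an approved-integration inventory.

Added example for this advisory; not Ferrilli's or Salesforce's code. The SOQL
and OauthToken field names are the author's recollection: verify in your org.
The inventory, owners and token records below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Run this in each org (admissions, advancement, departmental) via the REST API:
#   GET /services/data/v60.0/query?q=<URL-encoded SOQL>
# The API version is an assumption; use whichever your org supports.
OAUTH_TOKEN_SOQL = ("SELECT Id, AppName, User.Username, LastUsedDate, UseCount "
                    "FROM OauthToken ORDER BY AppName")

# Approved integrations and their accountable owners (assumed inventory).
APPROVED_APPS = {
    "Advancement Sync": "advancement-it@example.edu",
    "Admissions CRM Connector": "admissions-it@example.edu",
    "Klue Battlecards": "marketing-ops@example.edu",
}
# Vendors under active incident: revoke regardless of inventory status.
INCIDENT_VENDOR_APPS = {"Klue Battlecards"}

# Constructed review date and query result (shape of a REST query response).
AS_OF = datetime(2026, 6, 12, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "totalSize": 4, "done": True,
    "records": [
        {"Id": "0Rb000000000001", "AppName": "Klue Battlecards",
         "User": {"Username": "klue-integration@example.edu"},
         "LastUsedDate": "2026-06-11T02:14:00.000+0000", "UseCount": 5120},
        {"Id": "0Rb000000000002", "AppName": "Advancement Sync",
         "User": {"Username": "advancement.app@example.edu"},
         "LastUsedDate": "2026-06-12T06:00:00.000+0000", "UseCount": 18240},
        {"Id": "0Rb000000000003", "AppName": "Old Survey Tool",
         "User": {"Username": "former.staff@example.edu"},
         "LastUsedDate": "2025-09-01T12:00:00.000+0000", "UseCount": 3},
        {"Id": "0Rb000000000004", "AppName": "Admissions CRM Connector",
         "User": {"Username": "admissions.app@example.edu"},
         "LastUsedDate": None, "UseCount": 0},
    ],
}


def parse_sf_datetime(value):
    """Parse a Salesforce REST datetime such as 2026-06-11T02:14:00.000+0000."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage_tokens(response, approved=APPROVED_APPS, incident_apps=INCIDENT_VENDOR_APPS,
                  as_of=None, stale_after=timedelta(days=90)):
    """Return the tokens that should be revoked, each with the reasons.

    Flags: app belongs to a vendor under incident; app not in the approved
    inventory (unrecognized or unowned); token never used; token not used
    within `stale_after`. Tokens with no reasons are omitted.
    """
    as_of = as_of or datetime.now(timezone.utc)
    flagged = []
    for rec in response["records"]:
        app = rec["AppName"]
        user = (rec.get("User") or {}).get("Username")
        last_used = parse_sf_datetime(rec.get("LastUsedDate"))
        reasons = []
        if app in incident_apps:
            reasons.append("vendor under active incident: revoke and rotate")
        if app not in approved:
            reasons.append("not in approved inventory (unrecognized or unowned)")
        if not rec.get("UseCount"):
            reasons.append("never used")
        elif last_used is None or as_of - last_used > stale_after:
            reasons.append(f"not used in {stale_after.days} days")
        if reasons:
            flagged.append({"id": rec["Id"], "app": app, "user": user,
                            "owner": approved.get(app), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for t in triage_tokens(SAMPLE_RESPONSE, as_of=AS_OF):
        print(f"{t['id']} {t['app']} ({t['user']}, owner={t['owner']}): " + "; ".join(t["reasons"]))
```

The owner column is the point of the exercise: an app with no named owner on campus is "unowned" whether or not it is still in use, and the inventory should be corrected or the token revoked before the scope review starts, since there is nobody to answer the question of which scopes the integration actually needs.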

Strategic (Next Quarter)

  • Implement IP allowlisting for high-value Salesforce integrations
  • Update vendor risk questionnaires to address OAuth token handling, API monitoring, and notification timelines
  • Brief advancement and admissions leadership on SaaS supply chain risk
  • Document FERPA and state breach-notification readiness for SaaS-originated incidents
  • Confirm cyber insurance coverage for third-party SaaS supply chain incidents

How Ferrilli Can Help

  • Salesforce Integration Assessment: full inventory of connected apps and review of OAuth scopes
  • SaaS API Monitoring Implementation
  • Event Monitoring Enablement and SIEM integration
  • Vendor Risk Program Review: questionnaires, contract language, and ongoing oversight aligned to SaaS supply chain risk
  • IR Tabletop Exercise: a facilitated tabletop focused on the SaaS supply chain breach scenario

For more information, please reach out to Ferrilli at gethelp@ferrilli.com.