Daylila

Cybersecurity · Friday, 19 June 2026

01 · Briefing · what happened

The breach came through an app the company plugged in itself

Cybersecurity · 4 min · 35 sources

Attackers stole data from Salesforce customers — including a security firm — by hijacking a connected third-party app, the third such app abused this way. Plus a wave of critical patches and a major botnet takedown.

Key takeaways

  • Attackers stole data from Salesforce customers, including a security firm, by hijacking a connected third-party app called Klue — the third app abused this way, using stolen access keys rather than breaking in directly.
  • A leaked GitHub token gave attackers a foothold at drugmaker Novo Nordisk the same week, showing the same pattern: the stolen key to a connected system is the new front door.
  • A wave of critical patches landed (F5 NGINX, Cisco, Splunk), and an international coalition dismantled the long-running SocGholish botnet, cleaning up nearly 15,000 infected sites.

A data theft hit a string of companies this week, and none of them were actually hacked. The way in was an app they had each chosen to plug into their systems.

The trusted app that wasn’t

On June 17, Salesforce — the company whose software many businesses use to store customer records — suspended a third-party app called Klue Battlecards after spotting unusual activity [1]. Attackers had used Klue’s connection to reach into customers’ Salesforce data and copy it out. Salesforce was careful to say the flaw was not in its own platform — the door was the app the customer had connected [1].

Here is how that door works. When you connect an outside app to a service like Salesforce, you don’t hand it your password. You hand it an OAuth token — a digital key that lets the app keep reaching your data without asking again [1]. It’s convenient, and it’s the whole risk: steal the app’s key, and you walk straight into everyone’s data the app was connected to.

That’s what happened. Researchers at the security firm ReliaQuest found the attackers logged in through a compromised Klue service account, minted OAuth tokens, and pulled data out through Salesforce’s normal interface [1]. One environment saw “a concentrated burst of nearly a thousand queries in 15 minutes,” with data flowing out for more than six hours [1]. To Salesforce’s systems, it looked like a trusted app doing its job.

Klue is the third connected app abused this way against Salesforce customers, after earlier compromises of apps called Salesloft Drift and Gainsight [1]. The victims include Huntress, itself a cybersecurity vendor, which confirmed attackers copied its data [1]. If a security company can be reached through an app it trusted, the lesson isn’t about one weak vendor — it’s about the connection itself.

The angle. If you run a business on a platform like Salesforce, the question isn’t only “is my account secure?” It’s “what apps have I connected, and what can each one reach?” Every integration is a key handed out. Review which apps still have access, and revoke the ones you no longer use.
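Two of the checks this section points at, the burst that ReliaQuest saw (a concentrated run of queries inside 15 minutes from one connected app) and the review of which connected apps still hold a live grant, can be scripted against an audit log export. The block below is an added example written for this briefing, not code from Salesforce, ReliaQuest, Klue or any affected vendor. The event records and the grant list are constructed for the demonstration, the app names are placeholders, and the burst threshold and idle limit are assumed values that a real deployment would tune to its own normal integration traffic.

```python
"""Connected-app audit over constructed audit-log records.

Two defender-side checks (assumed design, not any vendor's tooling):
 1. burst detection: the densest 15-minute span of queries per connected app,
    flagged when it exceeds a threshold, mirroring the reported pattern of a
    concentrated burst followed by hours of steady exfiltration;
 2. stale-grant review: OAuth grants not exercised for a long time, which are
    the forgotten doors worth revoking.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)      # window size taken from the reported observation
BURST_THRESHOLD = 500               # assumed: queries per window that warrant a look
MAX_IDLE = timedelta(days=90)       # assumed: grants idle this long are revocation candidates
NOW = datetime(2026, 6, 19, 12, 0)  # fixed "now" (the briefing's date) so the run is deterministic


def _synth(app, start, count, spacing):
    """Build `count` constructed query events for one app, `spacing` apart."""
    return [(start + i * spacing, app, "SOQL query") for i in range(count)]


# Constructed audit-log events as (timestamp, connected app, operation).
# app-alpha imitates the reported shape: 900 queries packed into 15 minutes,
# then one query a minute for six hours. app-beta is a quiet, normal integration.
QUERY_EVENTS = (
    _synth("app-alpha", datetime(2026, 6, 17, 3, 0), 900, timedelta(seconds=1))
    + _synth("app-alpha", datetime(2026, 6, 17, 3, 20), 360, timedelta(minutes=1))
    + _synth("app-beta", datetime(2026, 6, 17, 0, 0), 48, timedelta(minutes=30))
)

# Constructed grant inventory: which connected apps hold a standing token
# and when each last used it. app-gamma is the door nobody has opened in months.
GRANTS = [
    {"app": "app-alpha", "granted": datetime(2025, 2, 3), "last_used": datetime(2026, 6, 17)},
    {"app": "app-beta", "granted": datetime(2025, 9, 10), "last_used": datetime(2026, 6, 17)},
    {"app": "app-gamma", "granted": datetime(2024, 11, 1), "last_used": datetime(2025, 8, 30)},
]


def max_queries_in_window(events, window=WINDOW):
    """Return {app: (max_count, window_start)}: for each app, the largest number
    of queries that fall inside any `window`-long span, found with a two-pointer
    sweep over that app's sorted timestamps (O(n) per app after sorting)."""
    by_app = defaultdict(list)
    for ts, app, _op in events:
        by_app[app].append(ts)
    result = {}
    for app, stamps in by_app.items():
        stamps.sort()
        best, best_start, j = 0, stamps[0], 0
        for i, start in enumerate(stamps):
            # advance the right edge while it still sits inside the window
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            if j - i > best:
                best, best_start = j - i, start
        result[app] = (best, best_start)
    return result


def flag_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Names of connected apps whose densest window meets the threshold."""
    dense = max_queries_in_window(events, window)
    return sorted(app for app, (count, _start) in dense.items() if count >= threshold)


def stale_grants(grants, now=NOW, max_idle=MAX_IDLE):
    """Names of connected apps whose grant has not been used within `max_idle`."""
    return sorted(g["app"] for g in grants if now - g["last_used"] > max_idle)


def audit(events=QUERY_EVENTS, grants=GRANTS):
    """Run both checks and return the apps that deserve a human decision."""
    return {"bursting": flag_bursts(events), "stale": stale_grants(grants)}


if __name__ == "__main__":
    for app, (count, start) in sorted(max_queries_in_window(QUERY_EVENTS).items()):
        print(f"{app}: densest 15-minute window holds {count} queries, starting {start}")
    print("review for burst:", audit()["bursting"])
    print("revoke candidates:", audit()["stale"])
```

The burst check deliberately measures the densest window rather than a daily total: a six-hour trickle after the initial burst would not stand out on a per-day count, but the 15-minute peak does. The stale-grant check is the cheap half of the review the section recommends; an app that has not used its token in three months is a key on someone else's hook that costs nothing to take back.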

The same shape, one week earlier

A different breach this month rhymes with it. Novo Nordisk — the Danish drugmaker behind Ozempic and Wegovy — disclosed on June 11 that attackers got an initial foothold using a single leaked GitHub access token: a key that lets software talk to a code repository without a password [2]. From there they reached clinical-trial data including patient IDs, dates of birth, and health markers [2]. Different platform, same mechanism — a stolen key to a connected system, no front-door break-in required.

A heavy week for patches

Several widely used products shipped fixes for serious flaws, the kind worth applying quickly because attackers read the same advisories.

  • F5 patched critical and high-severity flaws in NGINX, software that sits in front of a huge share of the world’s websites directing traffic [3].
  • Cisco fixed a critical command-execution flaw in ISE, a system many organisations use to decide who gets onto their network [4].
  • Splunk patched a critical bug (CVE-2026-20266, severity 9.1 out of 10) in its AI Toolkit that let an admin-level user run commands on the underlying machine [5]. A CVE is just the public ID number a flaw gets so everyone can track the same fix.

None of these are consumer products, but the businesses you rely on run them. The fix only protects you once it’s installed — and the gap between a patch being released and being applied is exactly the window attackers aim for.

A botnet pulled apart

Some good news. On Thursday, a coalition from the US, Canada, Germany, the Netherlands and Europol disrupted SocGholish, malware tied to the cybercrime group Evil Corp that has been infecting websites and quietly redirecting visitors into traps since 2017 [6]. Investigators took down 106 servers and cleaned up nearly 15,000 infected sites [6]. SocGholish worked by hijacking ordinary websites and using them to slip malware onto visitors’ machines [6] — a reminder that a site you trust can be the thing that betrays you, and also that these networks can be taken apart.

The backdrop

The UK’s National Cyber Security Centre — the country’s cyber-defence agency — said this week that three-quarters of the cyber incidents hitting British critical infrastructure over the past year traced to nation-states or states like Russia, China and Iran [7]. The agency handled 200 such incidents between June 2025 and May 2026 [7]. Most of those never make a headline. The breaches that do — an app, a token, a leaked key — are the visible edge of a much larger, quieter contest.

02 · Lesson · why it matters

The keys you handed out, and the doors you forgot you’d opened

Your security isn’t a wall around you — it’s every key you’ve ever given to someone else, held in places you no longer watch.

A break-in where nothing was broken

The companies whose Salesforce data was stolen this week were not hacked. No password was guessed, no flaw in Salesforce was exploited. Each victim had, at some point, done something ordinary: connected a useful outside app to their account. That connection handed the app a key. When the app was compromised, the key was, too — and the attacker used it the way it was meant to be used.

This is a strange kind of breach. The lock held. The wall held. The intruder walked in through a door the owner had installed on purpose and then stopped thinking about.

Why the key exists at all

The key — an access token — solves a real problem. You want an app to work with your data without you typing your password every time it needs something. So you grant it a token: a standing permission that says this app may reach this data. It is pure convenience, and convenience is the point.

But notice the trade hidden inside it. A password is something you keep. A token is something you give away. Once it’s out, the app holds a piece of your access — and your security now depends on a place you don’t control. You didn’t make Salesforce weaker. You extended yourself into someone else’s building and left a key on their hook.

The risk moved to where no one is looking

Here is the part that makes this pattern dangerous rather than merely annoying. When you defend your own account, you watch your own account — logins, passwords, unusual activity. But the stolen key wasn’t used against the thing you watch. It was used through a connection that, to your systems, looked completely normal. A trusted app doing its job.

The attackers in the Salesforce case pulled nearly a thousand queries in fifteen minutes, then kept going for six hours, and it blended in. Of course it did. The traffic carried a legitimate key. You don’t notice a guest who arrived with an invitation you signed.

The risk didn’t disappear when you handed out the token. It moved — out of the room you guard and into a room you forgot you had a door to.

One key, many rooms

The reason this keeps happening — Klue is the third such app, after two others — is that one compromised app is not one victim. It is every customer that app was connected to. The attacker breaks one company and inherits a ring of keys to dozens of others. Each of those companies thought of its security as its own affair. It never was. They were all quietly joined together through a single app they each chose, separately, for their own reasons.

That is the whole shape of it. We picture security as a boundary — my wall, my account, my data. But the moment you connect anything, the boundary stops being a circle around you and becomes a web of keys you’ve handed out, held by parties who hand out keys of their own. A security firm was among the victims this week. Even the people whose job is watching the keys could not see all the ones they’d given away.

What the floor looks like from here

The cure isn’t to connect nothing — that’s not a world anyone lives in. The cure is to see the connections honestly: every integration is a key, every key is a door, and a door you opened a year ago and never closed is open now, in a building you don’t visit.

And the humbling part is how little of this anyone can fully see. You can list your own connected apps, but not their connected apps, not the service accounts behind them, not who else holds a copy of the key the same vendor issued. You are a node in chains that run far past your sight — trusting parties who trust parties you’ve never heard of. The person who has handed out the fewest keys isn’t the most careful. They’re just the one who can still see most of their own doors.

03 · Lab · your turn

The Keys You Hand Out

Connect apps to your data, then feel how each connected app is a live key that becomes the attacker’s door when that vendor is breached.

04 · Hope · carry this

The same week a stolen key opened a string of doors, a dozen countries worked together to shut one down — taking apart a network that had hidden in plain sight for nearly a decade. The doors we open can be watched, and the ones we forgot can still be closed.
