Threat actor group Icarus compromised OAuth tokens held by Klue, a third-party SaaS integration, to gain persistent, credential-less access to downstream customer Salesforce environments, resulting in confirmed CRM data exfiltration at six named organizations. This is not a Salesforce product vulnerability — the attack exploited a legacy credential in a third-party vendor’s environment — but the impact is fully realized inside Salesforce orgs and requires action from any organization that connected Salesforce through Klue.