Threat actor group Icarus compromised Klue’s SaaS infrastructure and weaponized its pre-authorized Salesforce OAuth tokens to access and exfiltrate data from downstream Salesforce customer environments. Salesforce-native security controls did not flag the intrusion because the OAuth session appeared legitimate. Any Salesforce organization with an active Klue integration should treat its data as potentially exposed until OAuth tokens are revoked and event monitoring logs are reviewed.