Threat actor Icarus exploited a dormant legacy service account credential in Klue’s integration infrastructure to obtain OAuth tokens, then used those tokens to bulk-query Salesforce CRM environments via the REST API and exfiltrate business contacts, pricing data, and sales messaging. At least one confirmed victim (Huntress) received an extortion demand. The root cause is not a Salesforce vulnerability but a systemic failure in non-human identity governance: unmanaged legacy credentials with overly broad OAuth scopes and no lifecycle controls.
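The governance gap named above can be checked mechanically. This is an added example, not code from the original report or from any vendor: an audit over a constructed inventory of integration credentials that flags dormancy, broad OAuth scopes, and missing lifecycle controls. The identity names, record fields, thresholds, and the set of scopes treated as broad are assumptions.

```python
from datetime import date

# Assumptions for this example: which scopes count as broad, and policy thresholds.
BROAD_SCOPES = {"full", "api", "refresh_token"}
DORMANT_DAYS = 90
MAX_SECRET_AGE_DAYS = 180

# Constructed inventory of integration credentials (not data from the incident).
INVENTORY = [
    {"name": "svc-legacy-sync", "owner": None, "scopes": ["full", "refresh_token"],
     "last_used": date(2023, 1, 10), "rotated": date(2021, 6, 1), "expires": None},
    {"name": "svc-crm-reader", "owner": "sales-eng", "scopes": ["id"],
     "last_used": date(2025, 5, 28), "rotated": date(2025, 4, 1), "expires": date(2025, 10, 1)},
    {"name": "svc-report-export", "owner": "data-team", "scopes": ["api"],
     "last_used": date(2025, 5, 30), "rotated": date(2023, 2, 1), "expires": None},
]

def audit(identity, today):
    """Return the governance findings for one non-human identity."""
    findings = []
    if (today - identity["last_used"]).days > DORMANT_DAYS:
        findings.append("dormant")          # unused, yet still able to mint tokens
    if BROAD_SCOPES & set(identity["scopes"]):
        findings.append("broad_scope")      # token can read far more than the job needs
    if identity["owner"] is None:
        findings.append("no_owner")         # nobody accountable for decommissioning
    if identity["expires"] is None:
        findings.append("no_expiry")        # credential never ages out on its own
    if (today - identity["rotated"]).days > MAX_SECRET_AGE_DAYS:
        findings.append("stale_secret")     # secret has outlived the rotation policy
    return findings

def triage(inventory, today):
    """Rank identities: dormant plus broad scope means revoke, any other finding means review."""
    report = []
    for ident in inventory:
        f = audit(ident, today)
        action = "revoke" if {"dormant", "broad_scope"} <= set(f) else ("review" if f else "ok")
        report.append((ident["name"], action, f))
    order = {"revoke": 0, "review": 1, "ok": 2}
    return sorted(report, key=lambda r: (order[r[1]], -len(r[2])))

if __name__ == "__main__":
    for name, action, findings in triage(INVENTORY, date(2025, 6, 1)):
        print(f"{action:7} {name:20} {', '.join(findings) or '-'}")
```

A dormant identity that still holds a broad scope is ranked first because it matches the profile of the credential abused here: nothing legitimate depends on it, so revocation carries little operational risk.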