Klue OAuth Breach Lets 'Icarus' Threat Actor Raid Customer Salesforce CRM Data at 1,000 Queries per 15 Minutes

Market intelligence platform Klue suffered an OAuth token theft in which 'Icarus'—a threat actor active since April 2026—exploited a dormant prototype integration credential to extract OAuth tokens and query connected Salesforce CRM environments, sending nearly 1,000 API calls per 15 minutes. Huntress and ReliaQuest both confirmed the breach; stolen data included business contacts, sales communications, price quotes, and competitive intelligence reports, with no passwords or payment data compromised. Salesforce has disabled the Klue Battlecards integration pending investigation, and Icarus is conducting extortion via Session Messenger under the alias 'mr bean.'