An extortion group calling itself Icarus has stolen customer relationship management data from enterprise companies by exploiting a third-party integration that connects the competitive intelligence platform Klue to Salesforce.

The attack began on June 11, when the threat actors gained access to Klue’s backend infrastructure using a dormant API credential originally created for an abandoned internal project. They used that foothold to push a code update that silently harvested the OAuth tokens customers use to connect Klue to their Salesforce environments. Automated scripts then pulled bulk CRM records through legitimate API channels, avoiding the traffic patterns that typically trigger security alerts.

Salesforce disabled the Klue Battlecards app integration across all affected customer environments after detecting unusual activity. The cybersecurity firm Huntress was among the companies confirmed as affected. Huntress attributed the attack to Icarus based on matching Session Messenger identifiers found in extortion emails and on the group’s dark-web leak site.

The method used here reflects a trend in enterprise attacks. Adversaries increasingly target vendor integrations rather than the primary platform itself, where defenses tend to be stronger. OAuth token abuse through trusted third-party apps has become a reliable entry point for actors targeting large organizations.

The Icarus group has been active since late April 2026, operating a dark-web leak site and targeting companies through software supply chain vulnerabilities. Several enterprises have reported receiving extortion demands since June. Affected organizations are advised to audit active Salesforce integrations, rotate any OAuth credentials tied to Klue, and review API access logs starting from June 11.
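As an added example that is not from the article, from Huntress's investigation or from Salesforce, the Python below works through the review step above: it reads API access log lines, compares each day's row volume for one connected app against that app's own pre-June-11 baseline, and lists the users whose tokens the app exercised after the cutoff so they can be rotated. The log layout (timestamp, connected app, user, operation, rows returned), the app label and the log lines themselves are constructed for the example; a real Salesforce event log has its own schema, which you would map onto `parse_log`.

```python
"""Review CRM API access logs for one connected app: flag bulk-read days on or
after a cutoff date and list the users whose OAuth tokens for that app need
rotating. Added example; the log layout is assumed, not Salesforce's schema."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed CSV layout:
# timestamp,connected_app,user,operation,rows_returned
SAMPLE_LOG = """\
2026-06-08T10:02:11Z,Klue Battlecards,alice@example.com,query,40
2026-06-09T11:40:03Z,Klue Battlecards,bob@example.com,query,55
2026-06-10T09:12:03Z,Klue Battlecards,alice@example.com,query,45
2026-06-11T02:14:55Z,Klue Battlecards,alice@example.com,query,2000
2026-06-11T02:15:10Z,Klue Battlecards,alice@example.com,query,2000
2026-06-11T02:16:42Z,Klue Battlecards,bob@example.com,query,1500
2026-06-12T03:01:27Z,Klue Battlecards,carol@example.com,query,1800
2026-06-12T10:00:00Z,Other Reporting App,dave@example.com,query,3000
2026-06-13T09:00:00Z,Klue Battlecards,alice@example.com,query,50
"""

APP = "Klue Battlecards"   # connected app named in the article (label assumed)
CUTOFF = "2026-06-11"      # start of the review window the article gives


def parse_log(text):
    """Parse CSV lines into dicts; 'day' is the ISO date used for grouping."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, user, op, rows = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append({"day": when.date().isoformat(), "app": app,
                        "user": user, "op": op, "rows": int(rows)})
    return records


def daily_rows(records, app, since=None, before=None):
    """Rows returned per day for one app, optionally bounded by ISO dates
    (ISO strings compare correctly as plain strings)."""
    totals = defaultdict(int)
    for r in records:
        if r["app"] != app:
            continue
        if since and r["day"] < since:
            continue
        if before and r["day"] >= before:
            continue
        totals[r["day"]] += r["rows"]
    return dict(totals)


def flag_bulk_days(records, app, cutoff, multiplier=10, floor=500):
    """Days on/after the cutoff where the app pulled far more rows than its own
    pre-cutoff daily average. 'floor' keeps the threshold meaningful when the
    app has no pre-cutoff history at all."""
    baseline = daily_rows(records, app, before=cutoff)
    avg = sum(baseline.values()) / len(baseline) if baseline else 0
    threshold = max(avg * multiplier, floor)
    after = daily_rows(records, app, since=cutoff)
    return sorted(day for day, rows in after.items() if rows > threshold)


def tokens_to_rotate(records, app, cutoff):
    """Users whose tokens the app exercised on/after the cutoff; these are the
    OAuth grants to revoke and re-issue, not only the ones with bulk reads."""
    return {r["user"] for r in records
            if r["app"] == app and r["day"] >= cutoff}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("bulk-read days for", APP, ":", flag_bulk_days(recs, APP, CUTOFF))
    print("rotate tokens for:", sorted(tokens_to_rotate(recs, APP, CUTOFF)))
```

Two design points. The threshold is per app, against that app's own history, because a global volume alarm is exactly the kind of pattern the article says the scripts stayed under; a connected app that normally returns a few dozen rows a day and suddenly returns thousands stands out even when the total API traffic does not. And `tokens_to_rotate` deliberately returns every user whose grant the app used after the cutoff rather than only the users on flagged days, since a harvested token that was used sparingly is still compromised.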
Cybersecurity threats have escalated across enterprise software this year. Microsoft warned earlier about the CryptoBandits malware campaign targeting crypto wallets through USB drives. Google DiffusionGemma and other AI tools have also become targets for adversaries probing enterprise AI pipelines. The Apple and Google partnership on iOS 27’s Siri AI is prompting security researchers to examine new AI-integrated attack surfaces.

Klue has not issued a full public statement detailing the scope of data exposed. The company builds competitive intelligence tools used by enterprise sales and marketing teams, meaning the stolen CRM data may include prospect information, deal pipeline details, and customer contact records.

The full scale of the breach is still being assessed. Affected companies have been notified by Salesforce. Huntress published a detailed technical investigation on its blog, including indicators of compromise and guidance for organizations running the Klue integration.
