Hacked Klue: Data Deletion and Ransom Threats from Cybercriminals

TL;DR

  • Market intelligence platform Klue confirmed that the extortion group "Icarus," which stole data from its customers via a supply chain attack, has begun deleting the compromised information after Klue engaged with them.
  • A second, unnamed hacking gang is now attempting to extort Klue's customers directly, creating a dual-threat scenario that complicates data recovery and ransom negotiations.
  • The breach originated from a stolen credential dating back to a 2022 pilot program, impacting at least nine cybersecurity firms, including LastPass and Huntress, with approximately 3.4 GB of Salesforce CRM data exposed.

The Supply Chain Breach That Shook Cybersecurity

The cybersecurity world is grappling with a significant supply chain attack targeting Klue, a market intelligence platform used by numerous high-profile technology and security firms. The breach, detected on June 12, 2026, was not the result of a sophisticated new exploit but rather the weaponization of a dormant credential dating back to a limited pilot program in 2022.

Hackers utilized this old access key to infiltrate Klue's systems and exfiltrate reams of data belonging to the platform's corporate customers. The fallout has been widespread, with at least nine organizations confirmed as victims, including password manager maker LastPass, cybersecurity firm Huntress, and Salesforce. In Huntress's case, the compromised data included 3.4 GB of Salesforce CRM information, containing business contacts, pricing quotes, subscription specifics, and internal sales communications.

Icarus Claims Responsibility and Begins Deletion

The hacking group responsible for the attack, known as "Icarus," quickly took credit for the breach on its data leak site, listing Klue as a primary victim and threatening to release the stolen data unless a ransom was paid. The group established a presence on a dead-drop site, posting samples of the exfiltrated data to prove its legitimacy.

However, the narrative has shifted dramatically in the last 24 hours. Klue announced that it has engaged in direct communication with Icarus. According to a private update shared with customers on Thursday evening, Icarus has informed Klue that it is actively undertaking measures to delete the stolen data.

"We continue to communicate with the threat actor we have been in contact with ('Icarus')," Klue stated. "Icarus told us they are taking steps to delete the data taken from Klue customers."

Corroborating this claim, Icarus's website and data leak site have remained offline since the announcement, and Klue has confirmed it has indications that the deletion process is indeed underway. This marks a rare instance where a ransomware or extortion group has voluntarily begun erasing data after a direct negotiation, rather than waiting for a payment or a forced shutdown.

A Second Gang Emerges with Direct Extortion Attempts

Despite the positive development with Icarus, Klue and its customers face a new, escalating threat. The company revealed that a second, distinct gang of hackers has emerged, attempting to bypass Klue entirely and extort the victim companies directly.

This secondary group is reportedly targeting Klue's customers, including the cybersecurity firms that suffered data loss, with their own ransom demands. This "double-dip" extortion strategy complicates the situation significantly, as victims must now navigate threats from two separate entities. While Icarus appears to be complying with deletion requests, the second group's intentions remain unknown, raising fears that they may release the data regardless of any negotiations.

The Evolving Landscape of Cybercrime and Data Security

The Klue incident underscores the persistent dangers of legacy credentials and the evolving tactics of cybercriminals. The fact that a 2022 credential could trigger a massive breach in 2026 highlights the critical need for rigorous credential management and the immediate retirement of unused access keys.

Furthermore, the emergence of a second extortion group attempting direct attacks on customers illustrates the increasingly fragmented and competitive nature of the cybercrime ecosystem. As groups like Icarus demonstrate a willingness to negotiate and delete data, new, more aggressive actors are testing the waters with direct extortion, creating a volatile environment for data security.

For the affected companies, the immediate focus is on verifying the completeness of the data deletion by Icarus while preparing defenses against the second group's demands. The situation serves as a stark reminder that in the modern threat landscape, a breach can spawn multiple, simultaneous crises, requiring agile and comprehensive response strategies.


AndroGuider Team
Articles written by the AndroGuider team. We try to make them thorough and informational while being easy to read.
Reviewed by Randeotten on 6/25/2026 11:48:00 PM