Hackers Exploit Stolen Credentials from Klue, Compromising Customer Data

TL;DR

  • Market intelligence firm Klue suffered a breach where hackers exploited a legacy credential originally created in 2022 for a pilot program that was never decommissioned.
  • The attackers used this access to steal OAuth tokens from Klue's systems, which they then used to exfiltrate sensitive data from the Salesforce accounts of major cybersecurity customers like Huntress, LastPass, and Recorded Future.
  • The hacking group "Icarus" has claimed responsibility for the attack, demanding a ransom and threatening to release the stolen data if payment is not received.

The cybersecurity industry is once again grappling with the fallout of a significant data breach, this time centered on Vancouver-based market intelligence provider Klue. On June 12, Klue detected unauthorized access to its systems, a breach that was publicly disclosed last Friday. The root cause of this intrusion was not a sophisticated, state-of-the-art exploit, but rather a glaring security lapse: a "compromised legacy credential" dating back to 2022.

According to Klue spokesperson Katie Berg, the credential used by the hackers was originally granted to a third-party for a limited pilot program. While the pilot ended years ago, Klue failed to revoke or decommission the associated access credentials. This oversight left a digital backdoor open, allowing a threat actor to infiltrate the company's infrastructure with ease. The incident highlights a critical question for enterprise security: why do companies retain access tokens for abandoned projects, and what are the consequences when those forgotten keys are picked up by malicious actors?

The Chain of Compromise: From Klue to Salesforce

Once the hackers gained entry using the 2022 credential, they executed a multi-stage attack that extended far beyond Klue's own servers. The attackers quickly pivoted into Klue's internal infrastructure to harvest OAuth tokens. These tokens are the digital keys that allow Klue's customers to securely connect their cloud data—such as Salesforce databases—to Klue's platform.

By stealing these tokens, the attackers effectively hijacked the identities of Klue's corporate clients. They then used the stolen credentials to directly query and download data from the customers' CRM tools. This means the breach was not just a theft of data stored at Klue, but a direct exfiltration of sensitive business information from the customers' own environments.

The scope of the impact is significant, with at least eight companies confirming they were victims of this chain of compromise. The list of known victims includes prominent cybersecurity firms such as Huntress, Recorded Future, Snyk, Jamf, and Tanium, as well as analytics services like Sprout Social and Gong. For Huntress, the stolen data included business contacts, price quotes, and sales-related messaging stored in their Salesforce account. LastPass, the password manager maker, also reported that customer support case records and personal information were stolen, though their customers' password vaults remained secure.

The "Icarus" Group Claims Responsibility and Demands Ransom

The breach has been attributed to a hacking group calling itself "Icarus," which has taken credit for the attack on its dark web data leak site. The group has publicly threatened to release the stolen data if their ransom demands are not met. This extortion tactic adds a layer of urgency to the situation, as companies face the risk of their confidential business data, including client lists and pricing strategies, becoming public.

Icarus has historically provided samples of exfiltrated data on dead-drop sites like gofile.io, and the group appears to be following a similar pattern. The threat of data leakage forces affected companies to not only investigate the breach but also prepare for potential reputational damage and the regulatory implications of losing customer data.

Security Posture Under Scrutiny

The Klue breach has triggered a fierce debate regarding the company's security posture. Security experts are questioning why a credential created for a pilot program in 2022 was still active in 2026. The incident suggests that Klue may have had years to retire the credential but failed to do so, raising concerns about their internal processes for managing access rights and lifecycle management of digital identities.

In response to the attack, Klue has engaged incident response firm CrowdStrike to assist with the investigation. The company has also taken immediate steps to contain the breach by disconnecting its integrations and revoking the compromised credentials and tokens. While these actions are necessary to stop the immediate threat, the breach serves as a stark reminder for the entire tech industry: the cost of failing to revoke access after a project ends can be measured in stolen customer data, financial extortion, and a damaged reputation.

As the investigation continues, the industry is left to wonder how many other "legacy credentials" remain dormant but active in other systems, waiting for a hacker to find them. For Klue and its customers, the path forward involves not just recovering from this breach, but fundamentally rethinking how they manage the lifecycle of their digital access keys.
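The question the article keeps returning to, why a pilot credential issued in 2022 was still valid in 2026, is answered operationally by a recurring audit of the credential inventory against the lifecycle the credential was issued for. The following is an added illustrative example, not Klue's or CrowdStrike's tooling: a small Python audit over a constructed inventory that flags any credential whose project end date has passed without revocation, that has gone unused past an idle limit, or that is older than a rotation limit. The record fields, sample entries and thresholds are assumptions chosen for the demonstration.

```python
"""Stale-credential audit (illustrative example, not a vendor's tool).

Walks an inventory of issued credentials and reports every one that should
be revoked or reviewed: the project it was issued for has ended, it has not
been used recently, or it is past the rotation age. All records below are
constructed for demonstration; thresholds are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Credential:
    name: str                       # identifier in the secrets/IAM inventory
    issued_to: str                  # person, team or third party holding it
    created: date
    project_end: Optional[date]     # scheduled end of the pilot/project, if any
    last_used: Optional[date]       # None if no use has ever been recorded
    revoked: bool = False

# Assumed policy thresholds; tune to the environment.
MAX_AGE = timedelta(days=365)       # rotate anything older than a year
MAX_IDLE = timedelta(days=90)       # revoke anything unused for a quarter

def audit(inventory: List[Credential], today: date) -> Dict[str, List[str]]:
    """Return {credential name: [reasons]} for every active credential that
    violates at least one lifecycle rule. Revoked credentials are skipped."""
    findings: Dict[str, List[str]] = {}
    for c in inventory:
        if c.revoked:
            continue
        reasons: List[str] = []
        # Rule 1: the project ended but access was never decommissioned.
        if c.project_end is not None and c.project_end < today:
            reasons.append(
                f"project ended {c.project_end.isoformat()} but credential was never revoked")
        # Rule 2: no recent use (or no use at all since creation).
        if c.last_used is None:
            if today - c.created > MAX_IDLE:
                reasons.append(f"never used since creation on {c.created.isoformat()}")
        elif today - c.last_used > MAX_IDLE:
            reasons.append(
                f"idle for {(today - c.last_used).days} days (limit {MAX_IDLE.days})")
        # Rule 3: past the rotation age regardless of use.
        if today - c.created > MAX_AGE:
            reasons.append(
                f"age {(today - c.created).days} days exceeds rotation limit of {MAX_AGE.days}")
        if reasons:
            findings[c.name] = reasons
    return findings

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Credential("pilot-partner-2022", "third-party pilot", date(2022, 3, 1),
               date(2022, 9, 30), date(2026, 6, 12)),
    Credential("crm-sync-prod", "integration service", date(2026, 1, 15),
               None, date(2026, 6, 20)),
    Credential("analyst-readonly", "analyst team", date(2024, 11, 1),
               None, date(2025, 1, 10)),
    Credential("old-pilot-retired", "former vendor", date(2021, 5, 1),
               date(2023, 1, 1), date(2022, 12, 20), revoked=True),
    Credential("never-used-key", "automation", date(2026, 2, 1), None, None),
]

def main() -> None:
    today = date(2026, 6, 24)   # fixed audit date so the report is reproducible
    for name, reasons in sorted(audit(SAMPLE_INVENTORY, today).items()):
        print(name)
        for r in reasons:
            print(f"  - {r}")

if __name__ == "__main__":
    main()
```

Run as a scheduled job against the real inventory, the first rule alone would have surfaced a pilot credential like the one described above the day after the pilot's scheduled end, years before anyone used it for unauthorized access. Each flagged name is a revocation or review ticket, not merely a log line.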


AndroGuider Team
Articles written by the AndroGuider team. We try to make them thorough and informational while being easy to read.
Reviewed by Randeotten on 6/24/2026 05:47:00 AM