DMR News

Klue Says Hackers Are Deleting Stolen Customer Data as Second Group Makes Threats

By Jolyen

Jun 28, 2026

Market intelligence provider Klue says it remains in contact with the hacking group responsible for stealing data from several customers and has received assurances that the group is deleting the information.

The company identified unauthorised activity in its integration infrastructure on June 12. It later determined that attackers used a compromised credential linked to a limited pilot from 2022 to access customer authentication tokens.

Klue Communicates With Icarus

In a private update to customers, Klue said it was continuing to communicate with a threat actor calling itself Icarus. The group reportedly told the company that it had begun deleting information taken from Klue customers.

Klue also noted that the Icarus leak website was offline and said it had other indications that the deletion was taking place. However, neither Klue nor independent researchers have confirmed that every copy of the stolen information has been destroyed.

The company’s public incident update explains that the compromised credential allowed the attacker to enter part of its integration environment. The hackers then obtained OAuth tokens that Klue used to connect with customer platforms such as Salesforce and Gong.

Those tokens allowed the attackers to enter connected customer accounts without stealing individual employees’ passwords. They then copied information available through the affected integrations.

Customers Confirm Data Exposure

Companies that have confirmed being affected include Gong, HackerOne, Huntress, Jamf, Insurity, LastPass, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium.

HackerOne said an unauthorised party accessed and copied CRM information from its Salesforce environment through Klue’s OAuth integration. LastPass similarly reported that attackers obtained customer contact details, support information, and sales records, but not account passwords or master passwords.

Klue said it revoked affected OAuth tokens, disabled the compromised integrations, and began reviewing its credential management, monitoring, vendor access, and deployment security controls.

The company has not explained why the credential from the 2022 pilot remained active for approximately four years.

Second Group Claims to Hold Samples

The incident became more complicated after another unidentified hacking group began contacting some Klue customers directly. That group claims it obtained the stolen data from Icarus and says the breach affected 195 companies.

Klue told customers that Icarus claimed the second group possesses only limited samples belonging to some victims rather than the complete collection. Icarus also reportedly advised affected companies not to pay the second group.

Klue suggested that customers contacted by the new group request randomly selected samples as proof that the hackers hold the information they claim to possess.

The existence of several copies cannot currently be ruled out. Even when an original attacker claims to delete stolen data, information may have already been copied, sold, or transferred to other parties.
