Klue breach traced to 4-year-old credential from 2022 pilot

Key Takeaways

• Klue confirmed hackers used a credential from a 2022 pilot program to breach customer data in June 2026
• LastPass and several other cybersecurity companies had data stolen through Klue's compromised OAuth tokens
• A hacking group called Icarus claims responsibility and is threatening to release data unless a ransom is paid

A credential Klue handed to a third party in 2022 sat active for four years. On June 12, hackers used it to steal customer data from the Vancouver-based competitive intelligence company, including data belonging to LastPass and several other cybersecurity firms. Klue detected the intrusion the same day and disclosed it last Friday, but the timeline raises an uncomfortable question: why did a pilot-program credential survive long enough to become an attack vector?

Klue spokesperson Katie Berg told TechCrunch that the stolen credential "was originally provided to a third-party in 2022, for a limited pilot." The company declined to explain what the pilot was for, how long it ran, or who received the credential. Most critically, Klue offered no explanation for why it never revoked access after the pilot ended.

How did the Klue breach happen?

The attackers exploited Klue's integration layer. Klue stores OAuth tokens, the keys that let its platform pull competitive intelligence data from customers' cloud services and databases. Once inside, the hackers used those tokens to download data from Klue's customers and then attempted extortion.

Klue described the compromised credential only as a "legacy credential associated with an integration service." That vagueness matters. Whether it was an employee username and password, an API key, or something else determines how the breach unfolded and who bears responsibility. Klue also won't say whether the credential was stolen from its own systems or from the unnamed third party.

A hacking group called Icarus posted on its leak site claiming credit for the attack. The group is threatening to publish stolen data unless Klue pays a ransom. Klue has not disclosed whether it has communicated with Icarus or intends to pay.

Which companies were affected?

LastPass confirmed it was among the victims. The password manager company, still recovering reputationally from its own major breaches in 2022, now finds itself compromised through a vendor whose security practices appear to have failed basic credential hygiene.

TechCrunch reported that "several other cybersecurity companies" also had data stolen. Klue's customer list includes enterprise sales teams across industries, but the irony of security vendors being breached through a competitive intelligence tool is hard to miss.

What is Klue doing now?

Klue says it is "conducting a comprehensive review of credential management, vendor-access controls, monitoring capabilities, and deployment security processes." That review comes after the fact. The company has not shared specifics about what changes it will implement or what its investigation has uncovered beyond the 2022 pilot detail.

The investigation is ongoing. Klue did not respond to follow-up questions before TechCrunch published its report.

Why dormant credentials are a persistent problem

This breach follows a pattern security teams know well. Credentials created for pilots, proofs of concept, or temporary integrations get forgotten. Nobody revokes them because nobody remembers they exist. Then they become the entry point for an attack years later.

Automated credential rotation and expiration policies exist to prevent exactly this scenario. Major identity providers like Okta, Azure AD, and Google Workspace offer tooling to enforce credential lifecycles. The fact that Klue's 2022 credential remained valid suggests either a gap in their security tooling or a process failure in decommissioning pilot infrastructure.

For Klue's customers, the breach is a reminder that third-party risk extends beyond the obvious. Competitive intelligence platforms, by design, request broad access to sensitive systems. That access becomes a liability the moment the vendor's security falls short.

What should affected companies do?

Any organization using Klue should audit what OAuth tokens they granted and revoke access immediately. Then rotate credentials for any system Klue could reach. Assume the attackers have copies of everything Klue's tokens could access.

Beyond the immediate response, this is a moment to review third-party access broadly. How many vendors have dormant credentials to your systems? When did you last audit them? If you don't know the answers, you have the same vulnerability Klue's customers just learned about the hard way.

Frequently Asked Questions

What is the Klue data breach?

Hackers exploited a credential Klue created in 2022 for a pilot program. They used it to access Klue's systems in June 2026 and stole customer data, including data from LastPass and other cybersecurity companies.

Who was affected by the Klue breach?

LastPass confirmed it was affected. TechCrunch reported that several other cybersecurity companies also had data stolen through the breach.

What is Icarus, the hacking group behind the Klue attack?

Icarus is a hacking group that claimed credit for the Klue breach on its data leak site. The group is threatening to release stolen data unless Klue pays a ransom.

How can companies protect themselves from similar breaches?

Implement automatic credential expiration for all pilot and temporary access. Conduct quarterly reviews of third-party access. Audit OAuth tokens granted to vendors and revoke any that are no longer needed.

Has Klue said whether it will pay the ransom?

No. Klue has not disclosed whether it has contacted the hackers or whether it plans to pay their demands.

Source: TechCrunch / Zack Whittaker