
Klue breach turns chaotic: second hacker gang emerges

Huma Shazia, June 28, 2026 at 7:17 AM, 5 min read

Key Takeaways

Source: TechCrunch
  • A second hacker group claims to have stolen Klue customer data from the original attackers, creating a chaotic double-extortion scenario
  • At least 11 major tech companies have confirmed they were affected, including LastPass, HackerOne, and Recorded Future
  • The breach originated from a 2022 third-party credential that was never revoked

The Klue data breach just got messier. The market research provider told customers on Wednesday that the original hacking group, Icarus, claims to be deleting stolen data. But a second, unnamed gang has surfaced, claiming to possess the same data and demanding ransom from affected companies directly.

Klue, which provides competitive intelligence tools to enterprise clients, confirmed hackers broke into its systems on June 12. In a private update to customers obtained by TechCrunch, the company said Icarus is "taking steps to delete data taken from Klue customers" and that the Icarus website is now offline.

That would be encouraging news, except for the second group. These hackers claim they stole Klue's customer data directly from Icarus, allegedly by exploiting a mistake made by an Icarus operator. The second group posted a list of affected companies on their own site and threatened to leak everything if victims don't pay.

Which companies were hit in the Klue breach?

The list of confirmed victims reads like a who's who of security and enterprise software. Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium have all acknowledged they were affected. The second hacker group claims 195 Klue customers were compromised in total.

The irony is hard to miss. HackerOne runs bug bounty programs. Recorded Future sells threat intelligence. LastPass stores passwords. These are companies whose entire value proposition depends on security. Now they're caught up in a breach at a third-party vendor they trusted with competitive intelligence data.


How did the attackers get in?

Klue says the breach traces back to a 2022 third-party credential from a "limited pilot." The company hasn't disclosed who the credential belonged to or why it remained active for four years. Once inside, the attackers stole OAuth tokens, the authentication keys that let applications access customer cloud accounts and databases.

OAuth tokens are powerful. They don't just grant read access. Depending on the permissions, attackers could have pulled customer data, modified configurations, or moved laterally through connected systems. Klue hasn't specified what permissions those tokens carried or how much data the attackers actually exfiltrated.

Did Klue pay the ransom?

That's unclear. The second hacker group alleges Klue paid "an Icarus operator who is a teenager living somewhere in the UK or adjacent countries." TechCrunch could not independently verify this claim. Klue has not responded to requests for comment.

If Klue did pay, it would explain why Icarus claims to be deleting data and why their site went dark. It would not explain why a second group now has copies. Paying ransomware operators rarely guarantees anything. Data can be copied before deletion, sold to other criminals, or used for follow-on attacks.


What should affected companies do now?

Klue offered specific advice in its customer update: if the second group contacts you demanding payment, ask for a random sample of data as proof they actually have what they claim. Icarus told Klue the second group only possesses "samples of data for a subset of customers, not all of the data."

That's a start, but it's not reassuring. Even partial samples could contain sensitive competitive intelligence, customer lists, pricing strategies, or internal communications. Companies that used Klue need to audit what data they shared with the platform and assume the worst.

Rotating OAuth tokens is the obvious first step. Any token that granted Klue access to internal systems should be revoked immediately. Beyond that, affected companies should review access logs for suspicious activity dating back to mid-June and notify their own customers if their data may have been exposed downstream.
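As an added illustration, not code from Klue, TechCrunch or any of the companies named above, the script below audits a constructed inventory of third-party integrations for the two failure modes this article describes: a pilot credential left active for years without rotation or an owner, and OAuth grants whose scopes go beyond read access. The field names, the 90-day rotation threshold, the scope names and the inventory entries are all assumptions.

```python
"""Third-party credential audit (added example; inventory and policy are constructed)."""
from datetime import date

MAX_AGE_DAYS = 90                              # assumed rotation policy
WRITE_SCOPES = {"write", "admin", "delete"}    # assumed scope names that exceed read-only

# Constructed inventory of vendor credentials and OAuth grants (field names are assumptions).
INVENTORY = [
    {"id": "vendor-pilot-2022", "issued": "2022-03-14", "last_rotated": None,
     "scopes": ["read", "write"], "status": "active", "owner": None},
    {"id": "vendor-prod", "issued": "2026-05-01", "last_rotated": "2026-05-01",
     "scopes": ["read"], "status": "active", "owner": "integrations@example.invalid"},
    {"id": "old-revoked", "issued": "2021-01-01", "last_rotated": None,
     "scopes": ["admin"], "status": "revoked", "owner": "it@example.invalid"},
]


def audit(inventory, today_iso, max_age_days=MAX_AGE_DAYS):
    """Return {credential_id: [finding, ...]} for every active credential that
    violates the policy. Revoked credentials are skipped; 'today_iso' is YYYY-MM-DD."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for cred in inventory:
        if cred["status"] != "active":
            continue
        reasons = []
        # Age is measured from the last rotation, or from issuance if never rotated.
        last = cred["last_rotated"] or cred["issued"]
        age_days = (today - date.fromisoformat(last)).days
        if age_days > max_age_days:
            reasons.append(f"stale: {age_days} days since issue/rotation")
        if cred["last_rotated"] is None:
            reasons.append("never rotated")
        over = sorted(set(cred["scopes"]) & WRITE_SCOPES)
        if over:
            reasons.append(f"write-capable scopes: {over}")
        if cred["owner"] is None:
            reasons.append("no owner recorded (nobody accountable to revoke it)")
        if reasons:
            findings[cred["id"]] = reasons
    return findings


def revocation_list(findings):
    """Credential ids that should be revoked or re-issued, in stable order."""
    return sorted(findings)


if __name__ == "__main__":
    for cred_id, reasons in audit(INVENTORY, "2026-06-28").items():
        print(cred_id)
        for reason in reasons:
            print("  -", reason)
```

Run against a real inventory export, every entry on the revocation list is a candidate for immediate revocation, and the access logs for those identities are the ones to review first.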


Logicity's Take

This breach exposes a blind spot in enterprise security programs: third-party credential hygiene. A pilot credential from 2022 shouldn't exist in 2026. Organizations evaluating competitive intelligence platforms like Klue, Crayon, or Kompyte should demand clear policies on credential rotation, OAuth scope limitations, and audit logging. The pricing is similar across these tools, typically $15,000-50,000 annually for enterprise tiers, but security practices vary widely. Ask vendors how long pilot credentials live and who can revoke them.

Why the second extortion group complicates everything

Double extortion is common in ransomware. Criminals encrypt data and also threaten to leak it, so a victim who pays only to decrypt still faces a demand for silence. What's happening to Klue is different. A second group apparently stole from the first group, creating a chain-of-custody nightmare.

Even if Klue negotiated successfully with Icarus, and even if Icarus genuinely deleted everything, the data is now in other hands. The second group has no agreement with Klue and no incentive to honor one. They're running their own extortion campaign, contacting Klue customers directly.

Klue's advice to not pay the second group is sound. There's no guarantee payment would result in deletion, and paying one criminal just signals that you'll pay others. But "don't pay" isn't a complete strategy when your competitors might have access to your most sensitive market intelligence.

Frequently Asked Questions

What data did hackers steal in the Klue breach?

Klue has not disclosed the specific types of data stolen. However, as a competitive intelligence platform, Klue stores market research, competitor analysis, and business intelligence data uploaded by its customers. The attackers also stole OAuth tokens that could grant access to customer cloud systems.

How many companies were affected by the Klue data breach?

The second hacker group claims 195 Klue customers were affected. At least 11 companies have publicly confirmed they were victims, including LastPass, HackerOne, Recorded Future, Gong, and Tanium.

Who is the Icarus hacking group?

Icarus is the threat actor that initially breached Klue and attempted to extort the company. According to claims from a second hacker group, an Icarus operator may be a teenager based in the UK or nearby countries. TechCrunch could not independently verify this.

Should companies pay ransom to the second hacker group?

Klue advises customers not to pay. The original threat actor told Klue the second group only has partial data samples, not complete datasets. If contacted, Klue recommends asking for proof of possession before taking any action.


Source: TechCrunch / Lorenzo Franceschi-Bicchierai


Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
