Klue hack exposes data from 9+ cybersecurity firms

Manaal Khan | June 25, 2026 at 9:31 AM | 5 min read
Key Takeaways

Source: TechCrunch
  • Hackers accessed Klue's systems on June 12 via a compromised legacy credential, stealing data from multiple enterprise customers
  • At least nine cybersecurity and tech firms confirmed data theft, including HackerOne, Recorded Future, Snyk, and Tanium
  • Ransomware group Icarus claims responsibility and threatens to publish stolen data Monday unless Klue pays

Vancouver-based market intelligence provider Klue suffered a cyberattack that exposed customer data from at least nine companies, including several prominent names in cybersecurity. The breach, which occurred on June 12, has turned into an extortion case: a cybercrime group called Icarus now threatens to publish the stolen data Monday if Klue refuses to pay.

The confirmed victims include Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium. For an industry built on protecting others, seeing security vendors appear on a breach notification list carries a particular sting.

How did hackers get into Klue?

Klue disclosed Friday that attackers used a "compromised legacy credential" tied to an integration tool. This tool lets customers connect their cloud data, including Salesforce databases, to Klue's platform for competitive intelligence analysis. Once inside, the hackers pulled data directly from customer clouds.

The company has not explained how attackers obtained the credential or why the intrusion went undetected for nearly a week. Similar incidents at Snowflake and TanStack have been traced to employees installing password-stealing malware on work devices. Whether that applies here remains unclear.

Klue has since hired CrowdStrike for incident response and disconnected its integrations to stop further access. CEO Jason Smith did not respond to TechCrunch's questions about whether the company received a direct ransom demand.

What data was stolen?

According to affected companies' statements, the breach exposed business contact information: names, email addresses, phone numbers, job titles, and some account details. Because Klue integrates with Salesforce, where companies often store customer records, the blast radius could be significant.

Klue has not disclosed how many of its "hundreds" of customers were affected. The company published a blog post about the incident but added "noindex" code, telling search engines not to list the page. That tactic limits public visibility while allowing Klue to claim transparency.

The supply chain attack pattern

This breach fits a growing playbook. Hackers increasingly target middleware providers, betting that one compromised vendor unlocks data from dozens or hundreds of organizations. Over the past year, similar attacks hit Gainsight and Salesloft.

The logic is simple. Instead of breaching ten companies separately, breach one integration platform connected to all ten. Each customer trusts the vendor with cloud credentials. When those credentials leak, every customer's data becomes accessible.

Huntress, another security firm affected by the Klue breach, published its own incident report. The company noted that hackers sent ransom communications using an Australian company's email address, suggesting those servers were compromised or hijacked for the campaign.

Staff cuts and security questions

Last June, Klue announced it would lay off roughly half its staff, around 100 people, to redirect resources toward AI investments. Whether those cuts affected security staffing is unknown. Klue's executive leadership page does not list anyone with an explicit cybersecurity title.

That gap raises questions. A company handling cloud integrations for major enterprises, including security vendors, typically benefits from a dedicated CISO. The absence of one, at least publicly, does not prove negligence. But it invites scrutiny after a breach of this scale.

What happens Monday?

Icarus set a Monday deadline for publishing stolen data. If Klue refuses to pay, the group will likely dump files on its leak site. Affected companies would then face secondary risks: phishing campaigns using leaked contact data, competitive intelligence exposure, and potential regulatory scrutiny.

For the cybersecurity firms on the victim list, the situation is awkward. Recorded Future, Snyk, and HackerOne sell products meant to prevent exactly this kind of breach. Now they must explain to their own customers why a third-party vendor became a single point of failure.

Logicity's Take

The real lesson here is not that Klue failed. It is that the entire model of cloud integrations creates brittle trust chains. Every company that connects a Salesforce instance to a vendor effectively grants that vendor standing access. Most never revoke legacy credentials. Most never audit which integrations still exist. Until enterprise software treats integration hygiene as a continuous process, not a one-time setup, these supply chain breaches will keep multiplying.

Frequently Asked Questions

Which companies were affected by the Klue data breach?

Confirmed victims include Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, and Huntress. Klue has not disclosed the full number of affected customers.

What data was stolen in the Klue hack?

Affected companies report that business contact information was exposed, including names, email addresses, phone numbers, job titles, and some account details pulled from connected cloud systems like Salesforce.

Who is behind the Klue cyberattack?

A cybercrime group called Icarus claimed responsibility. The group threatened to publish stolen data on Monday unless Klue pays a ransom.

How did hackers breach Klue's systems?

Klue said attackers used a compromised legacy credential linked to an integration tool that connects customer cloud data to the Klue platform. The company has not explained how the credential was obtained.

What is Klue doing in response to the breach?

Klue hired CrowdStrike for incident response and disconnected all integrations to prevent further unauthorized access to customer data.

Source: TechCrunch / Zack Whittaker

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
