Klue reports hackers deleting stolen data, second group makes threats
9 reported4 unconfirmed
Market research provider Klue, hacked earlier this month, told customers it is communicating with the cybercriminal group Icarus and believes the group is deleting stolen data. Klue stated in a private update Wednesday night that Icarus said it is taking steps to delete the data taken from Klue customers, and the Icarus website remains down. However, Klue also reported that a second, unnamed hacking gang is now trying to extort its customers directly, posting a list of allegedly affected companies and claiming to have stolen the data from Icarus. This second group alleged that Klue paid an Icarus operator described as a teenager living in the UK or adjacent countries, though TechCrunch obtained no independent verification of that claim. The second group threatened to leak data unless paid, claiming 195 affected Klue customers in total. Klue advised customers not to pay the second group and suggested asking for a random data sample as proof of possession. The breach occurred on June 12, with hackers using a 2022 third-party credential from a limited pilot to steal customer authentication keys and access their clouds and databases.
What’s reported
Klue was hacked on June 12, 2026, with an unspecified amount of customer data stolen.
Klue privately told customers it is communicating with the hacker group Icarus, which said it is deleting stolen data.
The Icarus website was down as of Thursday morning, June 25, 2026.
A second, unnamed hacking gang posted a list of allegedly affected companies and claimed to have stolen Klue customer data from Icarus.
The second gang alleged Klue paid an Icarus operator described as a teenager in the UK or adjacent countries; TechCrunch found no independent verification.
The second gang threatened to leak data unless paid, claiming 195 affected Klue customers total.
Klue advised customers not to pay the second group and to ask for a random data sample as proof.
Hackers used a 2022 third-party credential from a limited pilot to steal OAuth tokens and access customer clouds and databases.
Confirmed affected customers include Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, and Tanium.
Open questions
Whether Klue actually paid Icarus, as alleged by the second hacking gang.
Why the Icarus website is down.
How many customers were affected in total and the full scope of stolen data.
Who the 2022 third-party credential was assigned to and why it was not revoked.
Key figures
Klue (company)
Icarus (hacker group)
Unnamed second hacking gang
Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, Tanium (affected customers)
Sources: TechCrunch
