9 reported, 6 unconfirmed
Market research company Klue confirmed that a credential provided in 2022 as part of a limited pilot was used by hackers earlier this month to steal data from corporate customers, including password manager maker LastPass and several other cybersecurity companies. The Vancouver-based company detected the hack on June 12 and first disclosed it last Friday. Hackers used access to Klue’s systems, which store OAuth tokens, to download customer data and extort the companies. Klue spokesperson Katie Berg told TechCrunch the credential “was originally provided to a third-party in 2022, for a limited pilot.” Klue would not explain the pilot’s purpose or duration, identify the third party, or say why the credential was not revoked after the pilot ended. A hacking group called Icarus took credit for the breach on its data leak site and has threatened to release stolen data if a ransom is not paid. Klue has not said whether it has had contact with the hackers or plans to pay their demands.
What’s reported
Klue detected the hack on June 12 and disclosed it last Friday.
The credential used by hackers was originally provided to a third party in 2022 for a limited pilot.
Stolen data included information from customers such as LastPass and several cybersecurity companies.
Hackers used OAuth tokens stored in Klue’s systems to access and download customer data.
Klue spokesperson Katie Berg confirmed the credential’s origin to TechCrunch.
Klue would not explain the pilot’s purpose or duration, or identify the third party.
Klue would not say why the credential was not revoked after the pilot.
A hacking group called Icarus took credit and threatened to release data if ransom is not paid.
Klue has not said if it has contacted the hackers or plans to pay.
Open questions
What kind of credential was stolen (e.g., employee username/password or other).
Whether the credential was stolen from the third party or from Klue’s own systems.
The purpose and duration of the 2022 pilot.
The identity of the third party that received the credential.
Why the credential was not revoked after the pilot ended.
Whether Klue has had contact with the hackers or plans to pay ransom.
Key figures
Katie Berg, Klue spokesperson
Icarus, hacking group (took credit for breach)
Sources: TechCrunch