A single, forgotten digital key from 2022 just compromised the security of some of the world's most sensitive companies. Klue, the Vancouver-based market intelligence firm, confirmed this week that hackers used a legacy credential from a long-concluded pilot program to infiltrate its systems earlier this month.

The breach is a masterclass in the dangers of digital sprawl. Hackers didn't need to break down the front door; they simply walked through a side entrance that had been left unlocked for two years. The fallout is significant. Among the victims are high-profile cybersecurity firms and password manager provider LastPass, all of which had their data exposed when the attackers accessed OAuth tokens stored within Klue’s environment.

The Cost of 'Legacy' Access

Klue’s admission raises an uncomfortable question: Why was a credential from a 2022 pilot still active in 2024? The company has remained tight-lipped on the specifics. Spokesperson Katie Berg confirmed the credential was provided to a third party for a "limited pilot" but declined to identify that partner or explain why the access wasn't revoked when the project ended.

This isn't just a technical oversight. It is a failure of lifecycle management. When companies run pilot programs, they often grant elevated access to third-party vendors. If those permissions aren't audited and purged, they become "zombie" credentials. They sit dormant, waiting for a bad actor to find them. In this case, the Icarus hacking group found the key and used it to harvest OAuth tokens, which act as master keys to cloud databases and external services.

Why Cybersecurity Firms Were Targeted

For the attackers, Klue was a high-value target. By compromising a platform that aggregates competitive intelligence, the hackers gained access to the internal data of Klue’s clients. For a company like LastPass, which is already a frequent target for threat actors, the exposure of data through a third-party vendor is a nightmare scenario.

It highlights the fragility of the modern software supply chain. Even if a company like LastPass maintains rigorous internal security, its data is only as safe as the vendors it trusts. The Icarus group is now leveraging this access to extort the affected companies, threatening to leak the stolen data unless a ransom is paid. Klue has not disclosed whether it has engaged with the attackers or if it intends to pay.

What This Means for Users

If you are a customer of a firm that uses Klue, the immediate concern is the exposure of your data stored in third-party clouds. The breach underscores the necessity of "least privilege" access. If a vendor doesn't need access to your cloud databases, don't give it to them. If they do, rotate those tokens regularly.

Klue claims it is now conducting a "comprehensive review" of its credential management and vendor-access controls. That is the bare minimum. The real test will be whether they can prove to their clients that these "legacy" vulnerabilities have been completely eradicated from their infrastructure.
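The lifecycle failure described above (a pilot credential outliving its program, never rotated, never used, and scoped more broadly than the pilot needed) is exactly what a periodic inventory audit is meant to catch. The following is an added illustration, not code from Klue or from any of the firms named in this article. It runs a generic third-party credential audit over a constructed inventory: the credential IDs, vendor names, dates and scopes are all hypothetical, and the thresholds (90-day rotation, 30-day dormancy) are assumed policy values, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, FrozenSet

# Hypothetical inventory record for a credential issued to a vendor or pilot.
@dataclass
class Credential:
    cred_id: str
    owner: str                   # vendor or programme the credential was issued to
    issued: date
    last_rotated: date
    last_used: Optional[date]    # None if the credential never appears in access logs
    program_end: Optional[date]  # None for ongoing integrations
    scopes: FrozenSet[str]       # what the credential can actually do
    needed_scopes: FrozenSet[str]  # what the programme was documented to need
    active: bool = True


def audit_credentials(creds: List[Credential], today: date,
                      max_rotation_days: int = 90,
                      dormancy_days: int = 30) -> Dict[str, List[str]]:
    """Return {cred_id: [reasons]} for every active credential that should be
    revoked, rotated, or re-scoped. Revoked credentials are skipped."""
    findings: Dict[str, List[str]] = {}
    for c in creds:
        if not c.active:
            continue
        reasons = []
        # Zombie check: the programme ended but the key was never revoked.
        if c.program_end is not None and c.program_end < today:
            reasons.append(f"programme ended {c.program_end.isoformat()} "
                           f"but credential is still active")
        # Rotation check: secret age beyond policy.
        age = (today - c.last_rotated).days
        if age > max_rotation_days:
            reasons.append(f"not rotated for {age} days (limit {max_rotation_days})")
        # Dormancy check: nobody legitimate is using it, so nobody would notice misuse.
        if c.last_used is None:
            reasons.append("never used")
        elif (today - c.last_used).days > dormancy_days:
            reasons.append(f"dormant since {c.last_used.isoformat()}")
        # Least-privilege check: scopes beyond the documented need.
        extra = c.scopes - c.needed_scopes
        if extra:
            reasons.append(f"scopes beyond documented need: {sorted(extra)}")
        if reasons:
            findings[c.cred_id] = reasons
    return findings


# Constructed sample inventory (all values hypothetical).
TODAY = date(2024, 3, 15)
SAMPLE_INVENTORY = [
    Credential("pilot-2022-vendor", "example-pilot-vendor",
               issued=date(2022, 3, 1), last_rotated=date(2022, 3, 1),
               last_used=date(2022, 9, 15), program_end=date(2022, 10, 1),
               scopes=frozenset({"db.read", "oauth.tokens.read"}),
               needed_scopes=frozenset({"db.read"})),
    Credential("crm-sync", "example-crm-integration",
               issued=date(2024, 1, 1), last_rotated=date(2024, 3, 1),
               last_used=date(2024, 3, 10), program_end=None,
               scopes=frozenset({"crm.read"}), needed_scopes=frozenset({"crm.read"})),
    Credential("old-revoked", "example-former-vendor",
               issued=date(2021, 1, 1), last_rotated=date(2021, 1, 1),
               last_used=None, program_end=date(2021, 6, 1),
               scopes=frozenset({"db.read"}), needed_scopes=frozenset({"db.read"}),
               active=False),
]

if __name__ == "__main__":
    for cred_id, reasons in audit_credentials(SAMPLE_INVENTORY, TODAY).items():
        print(cred_id)
        for r in reasons:
            print("  -", r)
```

Run against the sample inventory, only the 2022 pilot credential is flagged, and it trips all four checks at once; the ongoing integration passes, and the already-revoked key is ignored. In practice the inventory would be built from the identity provider's or cloud console's credential listing joined with access logs, and the audit would run on a schedule with findings routed to whoever owns revocation.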

Key Takeaways

  • The Root Cause: A credential from a 2022 pilot program was left active, providing a direct path for attackers to enter Klue’s systems.
  • The Impact: Hackers stole OAuth tokens, allowing them to access and download sensitive customer data from cloud services and databases.
  • The Extortion: The Icarus hacking group is currently holding the stolen data for ransom, targeting high-profile cybersecurity firms.

Klue’s internal investigation is ongoing. The company has not provided a timeline for when it will finish its security audit or when it will notify all affected parties of the full scope of the data loss. For the impacted firms, the next 30 days will be spent performing forensic analysis to determine exactly what was taken and whether those stolen tokens have been successfully invalidated across their entire cloud footprint.