Klue Breach: Stolen Data at Risk from Rival Extortion Gangs

Market intelligence firm Klue is managing a complex security crisis after a breach allowed hackers to steal customer data. A second criminal group has now emerged, claiming to have intercepted the stolen files and is attempting to extort Klue's customers directly.

The situation at Klue has spiraled. What began as a targeted breach by a group calling itself Icarus has morphed into a chaotic multi-party extortion standoff.

Klue, a market intelligence firm, confirmed that hackers infiltrated its systems on June 12. The attackers used a stale 2022 third-party credential to harvest OAuth tokens, granting them access to customer cloud environments and databases. Now, the company is playing a high-stakes game of digital diplomacy to prevent a massive data leak.

The Icarus Negotiation

Klue is currently in direct communication with the Icarus group. According to private updates shared with customers, the firm believes Icarus is actively deleting the stolen data. The group’s primary website has gone offline, a move Klue interprets as a sign of good faith.

But the resolution is not that simple. Icarus has warned Klue that a second, unnamed gang of hackers has entered the fray. This new group claims to have intercepted the stolen data directly from Icarus servers. They are now attempting to extort Klue’s customers individually.

A Messy Extortion Chain

This second group is aggressive. They have published a list of allegedly affected companies on their own site, claiming to hold data on 195 different organizations. Their demand is blunt: pay the ransom or face a public leak.

Icarus, perhaps fearing the loss of their own leverage, has urged Klue to tell customers not to pay this second group. They claim the rivals only possess a small, fragmented sample of the total data. Klue is now advising its affected clients to demand a verifiable data sample from the new extortionists before considering any response.

The Security Failure

Questions remain about how this happened. Klue admits the breach originated from a 2022 third-party credential used in a limited pilot program. The company has yet to explain why that access remained active for years.

For the affected companies—a list that includes major names like Gong, Jamf, and Snyk—the uncertainty is the worst part. They are caught between two criminal factions, each claiming ownership of their sensitive information.

Key Takeaways

Credential Hygiene: The breach was enabled by a 2022 third-party credential that was never revoked, highlighting a critical failure in access management.
Extortion Escalation: A second, opportunistic hacking group is now attempting to extort Klue’s customers using data they claim to have intercepted from the original attackers.
Verification is Vital: Klue is advising customers to demand proof of data possession before engaging with any extortion demands from the secondary group.

What happens next depends on the veracity of the claims made by both groups. If the second gang truly possesses the full dataset, the situation for Klue’s customers will deteriorate rapidly. If they are bluffing, the pressure to pay may dissipate. For now, the affected companies are left waiting for a resolution that is entirely out of their control.

Klue Breach Escalates as Rival Hackers Intercept Stolen Data

The Icarus Negotiation

A Messy Extortion Chain

The Security Failure

Key Takeaways

Related Articles

Trump Administration Clears Anthropic’s Mythos 5 for Critical Infrastructure

Russian Hackers Linked to $2.5 Billion Jaguar Land Rover Breach

The White House Is Forcing OpenAI to Slow-Walk Its Next AI Model

Comments