AI & TechBusinessCybersecurityNewswireTechnology

Hackers threaten Klue after criminals delete stolen customer data

▼ Summary

– Klue confirmed it was hacked on June 12, with customer data stolen by the group Icarus, and is communicating with them about deleting the stolen data.
– Several Klue customers, including Gong, Jamf, and LastPass, have confirmed they were affected by the breach.
– A second hacking gang claims to have obtained Klue customer data from Icarus and is attempting to extort the affected companies directly.
– Icarus told Klue that the second gang only has samples of data for a subset of customers, and Klue advised customers not to pay the second group.
– The hackers initially accessed Klue’s systems using a 2022 third-party credential from a limited pilot, then stole OAuth tokens to access customer clouds and databases.

Market research firm Klue, hit by a cyberattack earlier this month that let criminals swipe extensive customer data, now says it is in active dialogue with the hackers and believes the stolen information is being erased. The company shared this update privately with clients on Thursday night, a copy of which TechCrunch reviewed.

“We continue to communicate with the threat actor we have been in contact with (‘Icarus’),” Klue stated in the customer notice. “Icarus told us they are taking steps to delete the data taken from Klue customers. The Icarus site remains down and we have indications that Icarus is indeed taking steps to delete data taken from Klue customers.”

The breach, which Klue confirmed on Monday, occurred on June 12. The company acknowledged that an unspecified volume of data from an undisclosed number of clients was compromised. Since then, a growing list of affected customers has emerged, including Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, and Tanium.

Initially, the hacking group Icarus threatened to publicly release the stolen data as leverage in an extortion attempt against Klue. However, as of Thursday morning, the Icarus website appears offline, a development Klue also noted in its private update to customers.

Despite these signs of a potential resolution, the situation has grown more complicated. Klue reports that Icarus has alerted them to a second hacker group now attempting to extort customers directly. This unnamed group posted a list of allegedly impacted companies on its own site, which TechCrunch reviewed, claiming to have obtained Klue’s customer data from Icarus. The group further alleged that Klue paid an “Icarus operator who is a teenager living somewhere in the UK or adjacent countries.” TechCrunch has not independently verified any payment by Klue to Icarus, nor could it confirm why the Icarus site went down. A Klue spokesperson did not respond to a request for comment.

According to this second group, the teenager made a mistake that allowed them to connect to the server holding the stolen data. “Pay the ransom or we will leak everything if you no pay us,” the cybercriminals wrote on their site, claiming that 195 Klue customers are affected in total.

In its Thursday update, Klue advised customers: “Icarus told us that the other party has only samples of data for a subset of customers, not all of the data. Icarus has asked us to inform Klue customers to not make payment to this other party.” The company also suggested that customers contacted by this second group request a random sample of data as proof the hackers actually possess the claimed information.

Earlier, Klue revealed that the hackers gained entry using a third-party credential from 2022 tied to a limited pilot program. From there, they stole customers’ OAuth tokens to access their clouds and databases. Klue has not disclosed further details about the credential, such as who it belonged to or why it remained active for four years.

(Source: TechCrunch)

Topics

klue data breach 95% icarus hacker group 92% hacker communication 88% second hacker gang 87% customer extortion 86% data deletion claims 85% affected companies list 84% stolen credentials 83% oauth token theft 82% ransom payment allegation 80%