Klue hack triggers data breaches at multiple cybersecurity firms

Summary
– A hacking group named Icarus claimed responsibility for a breach at market intelligence provider Klue, stealing data from its corporate customers, including major cybersecurity firms.
– Klue stated that hackers gained access on June 12 using a compromised legacy credential from an integration tool, stealing data from customer clouds like Salesforce.
– Affected companies include Gong, Jamf, HackerOne, and others, with stolen data consisting of business contact information such as names, email addresses, and phone numbers.
– The breach is part of a trend where hackers target middleware providers like Klue to access data from multiple organizations through a single point of failure.
– Klue has hired incident response firm CrowdStrike and disconnected integrations, but it is unclear how the credentials were obtained or why the theft was not detected sooner.
A cybercriminal group is claiming responsibility for a breach at market intelligence platform Klue, an incident that has led to data theft from several of its high-profile corporate clients, many of which are major players in the cybersecurity industry.
On Friday, Vancouver-based Klue, a company that enables businesses to connect their internal data for market research, disclosed that hackers had exfiltrated data from an unspecified number of its customers during an attack that occurred roughly a week earlier. Notably, the company’s blog post about the incident includes a “noindex” tag, preventing the page from appearing in search results.
The cybercrime group Icarus has taken credit, posting on its leak site that it will release the stolen information on Monday unless Klue pays a ransom. The company has not revealed how many of its hundreds of clients are impacted, but several have already confirmed they were affected. Those include Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium.
This attack is part of a growing trend where hackers target middleware providers, companies that manage access to other firms’ cloud databases. By compromising a single entity like Klue, attackers hope to steal data from numerous organizations at once. Similar breaches over the past year have hit platforms such as Gainsight and Salesloft, yielding access to hundreds of companies’ sensitive information.
According to Klue, the attackers gained entry to its systems on June 12 using a compromised legacy credential (such as a password or token) tied to an integration tool that lets customers link their cloud data, like Salesforce databases, to Klue. These databases often contain personal information like names, email addresses, phone numbers, job titles, and some account details, making them a lucrative target.
It remains unclear how the hackers obtained the credential or why Klue failed to detect the intrusion sooner. Similar recent mass-hacks, including those at Snowflake and TanStack, have been linked to employees inadvertently installing password-stealing malware on work devices.
Klue has engaged incident response firm CrowdStrike and has disconnected its integrations to prevent further unauthorized access. However, CEO Jason Smith did not respond to requests for comment on Monday, including whether the company has received any ransom demand.
Security firm Huntress, itself a victim of the breach, reported in its analysis that the hackers contacted it with a ransom note sent from an email address belonging to an Australian company, whose servers were likely hijacked for the campaign.
Last June, Klue announced plans to lay off roughly half its workforce, about 100 people, to focus on AI investments. It is not known if those staff reductions contributed to security gaps. The company’s executive leadership page currently does not list a person responsible for cybersecurity.
(Source: TechCrunch)
