Klue says hackers stole a credential from 2022 that led to customer data breaches
At a glance:
- Hackers used a 2022 OAuth token from a limited pilot to exfiltrate data from Klue’s corporate customers, including LastPass.
- The breach was detected on June 12, disclosed on June 14, and is linked to the hacking group Icarus, which is demanding ransom.
- Klue says it is reviewing credential management, vendor‑access controls and monitoring after the incident.
What happened
Klue, a market‑research platform based in Vancouver, discovered unauthorized activity on June 12. The company disclosed the incident publicly on Friday, June 14, after confirming that threat actors had accessed a legacy credential dating back to 2022. That credential, described as an OAuth token used for a “limited pilot” with an unnamed third party, allowed the attackers to pull data from several of Klue’s customers’ cloud and database environments.
The stolen data included information from high‑profile cybersecurity firms, most notably password‑manager maker LastPass. According to Klue spokesperson Katie Berg, the credential was originally provided to a third party in 2022 for a short‑term integration test. The company has not revealed the pilot’s purpose, its duration, or the identity of the third party, nor why the token was not revoked after the pilot concluded.
How the breach unfolded
Klue’s platform stores OAuth tokens that grant access to customers’ external services. By compromising a single, outdated token, the attackers gained a foothold that let them traverse into Klue’s customers’ environments. They used this access to download “reams of data” and subsequently threatened extortion, demanding payment to prevent public release. The hacking collective Icarus claimed responsibility on its data‑leak site and warned it would publish the stolen files if its ransom was not met.
The exact nature of the credential remains unclear. Klue’s blog post only labels it a “legacy credential associated with an integration service,” without confirming whether it was an employee username/password pair or a service‑to‑service token. This ambiguity makes it difficult to assess whether the breach originated from the third party’s systems or from Klue’s own infrastructure.
Implications for affected customers
Customers that relied on Klue for market‑research data now face potential exposure of proprietary information, internal communications, and possibly credentials stored in linked cloud services. LastPass, as a password‑manager vendor, may have had its own client data at risk, raising concerns about downstream compromise of end‑user accounts. The incident underscores the danger of lingering, unused credentials—especially those that grant wide‑scope access via OAuth.
Security analysts note that the breach could serve as a case study for the importance of credential rotation, least‑privilege token scopes, and automated de‑provisioning after pilot programs end. Companies that integrate with third‑party services should audit their token inventories regularly and enforce strict expiration policies.
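The token‑inventory audit recommended above, as an added example rather than Klue’s own tooling: it flags tokens with no expiry, tokens whose pilot end date has passed, tokens idle beyond a threshold, and tokens carrying broad scopes. The record fields, scope names, audit date and sample entries are assumptions constructed for illustration.

```python
"""Audit an OAuth token inventory for tokens that should have been revoked.

Hypothetical helper (not Klue's code). The inventory format, scope names
and sample records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Scopes treated as "wide" for least-privilege review (assumed names).
BROAD_SCOPES = {"read:all", "write:all", "admin"}

@dataclass
class TokenRecord:
    token_id: str                 # opaque identifier, never the secret itself
    owner: str                    # integration partner or internal service
    purpose: str
    issued: date
    expires: Optional[date]       # None means no expiry was ever set
    last_used: Optional[date]     # None means never observed in use
    scopes: set = field(default_factory=set)
    pilot_end: Optional[date] = None  # planned end of a pilot, if any

def audit_tokens(inventory, today, idle_days=90):
    """Return {token_id: [reasons]} for every token that needs action."""
    findings = {}
    for t in inventory:
        reasons = []
        if t.expires is None:
            reasons.append("no expiry set")
        if t.pilot_end is not None and t.pilot_end < today:
            reasons.append(f"pilot ended {t.pilot_end.isoformat()} but token still active")
        last_activity = t.last_used or t.issued     # fall back to issue date if never used
        idle = (today - last_activity).days
        if idle > idle_days:
            reasons.append(f"idle for {idle} days")
        broad = sorted(t.scopes & BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if reasons:
            findings[t.token_id] = reasons
    return findings

# Constructed sample inventory and audit date (not real Klue data).
AUDIT_DATE = date(2024, 6, 12)
SAMPLE_INVENTORY = [
    TokenRecord("tok-pilot-2022", "partner-x", "integration pilot", issued=date(2022, 3, 1),
                expires=None, last_used=date(2022, 4, 15), scopes={"read:all"},
                pilot_end=date(2022, 4, 30)),
    TokenRecord("tok-crm-sync", "crm-connector", "nightly CRM sync", issued=date(2024, 5, 1),
                expires=date(2024, 8, 1), last_used=date(2024, 6, 11), scopes={"read:accounts"}),
]

if __name__ == "__main__":
    for tid, why in audit_tokens(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(tid, "->", "; ".join(why))
```

Run against a real inventory, the output is the revocation worklist; the stale pilot token is flagged on all four checks while the scoped, expiring, recently used token is not.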
Klue’s response and next steps
In a statement to TechCrunch, Klue said it is conducting a “comprehensive review of credential management, vendor‑access controls, monitoring capabilities, and deployment security processes.” The company has not disclosed whether it has engaged with the attackers or if it intends to meet the ransom demands. It also declined to comment on the specific technical details of the stolen credential or the timeline of the pilot.
Klue has not responded to follow‑up inquiries from journalists and has not indicated any remediation offered to affected customers beyond the internal review. The ongoing investigation suggests that further findings may be released in the coming weeks, potentially shedding light on how the token remained active for years.
What to watch next
Stakeholders should monitor Klue’s forthcoming security bulletin for any updates on the scope of the data exfiltrated and recommended remediation steps. Customers of Klue are advised to rotate any credentials that may have been shared with the platform and to audit access logs for anomalous activity. The broader security community will likely use this incident to push for stricter standards around OAuth token lifecycle management and third‑party integration hygiene.
FAQ
When did Klue detect the breach and when was it publicly disclosed?
Which customers were reported to be affected by the Klue breach?
What actions is Klue taking in response to the incident?