Hacked Klue says criminals are deleting stolen customer data, but now other hackers are making threats


Market research provider Klue, which was hacked earlier this month in a breach that allowed cybercriminals to steal reams of data belonging to several of its customers, said that it is communicating with the hackers. The company also said it believes the group is deleting the stolen data, TechCrunch has learned. 

“We continue to communicate with the threat actor we have been in contact with (‘Icarus’),” the company wrote in an update shared privately on Thursday night with its customers, which TechCrunch has seen. “Icarus told us they are taking steps to delete the data taken from Klue customers. The Icarus site remains down and we have indications that Icarus is indeed taking steps to delete data taken from Klue customers.”

On Monday, Klue confirmed that hackers broke into its systems on June 12 and stole an unspecified amount of data from an unspecified number of its customers. Since then, several Klue customers have confirmed they were affected by the breach, including Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, and Tanium.

At the time, the hacking group Icarus was threatening to release the stolen customers’ data in an attempt to extort Klue.

As of Thursday morning, when TechCrunch checked, the Icarus website appeared to be down, which is also what Klue privately told its customers.

Contact Us

Do you have more information about the Klue breach? Or about the cybercrime group Icarus? We’d love to hear from you. From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

While all this seems to point to a resolution, the hack got messier in the last couple of days. According to Klue, Icarus told the company that there is a second gang of hackers that is trying to extort its customers directly. 

This unnamed gang posted a list of allegedly affected companies on its own website, which TechCrunch has seen, where they claimed to have stolen Klue’s customer data directly from Icarus. The hackers also alleged that Klue paid an “Icarus operator who is a teenager living somewhere in the UK or adjacent countries.” TechCrunch has obtained no independent verification that Klue paid Icarus, nor could we determine why the Icarus website is down. A Klue spokesperson did not immediately respond to a request for comment. 

According to the hackers, this person made a mistake that allowed them to connect to the server where the operator was keeping the stolen Klue customer data.

“Pay the ransom or we will leak everything if you no pay us,” the cybercriminals wrote in a message on the site, where they claimed there are 195 affected Klue customers in total. 

In its Thursday update to customers, Klue said: “Icarus told us that the other party has only samples of data for a subset of customers, not all of the data. Icarus has asked us to inform Klue customers to not make payment to this other party.” 

Klue suggested that customers who are in touch with this second group of hackers ask for a random sample of data, as proof that the hackers really possess the data they claim to have.

The company previously said that the hackers stole customers’ data by using a 2022 third-party credential that was part of a limited pilot. The hackers then used their access to Klue’s systems to steal customers’ authentication keys — known as OAuth tokens — and log into their clouds and databases. Klue has not provided more details about this stolen credential, such as who it was assigned to, or why it was not revoked in the last four years.
