Hacked Klue says criminals are deleting stolen customer data, but now other hackers are making threats


Market research provider Klue, which was hacked earlier this month in a breach that allowed cybercriminals to steal large amounts of private data from many of its customers, said it was communicating with the hackers. The company also said it believes the group is deleting stolen data, TechCrunch has learned.

“We are continuing to communicate with the threat actor we were in contact with (‘Icarus’),” the company wrote in an update privately shared Wednesday evening with its customers, which TechCrunch viewed and verified from multiple sources. “Icarus has told us they are taking steps to delete data taken from Klue customers. The Icarus website remains down and we have indications that Icarus is already taking steps to delete data taken from Klue customers.”

Klue confirmed on Monday that hackers broke into its systems on June 12 and stole an unspecified amount of data from an unspecified number of its customers. Since then, several Klue customers have confirmed that they were affected by the hack, including Gong, Jamf, HackerOne, Huntress, Insurance, LastPass, OneTrust, Recorded Future, ReliaQuest, Infiltration, Sprout Social and Tanium.

At the time, the hacking group Icarus was threatening to release the stolen customer data in an attempt to blackmail Klue.

As of Thursday morning, when TechCrunch checked, the Icarus website appeared to be down, which is also what Klue has privately told its customers.

While all of this seems to point to a resolution, the breach has become much messier in the past couple of days. According to Klue, Icarus told the company that a second gang of hackers was trying to blackmail its customers directly.

This unnamed gang posted a list of allegedly affected companies on its website, seen by TechCrunch, where it claimed to have stolen Klue customer data directly from Icarus. The hackers also claimed that Klue paid “an Icarus worker who is a teenager living somewhere in the UK or neighboring countries.” TechCrunch did not obtain any independent verification that Klue paid Icarus, nor were we able to determine why the Icarus website was down. A Klue spokesperson did not immediately respond to a request for comment.

According to the hackers, this person made a mistake that allowed them to connect to the server where the operator was holding stolen Klue customer data.

“Pay the ransom or we will leak everything if you don’t pay us,” the cybercriminals wrote in a message on the site, where they claimed there were 195 Klue customers affected in total.

In its update to customers on Thursday, Klue said: “Icarus told us that the third party only had samples of data for a subset of customers, not all of the data. Icarus has asked us to inform Klue customers not to pay this third party.”

Klue suggested that its customers who come into contact with this second group of hackers ask for a random sample of data, as proof that the hackers actually have the data they claim to have.

The company previously said hackers stole customer data using third-party credentials from 2022 that were part of a limited pilot program. The hackers then used their access to Klue’s systems to steal customers’ authentication keys, known as OAuth tokens, and log into their cloud systems and databases. Klue did not provide further details about the stolen credentials, such as who they were assigned to, or why they had not been revoked in the past four years.

Update: This article was updated with clarifying language that the communication shared privately with customers was viewed by TechCrunch and verified by multiple sources.
