Klue says hackers stole credentials dating back to 2022, leading to a customer data breach


Market research firm Klue confirmed that credentials dating back to 2022, which were part of a limited beta program, were used by hackers earlier this month to steal troves of data from its corporate clients, including several cybersecurity companies.

New details suggest that Klue may have had years to turn off credentials that were used for the pilot, raising questions about the company’s security posture and what measures it could have taken to prevent breaches of its customers’ data.

The hack at Vancouver-based Klue, which the company discovered on June 12 and which was first revealed last Friday, allowed hackers to steal data from a number of its customers, including password manager maker LastPass and many other cybersecurity companies. Klue's systems store keys, known as OAuth tokens, that grant access to its customers' data stored in clouds and other databases. The hackers used their access to those systems to download that data and to extort the companies.

Katie Berg, a Klue spokeswoman, told TechCrunch that the company’s investigation so far indicates that the credentials the hackers used to steal customer data “were originally provided to a third party in 2022, for a limited pilot program.”

When asked by TechCrunch, Klue did not explain the purpose of the beta program or how long it ran, and did not identify the third party to which the company gave the credentials. Klue also did not share why the credentials were not revoked after the pilot program ended.

Klue did not respond to follow-up emails about the incident prior to publication.

There are still questions about the incident, as the company says its investigations are continuing.

Klue didn’t say what type of credentials were stolen, stating only in a blog post that they were “legacy credentials associated with the integration service.” Klue also did not clarify whether the credentials were an employee’s username and password, for example, or whether the company believes the credentials were stolen from the third party and not from its own systems.

These details may be crucial to understanding how the hack was carried out and how to prevent the incident from recurring.

Klue’s statement to TechCrunch added that the company is “conducting a comprehensive review of credential management, vendor access controls, monitoring capabilities, and deployment security processes,” without providing further details.

A hacking group called Icarus has claimed responsibility for the hack on its data leak site, publicly threatening to release the stolen data if its ransom is not paid.

Klue did not say whether it has made contact with the hackers, or if it plans to pay the ransom they demand.

Do you know more about the Klue cyber attack? Are you a company affected by the breach? We would love to hear from you. To contact Zack Whittaker securely, reach out via Signal at username zackwhittaker.1337.
