Tuesday, 23 June 2026
Rīga TV

World and Latvian news in one place

Technology | Published: 24 June 2026 at 00:22

Klue confirms hackers used 2022 credential to steal customer data

Market research firm Klue said a credential from 2022, part of a limited pilot, was used by hackers earlier this month to steal data from corporate customers, including cybersecurity companies like LastPass.

Photo: TechCrunch

Market research company Klue has confirmed that a credential dating back to 2022, which was used for a limited pilot program, was exploited by hackers earlier this month to steal large amounts of data from its corporate customers, including several cybersecurity firms. The disclosure raises questions about why the credential was not decommissioned after the pilot ended.

Klue detected the breach on June 12 and first disclosed it last Friday. The attackers used the credential to access Klue's systems, which stored OAuth tokens that allowed them to retrieve customer data from other cloud services and databases. Victims include password manager maker LastPass and other cybersecurity companies.

Klue spokesperson Katie Berg told TechCrunch that the investigation so far indicates the credential “was originally provided to a third-party in 2022, for a limited pilot.” However, Klue declined to provide details about the pilot's purpose, duration, or the identity of the third party. It also did not explain why the credential was not revoked after the pilot concluded.

Klue has not specified what type of credential was stolen, only describing it as a “legacy credential associated with an integration service” in a blog post. The company also would not say whether it was an employee username and password, or whether it believes the credential was stolen from the third party rather than from its own systems. These details are crucial for understanding how the breach occurred and preventing future incidents.

Klue stated it is “conducting a comprehensive review of credential management, vendor-access controls, monitoring capabilities, and deployment security processes.” A hacking group calling itself Icarus has claimed responsibility for the breach on its data leak site and threatened to release the stolen data unless a ransom is paid. Klue has not said whether it has contacted the hackers or plans to pay.
