Market research provider Klue, which was compromised earlier this month in a breach that allowed cybercriminals to steal reams of data belonging to several of its customers, said it is contacting the hackers. The company also said it believes the group is deleting the stolen data, according to TechCrunch.
“We are continuing to communicate with the threat actor we have been in contact with (‘Icarus’),” the company wrote in an update it shared privately Wednesday night with its customers, which TechCrunch has seen and verified from multiple sources. “Icarus has told us that they are taking steps to delete data taken from Klue customers. The Icarus website remains down and we have indications that Icarus is indeed taking steps to delete data from Klue customers.”
On Monday, Klue confirmed that hackers broke into its systems on June 12 and stole an unspecified amount of data from an unspecified number of its customers. Since then, several Klue customers have confirmed they were affected by the breach, including Discoid, Jamf, HackerOne, Hunter, insuranceLastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, and Taniu.
At the time, the hacking group Icarus threatened to release the stolen customer data in an attempt to extort Klue.
As of Thursday morning, when TechCrunch checked, Icarus’ website appeared to be down, something Klue has privately told its customers.
Contact us
Got more info on the Klue hack? Or on the cybercrime group Icarus? We would love to hear from you. From a non-work device and network, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or via email.
While this all seems to point toward a resolution, the hack has gotten messier over the past couple of days. According to Klue, Icarus told the company that a second gang of hackers is trying to extort its customers directly.
This unnamed gang posted a list of allegedly affected companies on its own website, seen by TechCrunch, where they claimed to have stolen Klue customer data directly from Icarus. The hackers also claimed that Klue paid an “Icarus operator who is a teenager living somewhere in the UK or neighboring countries”. TechCrunch has not received any independent verification that Klue paid Icarus, nor have we been able to determine why Icarus’ website is down. A representative for Klue did not immediately respond to a request for comment.
According to the hackers, this person made a mistake that allowed them to connect to the server where the operator kept the stolen Klue customer data.
“Pay the ransom or we’ll leak everything if you don’t pay us,” the cybercriminals wrote in a message on the site, where they claimed a total of 195 Klue customers were affected.
In Thursday’s update to clients, Klue said: “Icarus has told us that the other party only has sample data for a subset of customers, not all of the data. Icarus has asked us to inform Klue customers not to make payments to this other party.”
Klue suggested that customers contacted by this second group request a random sample of data as proof that the hackers actually hold the data they claim to have.
The company previously said the hackers stole customer data using a third-party credential from 2022 that had been issued as part of a limited pilot. The hackers then used their access to Klue’s systems to steal customers’ authentication keys — known as OAuth tokens — and log into their cloud environments and databases. Klue has not released further details about this stolen credential, such as who it was assigned to or why it had not been revoked in the intervening four years.
Update: The article added clarifying language that a communication shared privately with customers was seen by TechCrunch and verified by multiple sources.