Market research firm Klue confirmed that a credential dating back to 2022, which was part of a limited pilot, was used by hackers earlier this month to steal reams of data from its corporate clients, including several cybersecurity firms.
The new detail suggests that Klue may have had years to decommission the credentials used for the pilot, raising questions about the company’s security posture and actions it could have taken to prevent breaches of its customers’ data.
The hack at Vancouver-based Klue, which it spotted on June 12 and first disclosed last Friday, allowed hackers to steal data from a number of its customers, including password management maker LastPass and several other cybersecurity companies. Klue's systems store the keys – known as OAuth tokens – that give Klue access to its customers' data held in other clouds and databases; the hackers used their access to those systems to download that data and extort the companies.
Klue spokeswoman Katie Berg told TechCrunch that the company’s research so far shows that the credentials used by the hackers to steal customer data “were initially provided to a third party in 2022, for a limited pilot.”
When asked by TechCrunch, Klue did not explain the purpose of the pilot, how long it ran, or identify the third party to which the company gave the credentials. Klue also did not say why the credential was not revoked after the pilot ended.
Klue did not respond to follow-up emails about the incident prior to publication.
Questions remain about the incident as the company says its investigation continues.
Klue didn’t say what kind of credentials were stolen, stating only in a blog post that it was a “legacy credential associated with an integration service”. Klue also won’t say whether the credentials were, for example, an employee’s username and password, or whether the company believes the credentials were stolen from the third party rather than from its own systems.
These details can be critical to understanding how the breach took place — and how to prevent a repeat incident.
Klue’s statement to TechCrunch added that the company is “conducting a comprehensive review of its credential management, vendor access controls, monitoring capabilities and development security processes,” without offering further details.
A hacking group called Icarus has taken credit for the breach on its data leak website and has publicly threatened to release the stolen data if its ransom is not paid.
Klue has not said whether it has been in contact with the hackers or whether it plans to pay their demands.
Do you know more about the Klue cyber attack? Are you a company affected by the breach? We would love to hear from you. You can reach Zack Whittaker securely via Signal at username zackwhittaker.1337.
