A hacking group has taken credit for a breach at market intelligence provider Klue that allowed hackers to steal reams of data from the company’s corporate customers, which include some of the biggest names in cybersecurity.
Vancouver-based Klue, which lets companies conduct market research by connecting their data to its systems, said on Friday that hackers had stolen data from an unspecified number of its customers during a cyberattack a week earlier. (The blog contains the “noindex” code, which tells search engines to not list the page in search results.)
Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom.
Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium.
This is the latest of a slew of broad-scale hacks in which hackers target companies that hold the keys to other companies’ cloud databases. By breaching firms like Klue, hackers are betting that compromising a single point-of-failure will let them steal data from a large number of organizations at once. Over the past year alone, hackers have increasingly targeted similar middleware providers, including Gainsight and Salesloft, to gain access to hundreds of companies’ data.
Klue said hackers had gained access to the company’s systems on June 12 using a “compromised legacy credential,” such as a password or a token, associated with an integration tool that allows customers to link their company’s cloud data to their Klue accounts.
The hackers were able to steal data from Klue’s customer clouds, such as Salesforce databases. Companies often store their customers’ personal information in Salesforce databases, making these a prime target.
Much of the stolen data includes business contact information, like names, email addresses, phone numbers, job titles, and some account information of their customers, according to the various affected companies.
It’s not clear how the hackers acquired the compromised credentials, or why Klue did not detect the theft sooner. Similar recent mass-hacks involving the compromise and misuse of credentials, such as at Snowflake and TanStack, have been linked to employees inadvertently installing password-stealing malware on the devices that they use for work.
Klue said it has called in incident response firm CrowdStrike, and has disconnected its integrations to prevent further access to customers’ data.
When contacted by TechCrunch on Monday, Klue CEO Jason Smith did not immediately respond to a request for comment, or answer questions about the incident, including if the company has received any communication from the hackers, such as a ransom demand.
Huntress, one of the security companies that had its data stolen in the hack, said in its write-up of the incident that the hackers had contacted it with a ransom note using an Australian company’s email address, whose servers were likely misused for the campaign.
Last June, Klue said it was preparing to lay off around half of its staff, around 100 people, as it doubled down on its AI investments. It’s not clear if the reduction in staff led to lapses in security at the company. It’s not clear who, beyond Smith, is responsible for cybersecurity at the company.
Klue does not currently list a person overseeing cybersecurity on its executive leadership page.
Do you know more about the Klue cyberattack? Are you a company affected by the breach? We would love to hear from you. To contact Zack Whittaker securely, reach out via Signal username zackwhittaker.1337 or by email: zack.whittaker@techcrunch.com.
