Klue hack leads to data breach at several cybersecurity companies

A hacking group has taken credit for a breach at market information provider Klue that allowed hackers to steal troves of data from the company’s corporate clients, which include some of the biggest names in cybersecurity.

Vancouver-based Klue, which allows companies to conduct market research by linking their data to their systems, said Friday that hackers stole data from an unspecified number of its customers during a cyberattack a week ago. (The blog contains a “noindex” code, which tells search engines not to include the page in search results.)

Cybercrime group Icarus claimed responsibility for the hack, saying on its leak site that it would publish the stolen data on Monday if the company did not pay the hackers’ ransom.

Klue did not say how many of its hundreds of customers were affected. Several companies have come forward to confirm that their data was stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium.

This is the latest in a series of large-scale hacks in which hackers target companies that hold the keys to other companies’ cloud databases. By compromising companies like Klue, hackers are betting that compromising a single point of failure will allow them to steal data from a large number of organizations at once. Over the past year alone, hackers have increasingly targeted similar middleware providers, including Gainsight and Salesloft, to access hundreds of companies’ data.

Klue said hackers gained access to the company’s systems on June 12 using “vulnerable legacy credentials,” such as a password or token, linked to an integration tool that allows customers to link their company’s cloud data to their Klue accounts.

Hackers were able to steal data from Klue customers’ clouds, such as Salesforce databases. Businesses often store their customers’ personal information in Salesforce databases, making it a prime target.

Much of the stolen data included business contact information, such as names, email addresses, phone numbers, job titles, and some account information for their customers, according to the various affected companies.

It’s not clear how the hackers obtained the compromised credentials, or why Klue didn’t discover the theft sooner. Similar recent mass hacks involving credential compromise and misuse have been linked, such as at Snowflake and TanStack, where employees unwittingly installed password-stealing malware on devices they use for work.

Klue said it called in incident response company CrowdStrike and disconnected its integrations to prevent further access to customer data.

When contacted by TechCrunch on Monday, Klue CEO Jason Smith did not immediately respond to a request for comment, or answer questions about the incident, including whether the company had received any communication from the hackers, such as a ransom demand.

Huntress, one of the security companies whose data was stolen in the hack, said in its incident report that hackers contacted it with a ransom note using the email address of an Australian company, whose servers were likely misused in the campaign.

Last June, Klue said it was preparing to lay off about half of its employees, or about 100 people, while doubling its investments in artificial intelligence. It is not clear whether the staff reductions have led to security vulnerabilities at the company. It’s not clear who, other than Smith, is in charge of cybersecurity at the company.

Klue does not currently list anyone overseeing cybersecurity on its Executive Leadership page.

Do you know more about the Klue cyber attack? Are you a company affected by the breach? We would love to hear from you. To contact Zack Whittaker securely, contact our Signal username zackwhittaker.1337 or email: zack.whittaker@techcrunch.com.