Market intelligence company Klue has revealed that the credentials used by hackers to steal customer data earlier this month were originally issued in 2022 as part of a limited pilot project.
The disclosure raises new questions about why the credential remained active years after the pilot ended and whether stronger security controls could have prevented the breach.
The Vancouver-based company detected the cyberattack on June 12 and publicly disclosed it last week. The incident allowed hackers to gain access to Klue’s systems and steal customer data from several organizations, including password manager company LastPass and other cybersecurity firms.
According to Klue, the attackers used a credential associated with an old integration service to access OAuth tokens stored within its platform. Those tokens were then used to access customer data stored in external cloud services and databases. The stolen information was allegedly downloaded and later used in extortion attempts against affected companies.
Klue spokesperson Katie Berg said the credential involved in the attack had originally been provided to a third party during a limited pilot in 2022. However, the company declined to explain the purpose of the pilot, identify the third party involved, or clarify why the credential had not been revoked after the pilot concluded.
The company has also not disclosed exactly what type of credential was compromised. While Klue described it as a “legacy credential associated with an integration service,” it did not confirm whether it was a username and password, an API key, or another form of authentication. Klue also has not said whether the credential was stolen from the third party or from its own environment.
Security experts often view these details as important because they can help explain how attackers gained access and what steps organizations can take to prevent similar incidents in the future.
Klue said its investigation remains ongoing and that it is conducting a broad review of its credential management practices, vendor access controls, monitoring capabilities, and deployment security processes.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Meanwhile, a hacking group known as Icarus has claimed responsibility for the breach and has threatened to publish the stolen data unless a ransom is paid. Klue has not disclosed whether it has communicated with the attackers or if it plans to respond to any ransom demands.
