A number of leading cybersecurity firms, including Huntress, HackerOne, Jamf, Recorded Future, and Tanium, have confirmed that their data was compromised following a recent cyberattack on market intelligence provider Klue. The breach, which occurred on June 12, saw hackers exploit a vulnerability in Klue's systems to access customer information.
Klue, a Vancouver-based company that facilitates market research by connecting to its clients' data systems, disclosed on Friday that an unspecified number of its customers had data stolen during the incident. The cybercrime group Icarus has claimed responsibility for the breach, stating on its leak site that the stolen data will be published on Monday if their ransom demands are not met. Klue has not yet confirmed the exact number of affected customers from its extensive client base.
The attackers gained entry to Klue’s systems using a “compromised legacy credential” linked to an integration tool. This tool allows customers to connect their cloud data, such as Salesforce databases, to their Klue accounts. By compromising this single point, hackers were able to extract data from multiple customer clouds. The stolen information largely consists of business contact details, including names, email addresses, phone numbers, job titles, and some account-specific information, according to statements from the affected companies.
This incident underscores a concerning and increasingly prevalent tactic by cybercriminals: targeting 'middleware' providers. These firms act as central hubs, holding access to the cloud databases of numerous other companies. By breaching a single provider like Klue, hackers can potentially compromise a vast array of organisations simultaneously. Similar broad-scale attacks have been observed recently, with middleware providers such as Gainsight and Salesloft also targeted over the past year.
Klue has engaged the incident response firm CrowdStrike to investigate the breach and has disconnected its integrations to prevent further unauthorised access to customer data. The company has not publicly disclosed how the compromised credentials were acquired or why the breach was not detected sooner. Previous mass hacks involving credential compromise, such as those affecting Snowflake and Tanstack, have sometimes been linked to employees inadvertently installing password-stealing malware.
The breach raises questions about Klue's security posture, particularly as the company announced plans last June to lay off around half of its staff in order to focus on AI investments. It remains unclear whether these staffing changes had any impact on the company's cybersecurity defences. Klue's executive leadership page does not currently list a dedicated individual overseeing cybersecurity.