Klue Supply Chain Breach Exposes Customer Data at Multiple Cybersecurity Companies

A cyberattack targeting Klue led to a supply chain data breach affecting several cybersecurity firms via compromised Salesforce integrations. Learn what happened, which companies were impacted, and the security lessons from the incident.

Jun 29, 2026 - 13:51

A hacking group has claimed responsibility for a cyberattack on market intelligence provider Klue that resulted in the theft of data belonging to several corporate customers, including some of the cybersecurity industry’s most prominent companies.

Vancouver-based Klue, which enables businesses to conduct market intelligence by connecting their cloud data to its platform, confirmed on Friday that attackers had accessed and stolen customer data during a cyberattack that occurred about a week earlier. The company also published a blog post about the incident, although the page includes a “noindex” tag that prevents search engines from displaying it in search results.

The cybercrime group Icarus has taken credit for the attack, stating on its leak site that it intends to publish the stolen information on Monday unless Klue meets its ransom demands.

Klue has not disclosed how many of its hundreds of customers were affected by the breach. However, several organisations have confirmed that their data was compromised, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, and Huntress.

The incident is the latest example of attackers targeting companies that act as gateways to other organisations’ cloud environments. By compromising providers such as Klue, hackers can potentially gain access to customer data from numerous businesses through a single breach. Similar attacks over the past year have targeted middleware providers, including Gainsight and Salesloft, allowing threat actors to access information belonging to hundreds of companies.

According to Klue, the attackers gained access to its systems on June 12 by using a compromised legacy credential, such as a password or authentication token, linked to an integration tool that enables customers to connect their cloud services with Klue.

Using that access, the attackers retrieved data stored in customers’ cloud environments, including Salesforce databases. Since many organisations use Salesforce to store customer records and business information, those systems have become attractive targets for cybercriminals.

Based on statements from the affected companies, much of the exposed information includes business contact details, such as names, email addresses, phone numbers, and job titles, as well as certain customer account information.

It remains unclear how the attackers obtained the compromised credentials or why the unauthorised activity was not detected earlier. Recent large-scale breaches involving compromised credentials at companies such as Snowflake and TanStack have been linked to employees unknowingly installing malware that steals passwords from work devices.

Klue said it has engaged incident response firm CrowdStrike to assist with the investigation and has disabled the affected integrations to prevent any further unauthorised access to customer data.

Cybersecurity company Huntress, which confirmed that some of its data was exposed in the breach, said the attackers sent a ransom note using an email address belonging to an Australian company, suggesting the organisation’s email infrastructure may have been misused during the campaign.

Last June, Klue announced plans to lay off nearly half of its workforce, affecting around 100 employees, as part of a strategy to increase investment in artificial intelligence. It remains unknown whether those staffing reductions contributed to any security gaps within the company. It is also unclear who currently oversees cybersecurity at Klue, aside from company leadership.

At present, Klue’s executive leadership page does not identify an executive specifically responsible for cybersecurity.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.