Klue data breach traced to 2022 credentials; LastPass affected

CoinDesk reports:

Canadian market research firm Klue disclosed that hackers gained access to its system this month using outdated credentials dating back to 2022, stealing data from multiple corporate clients. The incident has affected password management company LastPass and several cybersecurity firms.

Hackers gained access to the system using old credentials.

Klue stated that the credential was initially provided in 2022 to a third party for a limited-scope pilot project. The company said that current investigations indicate the attacker exploited this credential to carry out the intrusion.

However, Klue did not specify the purpose or duration of the pilot, nor did it disclose the identity of the third party receiving the credential. The company also failed to explain why the credential was not revoked after the pilot ended.

Customers' cloud data was also downloaded.

According to disclosures, Klue detected anomalies on June 12 and first publicly revealed the incident last week. After gaining access to Klue’s system, the hackers obtained OAuth tokens used to connect to customers’ external cloud services and databases, downloaded the associated data, and issued ransom threats to the affected organizations.

Known affected customers include LastPass and several cybersecurity firms. A hacker group named Icarus has claimed responsibility for the attack on a data leak website and threatened to release the stolen data if the ransom is not paid.

  • Klue discovered the intrusion on June 12.
  • The compromised credentials can be traced back to 2022.
  • Attackers obtained customer-related OAuth tokens.

Questions remain about the source and management of the credentials.

Klue only described the credentials as "legacy credentials related to integrated services" in its blog post, without specifying whether these were employee login credentials or another type of access credential. The company also did not clarify whether the credentials were leaked by a third party or directly stolen from Klue’s own systems.

These details are crucial for reconstructing the attack path and shape external assessments of Klue's internal security controls. Because the credential dates back several years, the incident has raised questions about the company's credential deactivation process and its historical access management.

The company says it is reviewing access controls.

Klue stated that the investigation is ongoing and has initiated a comprehensive review of credential management, vendor access controls, monitoring capabilities, and deployment security processes.

At the time of the report, Klue did not disclose whether it had contacted the hackers or whether it was considering paying a ransom.
