Icarus deleting stolen data. In a June 25 customer update reviewed by TechCrunch, Klue stated: "Icarus told us they are taking steps to delete the data taken from Klue customers. The Icarus site remains down and we have indications that Icarus is indeed taking steps to delete data taken from Klue customers."
Second unnamed group emerges. Despite Icarus appearing to destroy the data, a second, unnamed hacking gang has obtained at least portions of the stolen information and is directly extorting Klue's customers. According to Klue's Thursday update, "Icarus told us that the other party has only samples of data and is opportunistically and fraudulently seeking payment directly from a number of our customers." This second group posted a list of allegedly affected companies on its own extortion site.
Multiple reports confirm that approximately 195 organizations had data stolen. The Register reported "hundreds" of victims, with other sources specifying that 195 companies received direct extortion demands. Confirmed victims include Huntress, Recorded Future, HackerOne, Jamf, Tanium, Gong, OneTrust, Snyk, Sprout Social, Insurity, and others. Notably, LastPass was not listed in any of the sourced disclosure lists, contrary to some early unverified claims.
Backed by CrowdStrike. Klue publicly confirmed it "engaged CrowdStrike" to support the investigation and validate response measures. The company took immediate steps: revoking affected credentials and tokens, removing unauthorized code, disabling impacted integrations, and notifying law enforcement.
Advisory on the second extortion group. In its June 25 update, Klue advised customers not to pay the second unnamed group. Instead, Klue recommended that affected customers request proof-of-data samples before engaging with any extortion demands and forward any such communications directly to Klue or law enforcement for verification. The company emphasized that the second group appears to possess only "samples" of data and is acting opportunistically and fraudulently.
Ongoing remediation. Klue is conducting a full review of security controls, credential management, monitoring, and deployment processes to implement additional safeguards.