Klue's breach just got more complicated: a second hacking group is now threatening to release data the first group supposedly agreed to destroy.
Klue, a market intelligence platform, was breached earlier this month, exposing customer data from LastPass, HackerOne, and roughly a dozen other companies. The original attackers have reportedly begun cooperating with Klue and deleting the stolen data — an outcome that sounds reassuring until you realize that a second, unnamed group has surfaced claiming to hold the same information and is now attempting extortion. Klue disclosed both developments publicly on June 25.
This is the double-jeopardy problem with data breaches that companies rarely advertise: deleting data from one bad actor means nothing if copies already circulated. The breach's downstream victims — LastPass and HackerOne customers whose data passed through Klue — have no way to verify what's been deleted, and now they're negotiating with a threat they didn't know existed a week ago.
The situation is a useful reminder that breach containment theater — "the hackers agreed to delete it" — offers cold comfort when the data's provenance can't be controlled after the fact.