A credential left active since a 2022 pilot program became the entry point for a breach that exposed Klue customer data.
Klue confirmed that attackers obtained a credential dating back to 2022 — apparently never revoked after a limited pilot concluded — and used it to reach a system holding keys that grant access to customers' data. The company has not disclosed which customers were affected, how many records were involved, or when the intrusion was detected. No CVE identifier, affected product versions, hardware scope, or patch guidance has been made public as of this writing.
The detail that should worry Klue's customers isn't the breach itself — it's the timeline. A four-year-old credential sitting active in a production-adjacent system suggests an access review process that either didn't exist or wasn't enforced. That's not a sophisticated attack; that's a housekeeping failure with serious consequences.
Credential sprawl after pilots, acquisitions, and staff turnover is one of the most common and least glamorous sources of enterprise breaches. Klue isn't alone in this failure mode, but the gap between 2022 and 2026 is hard to explain away.
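The access review the article says was missing can be approximated with a periodic sweep over the credential inventory that flags exactly the sprawl triggers named above: the pilot or project the key was issued for has ended, its owner has left, or it has exceeded an age or idle window. The script below is an added illustration, not Klue's code or a description of its systems; the inventory, project end dates, departed owners and thresholds are constructed sample values.

```python
"""Stale-credential review sweep (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Credential:
    cred_id: str
    owner: str
    purpose: str               # project or pilot the key was issued for
    created: date
    last_used: Optional[date]  # None if never seen in use
    active: bool


# Constructed inventory: names and dates are illustrative only.
CREDENTIALS = [
    Credential("key-pilot-01", "alice", "pilot-2022", date(2022, 3, 1), date(2022, 9, 15), True),
    Credential("key-prod-07", "bob", "prod-api", date(2026, 1, 10), date(2026, 3, 20), True),
    Credential("key-old-03", "contractor-a", "prod-api", date(2025, 6, 1), date(2026, 3, 25), True),
    Credential("key-retired", "carol", "pilot-2022", date(2022, 3, 1), None, False),
]
ENDED_PROJECTS: Dict[str, date] = {"pilot-2022": date(2022, 9, 30)}  # assumed end dates
DEPARTED_OWNERS: Set[str] = {"contractor-a"}                         # assumed HR feed
MAX_AGE = timedelta(days=365)   # rotation window
MAX_IDLE = timedelta(days=90)   # unused-for window


def review(creds: List[Credential], today: date, ended: Dict[str, date],
           departed: Set[str], max_age: timedelta = MAX_AGE,
           max_idle: timedelta = MAX_IDLE) -> Dict[str, List[str]]:
    """Return {cred_id: [reasons]} for every active credential that should be revoked."""
    findings: Dict[str, List[str]] = {}
    for c in creds:
        if not c.active:
            continue  # already revoked; nothing to review
        reasons = []
        if c.purpose in ended and today > ended[c.purpose]:
            reasons.append(f"project {c.purpose} ended {ended[c.purpose]}")
        if c.owner in departed:
            reasons.append(f"owner {c.owner} departed")
        if today - c.created > max_age:
            reasons.append(f"older than {max_age.days} days")
        if c.last_used is None or today - c.last_used > max_idle:
            reasons.append(f"unused for more than {max_idle.days} days")
        if reasons:
            findings[c.cred_id] = reasons
    return findings


if __name__ == "__main__":
    for cred_id, why in review(CREDENTIALS, date(2026, 4, 1), ENDED_PROJECTS, DEPARTED_OWNERS).items():
        print(cred_id, "->", "; ".join(why))
```

Run against a real inventory export, a key that outlived its 2022 pilot would surface on every sweep until someone revoked it.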
