Security/ ransomware · data breach · supply chain · extortion

Klue's Stolen Data Got Stolen From the Hackers Who Stole It

After ransomware group Icarus stole Klue customer data, an unnamed second group stole it from Icarus and is now extorting those customers directly.

A second hacker group has stolen Klue's customer data from Icarus, the ransomware gang that originally took it, and is now running its own extortion campaign against Klue's customers.

Klue, a market intelligence platform, disclosed earlier this month that the Icarus ransomware group had breached its systems, with the fallout hitting customers including LastPass, Gong, Jamf, HackerOne, and Huntress. Klue entered talks with Icarus, which claimed to be deleting the stolen files. Then a second, unnamed group emerged claiming it had accessed the server where Icarus stored the data after an Icarus member accidentally left a connection open. That group is now directly extorting Klue's affected customers and has posted an unverified claim that an Icarus operator, described as a UK-based teenager, had already been paid by Klue to delete the data.

This is what supply chain compromises look like when they go wrong a second time. Once data leaves a company's control, the company loses the ability to govern it and can only appeal to whoever holds it. Klue has reached that position: it is now relaying messages from the original attackers to its own customers, including Icarus's request that they not pay the rival group.

Klue advised customers to ask the second group for random samples of their data to gauge whether the group actually holds the full dataset. That is a reasonable starting point, though a random sample proves only what an extorter chooses to show — it cannot confirm what else they may be sitting on. Readers should note that this verification method is heuristic at best: a thief with partial data can produce a convincing sample regardless of whether they have the rest.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →