Klue Breach: Original Hackers Deleting Stolen Data as New Threat Actors Move In

Klue says the hacking group responsible for stealing customer data following its June 12 intrusion is now deleting that data — but a second set of threat actors has since emerged, making their own threats against affected organizations, TechCrunch reports.
The initial breach was carried out using a compromised legacy credential, a vector that allowed attackers to gain footholds inside Klue's systems on June 12, 2026. Among the downstream casualties: Huntress, the security operations platform, whose data was exposed alongside that of several other cybersecurity firms. The fact that a competitive intelligence and sales enablement vendor holds data sensitive enough to interest threat actors — and to cascade downstream into the security industry itself — is worth a moment's consideration.
The group Icarus claimed responsibility for the downstream exposure, listing data belonging to Huntress and other companies on its leak site on June 22, according to Huntress's own breach investigation. That Icarus is now reportedly deleting the stolen material is the more unusual development. Criminal groups listing data on leak sites typically do so to monetize it through extortion, ransom, or direct sale. Voluntary deletion with no payment publicly confirmed runs counter to that playbook — though the absence of a confirmed payment does not mean no payment was made.
The new complication is a separate group of actors who have now surfaced with threats of their own. The nature of those threats, and whether they involve the same dataset or a derivative of it, is not yet fully established from current reporting. This layering — a primary breach actor followed by opportunistic secondary actors — is a pattern that tends to extend the effective blast radius of any single intrusion well beyond the original incident timeline.
The legacy credential entry point deserves direct attention. Stale, unrotated credentials in production or near-production systems remain one of the most reliable exploitation surfaces in enterprise environments, not because defenders are unaware of the risk, but because the remediation burden — auditing, rotating, and decommissioning credentials across years of accumulated integrations — is operationally costly. SaaS vendors with deep customer data integrations represent a particularly high-value target for this approach: a single valid credential can yield data spanning dozens of downstream organizations.
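The audit-rotate-decommission cycle the paragraph above describes is easier to reason about with a concrete policy. The script below is an added illustration, not code from the article, from Klue, or from Huntress: it runs a stale-credential audit over a constructed inventory (the credential names, dates, and thresholds are all invented for this example) and flags each entry as unrotated, idle, never used, unowned, or orphaned by a retired integration, then maps those findings to a revoke-or-rotate recommendation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy thresholds are assumptions for this example, not values from the article.
MAX_ROTATION_AGE = timedelta(days=180)  # rotate anything older than this
MAX_IDLE = timedelta(days=90)           # unused this long => candidate for removal


@dataclass
class Credential:
    name: str
    kind: str                    # e.g. "api_key", "service_account", "oauth_token"
    created: date
    last_rotated: date
    last_used: Optional[date]    # None = never observed in use
    owner: Optional[str]         # None = no accountable owner on record
    integration_active: bool     # False = the integration it served is retired


# Constructed sample inventory; none of these are real Klue or Huntress credentials.
TODAY = date(2026, 6, 25)
INVENTORY = [
    Credential("crm-sync-2019", "api_key", date(2019, 3, 4), date(2019, 3, 4),
               date(2026, 6, 1), None, True),
    Credential("bi-export", "service_account", date(2024, 1, 10), date(2026, 4, 2),
               date(2026, 6, 24), "data-eng", True),
    Credential("old-partner-feed", "api_key", date(2021, 7, 1), date(2021, 7, 1),
               date(2023, 2, 11), "partnerships", False),
    Credential("legacy-webhook", "api_key", date(2025, 12, 1), date(2025, 12, 1),
               None, "ops", True),
    Credential("sso-probe", "oauth_token", date(2026, 5, 30), date(2026, 5, 30),
               None, "platform", True),
]


def audit(inventory, today=TODAY):
    """Return {credential name: [reasons]} for every entry that violates policy."""
    findings = {}
    for c in inventory:
        reasons = []
        if today - c.last_rotated > MAX_ROTATION_AGE:
            reasons.append("unrotated")
        if c.last_used is None:
            # A never-used credential gets a grace period equal to MAX_IDLE after creation.
            if today - c.created > MAX_IDLE:
                reasons.append("never_used")
        elif today - c.last_used > MAX_IDLE:
            reasons.append("idle")
        if c.owner is None:
            reasons.append("unowned")
        if not c.integration_active:
            reasons.append("orphaned")
        if reasons:
            findings[c.name] = reasons
    return findings


def recommend(findings):
    """Map findings to an action: revoke dead credentials, rotate live but stale ones."""
    actions = {}
    for name, reasons in findings.items():
        if "orphaned" in reasons or "never_used" in reasons:
            actions[name] = "revoke"
        else:
            actions[name] = "rotate"
    return actions


if __name__ == "__main__":
    results = audit(INVENTORY)
    for name, action in recommend(results).items():
        print(f"{name}: {action} ({', '.join(results[name])})")
```

The grace period for never-used credentials matters in practice: a key provisioned last week for an integration that has not gone live yet is not the same risk as one nobody has touched in seven years, and a blunt "unused means revoke" rule tends to be switched off the first time it breaks a rollout. The orphaned check is the one that most directly targets the legacy-credential vector, because retired integrations are where working credentials quietly outlive any owner who would notice their misuse.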
The cybersecurity firm composition of Klue's affected customer list adds a specific wrinkle. Security vendors hold data that may include customer telemetry, detection logic, tooling configurations, or organizational structure — none of which has obvious direct monetization value to most criminal groups, but all of which carries intelligence value in the right hands. Whether the parties now making threats are motivated by money, intelligence collection, or disruption, the affected firms face a disclosure and containment problem that compounds their primary function of protecting their own customers.
Huntress has published its own breach investigation timeline publicly, which is the kind of transparent incident handling the industry consistently says it values and inconsistently practices. That transparency also makes Huntress a useful data point for other affected organizations working through their own notification obligations.
The situation remains active. A second threat actor group is making threats as of June 25, 2026, and the full scope of what was exfiltrated before any deletion began has not been publicly confirmed. Organizations that are Klue customers — particularly those in security, where the downstream sensitivity of exposed data is highest — should be operating on the assumption that data has been seen by at least two separate threat actor groups, regardless of what either group does with it next.