
Klue Breach Widens: Original Hackers Delete Stolen Data, Second Group Emerges

By Martin Holloway. Published 2w ago. 4 min read. Based on 3 sources.

Klue, a competitive intelligence platform, said the hackers responsible for stealing customer data in its June 12 intrusion are now removing that data — but a second group of threat actors has surfaced with their own threats against the affected companies, TechCrunch reports.

The initial attack used a compromised legacy credential — an old password or token that was never deleted or refreshed — to get inside Klue's systems on June 12, 2026. This gave attackers access to customer data including information from Huntress, a security operations platform, and several other cybersecurity firms. The exposure of sensitive data from a vendor that sells to the security industry and then cascades downstream through that same industry is a notable pattern worth examining.

A group calling itself Icarus claimed responsibility for the downstream exposure, posting data from Huntress and other companies on its leak site on June 22, according to Huntress's own investigation. The unusual part here is that Icarus is reportedly deleting the material. Criminal groups typically post stolen data to extort ransom payments or sell it for profit. Voluntary deletion without a publicized payment contradicts that standard approach — though the absence of announced payment does not confirm no money changed hands.

The complication is a separate group of hackers now making threats of their own. From current reporting, it is not yet clear whether they have the same data set or a portion of it. This pattern — a primary breach followed by opportunistic secondary actors — tends to extend the damage and timeline of any single intrusion well beyond the original incident.

The root cause here deserves attention. Stale credentials left unrotated in production systems remain one of the easiest ways for attackers to get inside large organizations — not because security teams are unaware of the risk, but because fixing it is operationally burdensome. Auditing, rotating, and decommissioning credentials across years of integrations costs time and resources. Software-as-a-service vendors with deep connections to customer systems are particularly attractive targets, since a single valid credential can unlock data from dozens of downstream organizations.
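As an added illustration (not code from Klue, Huntress or the article), the following Python audit runs over a constructed credential inventory and flags the two cases the paragraph describes: long-unused legacy credentials that should be decommissioned, and active ones overdue for rotation. The inventory records, thresholds and function names are assumptions for illustration.

```python
"""Stale-credential audit over a constructed credential inventory (added example)."""
from datetime import datetime, timezone

# Assumed policy thresholds (illustrative, not from the article).
MAX_AGE_DAYS = 90    # rotate anything older than this
MAX_IDLE_DAYS = 60   # decommission anything unused for this long
NOW = datetime(2026, 6, 12, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed inventory: one record per API token / integration credential.
INVENTORY = [
    {"id": "tok-crm-sync", "owner": "integrations", "created": "2026-05-20", "last_used": "2026-06-11"},
    {"id": "tok-legacy-export", "owner": "unknown", "created": "2022-03-01", "last_used": "2023-01-15"},
    {"id": "tok-bi-dashboard", "owner": "analytics", "created": "2026-01-05", "last_used": "2026-06-10"},
    {"id": "tok-old-partner", "owner": "partnerships", "created": "2024-11-02", "last_used": None},
]


def _parse(day):
    """Parse a YYYY-MM-DD string into an aware datetime; None stays None."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc) if day else None


def classify(cred, now=NOW):
    """Return 'decommission', 'rotate', or None (healthy) for one credential."""
    age_days = (now - _parse(cred["created"])).days
    last = _parse(cred["last_used"])
    idle_days = (now - last).days if last else None
    if idle_days is None or idle_days > MAX_IDLE_DAYS:
        return "decommission"  # never used or long unused: remove rather than rotate
    if age_days > MAX_AGE_DAYS:
        return "rotate"        # actively used, but past its rotation window
    return None


def audit(inventory, now=NOW):
    """Map credential id -> finding, most urgent (decommission) first."""
    order = {"decommission": 0, "rotate": 1}
    findings = {c["id"]: classify(c, now) for c in inventory}
    findings = {cid: action for cid, action in findings.items() if action}
    return dict(sorted(findings.items(), key=lambda kv: order[kv[1]]))


if __name__ == "__main__":
    for cid, action in audit(INVENTORY).items():
        print(f"{action:12s} {cid}")
```

In a real environment the inventory would be pulled from the identity provider or secrets manager, and an unknown owner (as on the legacy export token above) is itself a signal that the credential belongs on the decommission list.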

The fact that Klue's affected customers are heavily drawn from the security industry adds a specific layer of complexity. Cybersecurity vendors hold data like customer telemetry, detection rules, tool configurations, and organizational structure — information that has no obvious direct market value to most criminal groups but carries intelligence value to the right parties. Whether the groups making threats now are motivated by money, espionage, or disruption, the affected security firms face a notification problem that compounds their core job of protecting their own customers.

Huntress published its breach investigation timeline publicly, reflecting the kind of transparent incident handling the security industry consistently endorses and inconsistently executes. That transparency also makes Huntress a reference point for other affected organizations working through their own notification obligations.

The situation is still developing. A second threat actor group is making threats as of June 25, 2026, and the full scope of what was stolen before any deletion occurred has not been publicly confirmed. Organizations that are Klue customers — particularly those in security — should assume their data has been seen by at least two separate threat actor groups, regardless of what either group does with it next.