
TL;DR
Klue says Icarus is deleting stolen data and its site is down, but a second hacker group claims it stole the data from Icarus and is extorting victims.
Klue, the market intelligence firm whose breach earlier this month exposed customer data at LastPass, HackerOne, and nearly a dozen other companies, says the hacking group responsible is now cooperating and deleting the stolen data. But a second, unnamed group of hackers has emerged claiming to possess the same data and is attempting to extort affected companies directly, according to a private customer update obtained by TechCrunch.
In a Thursday night communication to customers, Klue said it is in contact with the hacking group Icarus, which breached its systems on June 12 and stole customer data by exploiting a compromised credential from 2022. “Icarus told us they are taking steps to delete the data taken from Klue customers,” the company wrote, adding that the Icarus website remains down and that there are indications the deletion is underway.
The apparent resolution comes with a significant complication. According to Klue, Icarus informed the company that a second group of hackers obtained the stolen data, reportedly by exploiting a mistake made by the Icarus operator. This second group has posted a list of allegedly affected companies on its own website and is demanding payment from victims.
“Pay the ransom or we will leak everything if you no pay us,” the second group wrote on its site, where it claimed there are 195 affected Klue customers in total, according to TechCrunch. The hackers also alleged that Klue paid the original Icarus operator, whom they described as a teenager in the UK. TechCrunch said it could not independently verify the payment claim.
Klue told customers that Icarus believes the second group has only samples of data for a subset of customers, not the full dataset. The company also relayed a striking instruction from Icarus: it asked Klue to tell its customers not to make payment to the second group. Klue suggested that affected customers in contact with the second group request a random sample of data as proof of possession.
The breach has already produced a long list of confirmed victims. Supply chain attacks have become a defining pattern in 2026, and the Klue incident follows the same template: rather than attacking targets directly, the hackers compromised a vendor that held OAuth tokens granting access to customers’ Salesforce environments. Companies that have publicly confirmed they were affected include Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, and Tanium.
Klue previously disclosed that the attackers gained initial access using a third-party credential created in 2022 as part of a limited pilot programme. The credential was never revoked, even though the integration it was built for was abandoned. Klue has not identified who the credential was assigned to or why it remained active for four years.
The situation illustrates a dynamic that cybersecurity incidents in 2026 have repeatedly demonstrated: breaches do not end when the initial attacker is identified. Stolen data moves between criminal groups, multiplying the extortion risk for victims who may believe the threat has passed. Whether Icarus is genuinely deleting the data, or whether the second group possesses enough to carry out its threats, are questions that Klue’s customers cannot yet answer with confidence.
A Klue spokesperson did not respond to TechCrunch’s request for comment on whether the company paid Icarus. The Icarus website remained down as of Thursday morning.
Original source: The Next Web

