Cybersecurity · June 28, 2026 · 9 min read · By XOOMAR Insights Team

Klue Supply Chain Hack Spirals After Hackers Rob Icarus

Updated on June 28, 2026

The Klue supply chain hack now signals a deeper problem than the original breach: even the attackers may have lost control of the stolen data they were using for extortion.

XOOMAR Intelligence Analyst Take: 71/100 (High). 4 sources analyzed, medium confidence. Trend 10 · Freshness 99 · Source Trust 85 · Factual Grounding 88 · Signal Cluster 20

That is the strange core of the incident. Klue, a market research provider, was hit by the Icarus ransomware group, and a second unnamed group now claims it broke into Icarus and stole the same customer data, according to TechRadar Pro. The result is a layered extortion mess: Klue customers face the original breach, a possible secondary theft, and competing criminal claims about who has what.

“We continue to communicate with the threat actor we have been in contact with (‘Icarus’). Icarus told us they are taking steps to delete the data taken from Klue customers. The Icarus site remains down and we have indications that Icarus is indeed taking steps to delete data taken from Klue customers.”

That message, shared privately with Klue customers and seen by TechCrunch, should have been a sign of containment. Instead, it became the opening act for a second extortion attempt.

The Klue supply chain hack turned cyber extortion into a thief-robs-thief story

The strangest part of the Klue supply chain hack is not that a vendor became a path into customer data. The sharper signal is that the criminal group accused of stealing the data now appears to have become a target itself.

Klue has said it is in contact with Icarus, which claimed possession of stolen data and threatened to leak it to pressure the company. Then a second unnamed group surfaced, claiming it had accessed an Icarus member's environment and taken the customer data Icarus had already stolen from Klue.

That matters because data extortion depends on one idea: the attacker controls the asset. If victims believe the attacker can delete, withhold, sell, or leak the files, the attacker has bargaining power. If another crew has copied the same data, that control collapses.

The strongest counterpoint is that the second group may be exaggerating. Klue told customers that Icarus said the unnamed group had only samples, not the full dataset. But the central risk remains. Once stolen data moves outside the original trusted environment, no victim can rely on one criminal’s promise that deletion has solved the exposure.


How Icarus allegedly lost control of Klue customer data

The reported chain starts with Klue’s systems and ends inside Icarus’s own infrastructure. TechCrunch reported that Klue said attackers accessed its systems on June 12 using a “compromised legacy credential” tied to an integration tool that let customers connect cloud data to Klue accounts.

That is why this incident hit beyond Klue. The affected companies named in the supplied reporting include LastPass, Gong, Jamf, HackerOne, Huntress, and others. TechCrunch also reported that companies including Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium confirmed they had data stolen.

The second breach, if accurate, happened after Icarus had already collected the data. The unnamed group claimed one Icarus member accidentally allowed it to connect to the server hosting the stolen Klue data. That claim has not been independently proven in the supplied material, but it fits the practical problem facing victims: attackers store stolen files somewhere, and those storage points can become new targets.

XOOMAR analysis: this is the part standard breach language often misses. “Exfiltrated data” is not static. It can be copied, mirrored, traded, sampled, reposted, or stolen again. If the second group has meaningful access, Klue’s ability to negotiate with Icarus becomes far less useful.

The evidence burden now sits on samples, logs, and timestamps

Criminal claims are cheap. In the Klue case, the facts that matter now are technical and narrow: who accessed what, when, from where, and how much data left each environment.

The unnamed group reportedly posted a list of affected companies on its own website and claimed to have stolen the data from Icarus. It also alleged that an “Icarus operator who is a teenager living somewhere in the UK or adjacent countries” had been paid by Klue to delete the stolen data. The supplied reporting says there is no evidence Klue paid Icarus.

Klue’s practical advice to customers was revealing. The company suggested customers ask the second group for random samples of their data to test whether the group actually has the full set. That is not comfort. It is triage.

Data or claim at issue | Status in supplied reporting | Why it matters
Business contact information | Reported by affected companies via TechCrunch, including names, emails, phone numbers, job titles, and some account information | Useful for phishing and targeted social engineering
Number of affected Klue customers | Not confirmed by Klue in supplied reporting | Determines notification, legal, and operational scope
Full dataset held by second group | Disputed; Icarus reportedly told Klue the group had only samples | Changes the risk from limited proof to broader exposure
Klue payment to Icarus | Alleged by unnamed group; no evidence in supplied reporting | Could affect trust in deletion claims, but remains unverified
Credentials, source code, contracts, internal chats, support tickets | Not established in supplied reporting | Should not be assumed exposed without validation

XOOMAR analysis: file hashes, access logs, validated random samples, and a defensible timeline matter more than screenshots or leak-site theater. If multiple groups handled the same files, responders must prove provenance, not just possession.

Klue, customers, Icarus, and rival hackers all want different outcomes

Klue’s immediate job is to confirm the breach scope, preserve evidence, brief customers, and avoid saying more than its forensic evidence supports. The company has already said Icarus claimed to be deleting the data and that Icarus’s site remains down.

Customers have a different priority. They need to know whether their own records, employee details, customer contact data, cloud integrations, or authentication paths are exposed. If Klue’s integration access touched systems such as Salesforce databases, as TechCrunch reported, customers have to inspect connected environments rather than treat this as a vendor-only incident.

Icarus faces a reputational problem inside its own criminal market. A group that loses stolen data looks careless. Its threat to delete data also becomes less persuasive if a rival group can still extort the same victims.

The second group’s incentive is simpler: convert someone else’s theft into its own payday. Klue relayed one striking instruction from Icarus:

“Icarus has asked us to inform Klue customers to not make payment to this other party.”

That is a darkly comic sentence, but it also shows the power struggle. Two criminal actors now appear to be fighting over the same extortion surface.


Hackers stealing from hackers adds a supply chain twist

Cybercriminal infighting is not new. Rival crews expose each other, steal databases, seize leak sites, and weaponize identities. What makes the Klue incident sharper is the vendor chain beneath it.

A traditional breach has one victim and one attacker. Here, the alleged path runs from Klue’s customers, through Klue’s integration access, to Icarus, and then from Icarus to a second unnamed group. The exposure chain now includes the original vendor, the vendor’s customers, the first attacker, and the attacker’s attacker.

For XOOMAR readers tracking how security failures can spill across organizations, this sits alongside broader cyber incident coverage such as Russian Hackers Turn Jaguar Land Rover Hack Into $2.5B Hit and Rogue Root Account Exposes Cisco SD-WAN Zero-Day Hack. The Klue case is different on the facts, but the common thread is concentration risk: one access point can create consequences far beyond the first system touched.

The counterpoint is that the second group’s access may be limited. If it only has samples, the damage is narrower. But breach response cannot assume there is one adversary or one copy of the data. The Klue supply chain hack shows why that assumption is now dangerous.

Klue users should treat the data as out of control until proven otherwise

The practical lesson is blunt: don’t rely on ransom negotiations, takedown claims, or attacker promises of deletion. Even if Icarus is deleting data, the unnamed group’s claim means customers have to plan as if at least some copied material may remain outside Klue’s reach.

XOOMAR analysis: affected organizations should prioritize a short list of actions tied to the reported facts.

  • Credential rotation: Rotate or revoke credentials, tokens, and API keys connected to Klue or related integrations, starting with legacy and dormant ones, since the reported entry point was a compromised legacy credential.
  • Integration audit: Identify which cloud systems were linked to Klue, especially customer-data stores.
  • Log review: Check access records around June 12 and after, including unusual exports or third-party activity.
  • Phishing monitoring: Treat exposed business contact information as fuel for targeted outreach.
  • Notification planning: Prepare customer and regulator communications only around validated data categories.
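As an added example (not code from Klue, TechCrunch, or any vendor named above), the following Python script carries out the credential-audit and log-review steps above against constructed data: a hypothetical inventory of integration credentials and a few JSON-per-line access events. The field names (cred_id, app, action, records), the idle threshold, the volume multiplier, and the sample records are assumptions for illustration; the June 12 cutoff is the date reported for the first access. It flags credentials that are still valid but long idle, and post-cutoff activity that uses a credential never seen before the cutoff or moves far more records than that integration's pre-cutoff baseline.

```python
"""Integration triage: find stale integration credentials and flag unusual
third-party exports after a cutoff date. Added example, not Klue's or any
vendor's code. Log format, field names and records below are constructed."""
from datetime import datetime, timedelta, timezone
import json

CUTOFF = datetime(2026, 6, 12, tzinfo=timezone.utc)   # first reported access
AS_OF = datetime(2026, 6, 28, tzinfo=timezone.utc)    # date of the review

# Constructed inventory: one row per token/key granted to an integration.
INVENTORY = [
    {"cred_id": "key-0017", "app": "klue-connector", "created": "2023-02-01", "last_used": "2024-09-30"},
    {"cred_id": "key-0042", "app": "klue-connector", "created": "2025-11-12", "last_used": "2026-06-27"},
    {"cred_id": "key-0088", "app": "bi-dashboard",   "created": "2026-01-05", "last_used": "2026-06-26"},
]

# Constructed access log from a customer data store, one JSON object per line.
RAW_LOG = """
{"ts": "2026-06-01T09:10:00Z", "cred_id": "key-0042", "app": "klue-connector", "action": "query",  "records": 1200}
{"ts": "2026-06-05T09:10:00Z", "cred_id": "key-0042", "app": "klue-connector", "action": "query",  "records": 1100}
{"ts": "2026-06-10T09:10:00Z", "cred_id": "key-0088", "app": "bi-dashboard",   "action": "export", "records": 500}
{"ts": "2026-06-12T23:41:00Z", "cred_id": "key-0017", "app": "klue-connector", "action": "export", "records": 48000}
{"ts": "2026-06-13T02:05:00Z", "cred_id": "key-0017", "app": "klue-connector", "action": "export", "records": 52000}
{"ts": "2026-06-14T09:10:00Z", "cred_id": "key-0042", "app": "klue-connector", "action": "query",  "records": 1150}
"""


def parse_log(raw):
    """Parse JSON-per-line events; skip blank lines; make timestamps tz-aware."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def stale_credentials(inventory, as_of, max_idle_days=90):
    """Credential ids not used within max_idle_days of as_of.

    A credential that is still valid but long idle is the forgotten access path
    the article warns about; revoke it instead of waiting for someone to use it.
    """
    stale = []
    for row in inventory:
        last_used = datetime.strptime(row["last_used"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if as_of - last_used > timedelta(days=max_idle_days):
            stale.append(row["cred_id"])
    return stale


def suspicious_activity(events, cutoff, volume_factor=5):
    """Flag post-cutoff events that use a credential never seen before the cutoff,
    or that move more than volume_factor times the app's largest pre-cutoff count.
    Baseline is built only from events before the cutoff so the incident itself
    cannot inflate it."""
    seen_creds = set()
    baseline = {}
    for e in events:
        if e["ts"] < cutoff:
            seen_creds.add(e["cred_id"])
            baseline[e["app"]] = max(baseline.get(e["app"], 0), e["records"])

    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = []
        if e["cred_id"] not in seen_creds:
            reasons.append("credential unseen before cutoff")
        if e["records"] > volume_factor * baseline.get(e["app"], 0):
            reasons.append("volume above %dx pre-cutoff baseline" % volume_factor)
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "cred_id": e["cred_id"],
                "app": e["app"],
                "action": e["action"],
                "records": e["records"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    print("stale credentials:", stale_credentials(INVENTORY, AS_OF))
    for f in suspicious_activity(parse_log(RAW_LOG), CUTOFF):
        print(f)
```

Against the constructed data, the idle credential key-0017 is reported as stale, and the two large exports it performed on June 12 and 13 are flagged on both counts, while the integration's normal daily queries after the cutoff are not. On real systems the same two rules apply to whatever the data store's audit log exposes for the credential, client application, and record count; the point is to keep the baseline pre-incident and to treat an old but still valid credential as a finding in its own right.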

This is also a governance problem. Companies using SaaS integrations need clearer maps of where data flows, what privileges vendors hold, and which old credentials remain active. The supplied reporting says the attackers used a compromised legacy credential. That phrase should make every security team ask how many forgotten access paths still exist in their own stack.

After Icarus loses Klue data, attribution gets murkier

The next phase will hinge on proof, not claims. Evidence that would support Klue’s containment narrative includes validated deletion signals, limited sample possession by the second group, and logs showing no broader copying from Icarus infrastructure. Evidence that would weaken it includes fresh leaks, independently verified full datasets, or customer-specific files that the second group should not have if it only held samples.

More criminal-on-criminal raids are a rational expectation, based on this case alone: stolen breach archives have value, and the groups holding them may not secure their own servers any better than the companies they attack.

The Klue and Icarus episode leaves one hard lesson: once data leaves a trusted environment, even the criminals may not know where it will land next.

Impact Analysis

  • The incident shows that stolen customer data can spread beyond the original attackers, making containment harder.
  • Victims may face multiple extortion attempts even after a ransomware group claims it will delete data.
  • The case highlights the added risk companies inherit when sensitive data is exposed through a vendor.

Actors in the Klue supply chain hack

Party | Role | Claim or status
Klue | Market research provider and breach victim | Says it is communicating with Icarus and has indications Icarus is taking steps to delete stolen customer data
Icarus | Ransomware group accused of stealing Klue customer data | Claimed possession of stolen data and threatened to leak it for extortion
Unnamed hackers | Second criminal group | Claims it broke into Icarus and stole the same Klue customer data

Written by

XOOMAR Insights Team

Research and Editorial Desk

The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.
