
Research firm Klue has disclosed that a credential from a restricted pilot program dating to 2022 was exploited by hackers earlier this month to obtain vast amounts of data from its corporate clients, including several firms in the cybersecurity sector.
This new information indicates that Klue might have had ample time to retire the credential utilized in the pilot, raising concerns about the company’s security measures and what preventive steps could have been taken to safeguard its clients’ data.
The intrusion at Klue, which is headquartered in Vancouver, was detected on June 12 and made public last Friday. It allowed cybercriminals to retrieve data from numerous clients, among them the maker of password manager LastPass and several other cybersecurity firms. Klue’s systems store the keys (referred to as OAuth tokens) used to retrieve its clients’ data saved in various clouds and databases. The attackers leveraged their access to those systems to download that information and extort the firms.
Klue spokesperson Katie Berg informed TechCrunch that the ongoing investigation suggests the credential utilized by the attackers to access client data “was initially given to a third-party in 2022, for a limited pilot.”
When queried by TechCrunch, Klue declined to explain the pilot’s purpose or its duration, or to disclose the identity of the third party that received the credential. Klue also did not clarify why the credential was not revoked after the pilot’s conclusion.
Klue did not reply to follow-up inquiries regarding the incident prior to publication.
Uncertainties surround the incident as the company states its investigation is ongoing.
Klue has not disclosed what type of credential was compromised, merely mentioning in a blog post that it was a “legacy credential linked to an integration service.” Klue also did not specify whether the credential was an employee’s username and password, or whether it believes the credential was taken from the third party rather than its own systems.
These specifics could be vital for understanding how the breach occurred — and for preventing similar incidents in the future.
In its statement to TechCrunch, Klue added that the firm is “undertaking a thorough review of credential management, vendor access controls, monitoring capabilities, and deployment security processes,” without providing additional details.
A hacking collective known as Icarus has claimed responsibility for the breach on its data leak platform and has issued public threats to release the stolen data if their ransom demands are not met.
Klue has not indicated whether it has engaged with the hackers or if it plans to acquiesce to their demands.
Do you have further information regarding the Klue cyberattack? Are you a business impacted by the breach? We would like to hear from you. To securely reach out to Zack Whittaker, contact him via Signal at username zackwhittaker.1337.

