Market research company Klue has confirmed that a credential dating back to 2022, part of a limited pilot, was exploited by hackers earlier this month to steal vast amounts of data from its corporate customers, including several cybersecurity companies. This raises questions about Klue's security posture and why the credential was not decommissioned after the pilot ended.
2022 credential still active after pilot concluded
Klue spokesperson Katie Berg stated that the credential was originally provided to a third party for a limited pilot, but the company did not explain why it was never revoked. This oversight left a door open for attackers, similar to the Tata Electronics cyberattack, where confidential documents were leaked. The hackers used the credential to access Klue's systems and stole OAuth tokens, which are keys to customer data stored in other clouds and databases.
Hackers exploited OAuth tokens to access sensitive customer data
The breach, detected on June 12, allowed the hacker group Icarus to steal data from password manager LastPass and other cybersecurity firms. Icarus has threatened to release the stolen data unless a ransom is paid. Klue has not disclosed whether it has communicated with the attackers or plans to pay. OAuth tokens are critical security elements; as explained on Wikipedia, they grant access without passwords, making their protection essential. This incident mirrors the Meta Oversight Board's call for stronger protections against data misuse.
Klue launches comprehensive review of credential management
Klue announced a full review of credential management, vendor-access controls, and security processes. However, it has not clarified the type of credential stolen or whether it believes the credential was taken from the third party. The incident underscores the need for strict credential hygiene, as discussed in the article on Rate Limiting for APIs. Transparency and prompt disclosure are vital to mitigate damage and prevent recurrence.
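The failure described above (a pilot credential issued to a third party that was never revoked, and long-lived OAuth tokens) is the kind of thing a periodic credential-inventory audit catches. The following is an added example, not Klue's code or data: the inventory records, field names and the one-year token rotation window are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed audit date (assumption, chosen to match the article's June timeframe).
AS_OF = date(2025, 6, 12)

# Constructed sample inventory (not Klue's data): one record per issued credential.
# "pilot_ends" is the date a pilot was meant to conclude; "expires" is the hard
# expiry set on the credential itself, None if it was issued without one.
INVENTORY = [
    {"id": "pilot-partner-2022", "kind": "api_key", "third_party": True,
     "issued": date(2022, 3, 1), "pilot_ends": date(2022, 9, 30),
     "expires": None, "active": True},
    {"id": "svc-ingest", "kind": "api_key", "third_party": False,
     "issued": date(2024, 1, 15), "pilot_ends": None,
     "expires": date(2026, 1, 15), "active": True},
    {"id": "oauth-crm-sync", "kind": "oauth_refresh", "third_party": False,
     "issued": date(2023, 2, 1), "pilot_ends": None,
     "expires": None, "active": True},
    {"id": "pilot-2021-closed", "kind": "api_key", "third_party": True,
     "issued": date(2021, 5, 1), "pilot_ends": date(2021, 12, 31),
     "expires": None, "active": False},
]


def audit_credentials(inventory, today=AS_OF, max_token_age=timedelta(days=365)):
    """Return (credential id, reason) pairs for active credentials that break
    the hygiene rules: pilot concluded but still active, third-party credential
    with no expiry, or OAuth refresh token older than the rotation window."""
    findings = []
    for cred in inventory:
        if not cred["active"]:
            continue  # already revoked; nothing to flag
        if cred["pilot_ends"] is not None and cred["pilot_ends"] < today:
            findings.append((cred["id"], "pilot concluded but credential still active"))
        if cred["third_party"] and cred["expires"] is None:
            findings.append((cred["id"], "third-party credential issued without expiry"))
        if cred["kind"] == "oauth_refresh" and today - cred["issued"] > max_token_age:
            findings.append((cred["id"], "OAuth refresh token past rotation window"))
    return findings


if __name__ == "__main__":
    for cred_id, reason in audit_credentials(INVENTORY):
        print(f"{cred_id}: {reason}")
```

Run against the sample inventory, the 2022 pilot credential is flagged twice (pilot over, no expiry) and the refresh token once; the already-revoked 2021 credential is skipped.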