Klue reports that the hackers responsible for stealing customer data are in the process of deleting it, while a second group has come forward with extortion demands.
**Summary:** Klue reports that Icarus, the group responsible for a recent data breach, is deleting the stolen information and has taken down its website. However, another hacker group claims to have acquired the same data and is now extorting affected companies.
Klue, a market intelligence company whose breach this month exposed customer data from LastPass, HackerOne, and several other firms, announced that Icarus is cooperating and deleting the stolen information. Nevertheless, an unnamed hacker group has surfaced, asserting it has the same data and is reaching out to victims for extortion, as detailed in a confidential customer update obtained by TechCrunch.
In a message to customers on Thursday evening, Klue acknowledged ongoing communication with Icarus, which hacked its systems on June 12 using a compromised credential from 2022 to steal customer information. Klue noted that Icarus is reportedly deleting the data and that the group's website is currently down, with signs indicating the deletion is happening.
This resolution comes with a complicating factor: Icarus informed Klue that a second group of hackers gained access to the stolen data, allegedly due to an error made by Icarus. The second group has listed the firms it claims are affected on its website, demanding ransom from the victims.
The second group's message read, "Pay the ransom or we will leak everything if you no pay us," and asserted that 195 Klue customers are impacted, according to TechCrunch. The group also claimed that Klue paid the original Icarus hacker, described as a teenager in the UK, a statement TechCrunch could not verify independently.
Klue reassured customers by stating that Icarus believes the second group only has samples of data from a limited number of customers, not the complete dataset. Icarus further urged Klue to inform its clients not to pay the second group. Klue recommended that affected customers who communicate with this group ask for a random sample of data to confirm possession.
The breach has resulted in a significant number of confirmed victims. Supply chain attacks have become prevalent in 2026, with the Klue incident exemplifying this trend. Instead of attacking each company directly, the hackers compromised a vendor that held OAuth tokens providing access to customers' Salesforce accounts. Companies that have confirmed they were affected include Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, and Tanium.
Klue previously stated that initial access was gained through a third-party credential created in 2022 for a limited pilot program. This credential was never revoked, even after the integration for which it was intended was abandoned. Klue has yet to reveal who was assigned this credential or why it remained active for four years.
This situation highlights a recurring pattern in cybersecurity incidents observed in 2026: breaches do not conclude when the initial culprit is discovered. Stolen data tends to circulate among criminal groups, increasing the extortion risks for victims who may believe the threat has dissipated. Questions remain for Klue's customers about the authenticity of Icarus's data deletion and the extent of the second group's possession of the data.
A spokesperson for Klue did not reply to TechCrunch's inquiry regarding whether the company made any payment to Icarus. As of Thursday morning, the Icarus website was still non-operational.
