Klue reports that the hackers responsible for stealing customer data are removing it, but another group has surfaced with demands for extortion.

      **TL;DR** Klue reports that Icarus is in the process of deleting stolen data and their website is currently down, while a second hacker group claims to have stolen the same data from Icarus and is extorting victims.

      Klue, a market intelligence firm that recently experienced a data breach exposing customer information from LastPass, HackerOne, and several other companies, has stated that the hacking group Icarus is cooperating with them and deleting the stolen information. However, a second, unnamed hacker group has surfaced, claiming to have access to the same data and is directly attempting to extort the companies affected, as noted in a private customer update shared with TechCrunch.

      In a message to clients on Thursday night, Klue mentioned it is communicating with Icarus, which infiltrated its systems on June 12 by exploiting a compromised credential from 2022. Klue reported that Icarus indicated they are taking action to erase the data retrieved from Klue's customers and confirmed that the Icarus website is still down, with signs of deletion occurring.

      This apparent resolution is complicated by new developments. Icarus informed Klue that a second group of hackers has acquired the stolen data, allegedly due to a mistake made by the Icarus operator. This new group has listed the companies they claim are affected on their own site and are soliciting payments from victims.

      "Pay the ransom or we will leak everything if you do not pay us," stated the second group on their site, which claims that 195 Klue customers are involved, according to TechCrunch. They also suggested that Klue paid the original Icarus operator, whom they describe as a teenager from the UK. TechCrunch could not independently verify this claim regarding payment.

      Klue reassured customers that Icarus believes the second group only has sample data from a fraction of the customers, not the entire dataset. Furthermore, Icarus requested that Klue inform its customers not to pay the second group. Klue recommended that affected customers in touch with this group ask for a random data sample to confirm ownership.

      This breach has resulted in a growing list of confirmed victims. Supply chain attacks have become a prevalent issue in 2026, with the Klue incident following this pattern: rather than targeting individuals directly, the hackers compromised a vendor that possessed OAuth tokens granting access to customers’ Salesforce environments. Publicly confirmed affected companies include Gong, Jamf, HackerOne, Huntress, Insurity, LastPass, OneTrust, Recorded Future, ReliaQuest, Snyk, Sprout Social, and Tanium.

      Klue previously revealed that the attackers gained initial access through a third-party credential created in 2022 for a limited pilot program. This credential was never revoked, despite the integration it was intended for being abandoned. Klue has not disclosed who the credential belonged to or why it remained active for four years.

      The situation reflects a recurring theme in cybersecurity incidents in 2026: breaches do not conclude once the initial attacker is identified. Stolen data tends to circulate among criminal organizations, increasing the extortion risks for victims who may think the threat has subsided. It remains uncertain whether Icarus is genuinely deleting the data, or if the second group has sufficient information to fulfill its threats.

      A spokesperson for Klue did not respond to TechCrunch’s inquiry regarding whether the company paid Icarus. As of Thursday morning, the Icarus website was still down.