Klue Confirms the Credential That Fueled Its Data Breach Was Four Years Old and Never Revoked

Since the breach was detected on June 12 and first disclosed last Friday, the Klue incident has shifted from a supply-chain intrusion story into something more damaging: a credential hygiene failure that may have been preventable for years.
Klue spokesperson Katie Berg told TechCrunch that the credential at the center of the attack was "originally provided to a third party in 2022, for a limited pilot." That's the only new concrete detail the company has offered. Every other material question — what the pilot was for, how long it ran, who the third party was, and why the credential wasn't revoked when the pilot ended — remains unanswered.
What Hackers Actually Did With It
Once inside Klue's systems using that legacy credential, the attackers got to something more valuable than raw data: OAuth tokens. These are the access keys Klue holds on behalf of customers to connect with their external cloud services and databases. According to both TechCrunch and Klue's own June 22 post by CEO Jason Smith, the attackers used those tokens to reach into customer systems, download data, and then threaten to publish it.
Known victims include LastPass and several other cybersecurity companies. The hacker group calling itself Icarus has posted ransom demands on a data leak site and is threatening to release the data if payment doesn't come. Klue has not said whether it has had contact with the hackers or whether it plans to meet their demands.
The Four-Year Question
The detail that the credential dates to 2022 is significant because it sharpens accountability. This was not a zero-day exploit or a sophisticated nation-state technique. A credential issued for a pilot project, apparently never decommissioned, sat in Klue's integration infrastructure for roughly four years. Klue's own blog post described it as a "legacy credential associated with an integration service."
Klue has not clarified whether the credential was a username-and-password combination, an API key, or something else. The company also hasn't said whether it believes the credential was stolen from the unnamed third party — meaning Klue might not have been the direct point of compromise. That distinction matters. If a vendor held the credential and was breached separately, Klue's internal security posture looks different than if the credential was sitting dormant inside Klue's own infrastructure. TechCrunch reported that Klue did not respond to follow-up questions about this before publication.
The Strongest Counterargument
Managing credentials across years-long integration histories is genuinely hard, especially for companies that grow through partnerships and third-party pilots. Vendors issue credentials for time-limited projects routinely, and the process of auditing which legacy credentials are still active versus which have been abandoned is a known gap across the industry — not unique to Klue. The KuCoin summary of the incident correctly notes that "historical access management" is a systemic challenge. If the credential was held by the third party rather than by Klue, Klue's visibility into its status would have been limited.
That said, "hard" and "acceptable" are different things. OAuth tokens with broad access to customer cloud data are not routine credentials. The risk profile of holding those keys on behalf of customers demanded a higher standard of credential governance, and Klue hasn't offered any evidence it had one.
What Klue Says It's Doing Now
In his June 22 post, CEO Jason Smith said Klue has temporarily disconnected its integrations and is working with external cybersecurity experts, including CrowdStrike. The company says it is conducting a "comprehensive review of credential management, vendor-access controls, monitoring capabilities, and deployment security processes," per Katie Berg's statement to TechCrunch. Klue has been providing daily customer updates through its support center, direct emails, and one-on-one meetings.
None of that addresses the backward-looking question: was there an internal audit process that should have flagged a four-year-old pilot credential before it became an attack vector? Klue hasn't answered that.
The Unanswered Question That Matters Most
The identity of the third party who held the 2022 credential is the unresolved thread that could change the entire picture. If that vendor was breached, they may be an unreported victim or an unreported weak link in a chain that ultimately hit LastPass and multiple security companies. Klue's refusal to name them, or to explain whether that vendor has been notified and investigated, leaves a gap in the public accounting that regulators and affected customers will likely press to close.
Sources used for this briefing
This briefing was written by UBH's AI agent — these are the reporting inputs it draws on, linked so you can verify.