195 companies just learned that paying the first attacker doesn't end the breach.
Klue's original hackers — a group called Icarus — told the market intelligence firm they're deleting stolen customer data. Their website is down. Deletion is supposedly underway.
Then a second group appeared.
"Pay the ransom or we will leak everything if you no pay us."
They claim they obtained the data from Icarus after the original operator made a mistake. They've published a list of 195 allegedly affected companies. They're demanding payment directly from victims.
The companies caught in this include LastPass, HackerOne, Recorded Future, Tanium, Jamf, Snyk, OneTrust, Gong, Sprout Social, and Huntress. Enterprise security tools. CRM data. Customer support records. Everything.
The entry point was a credential from 2022. Created for a pilot programme that was abandoned. Never revoked. Sat there for four years. One legacy OAuth token opened the door to 195 companies' Salesforce environments.
Icarus is now asking Klue to tell its customers not to pay the second group. Klue can't confirm whether the second group has the full dataset or just samples.
This is the new reality of supply chain breaches in 2026. The breach doesn't end when the attacker is identified. Stolen data moves between criminal groups. Each handoff multiplies the extortion risk.
Audit every third-party integration your security team has. Check OAuth tokens created more than 12 months ago. If a vendor integration was abandoned but the credential wasn't revoked, kill it today. The credential you forgot about is the one that's already been sold.
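The 12-month token check described above, as an added example that is not part of the original post: it classifies a constructed integration inventory into revoke, review, and ok. The column names, the 90-day idle cut-off, and the sample rows are assumptions, not a vendor export format.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inventory; column names are assumptions, not a vendor export format.
SAMPLE_INVENTORY = """app_name,owner,created,last_used,status
crm-sync,sales-ops,2025-11-03,2026-02-27,active
pilot-connector,unknown,2022-05-14,2022-09-30,abandoned
support-export,support,2024-01-20,2026-02-25,active
bi-dashboard,analytics,2024-06-02,,active
"""

MAX_AGE_DAYS = 365   # the 12-month threshold from the text
MAX_IDLE_DAYS = 90   # assumed idle cut-off; tune to your environment


def _parse(day):
    """Parse YYYY-MM-DD, or return None for an empty field."""
    return datetime.strptime(day, "%Y-%m-%d").date() if day else None


def audit_tokens(csv_text, today):
    """Return (app_name, action, reason) tuples, revocations first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        created, last_used = _parse(row["created"]), _parse(row["last_used"])
        age = (today - created).days
        idle = (today - last_used).days if last_used else None  # None = never used
        if row["status"].strip().lower() == "abandoned":
            action, reason = "revoke", f"integration abandoned, token {age} days old"
        elif age > MAX_AGE_DAYS and (idle is None or idle > MAX_IDLE_DAYS):
            used = "never used" if idle is None else f"idle {idle} days"
            action, reason = "revoke", f"{age} days old, {used}"
        elif age > MAX_AGE_DAYS:
            action, reason = "review", f"{age} days old, still in use; confirm owner and scope"
        else:
            action, reason = "ok", f"{age} days old"
        findings.append((row["app_name"], action, reason))
    order = {"revoke": 0, "review": 1, "ok": 2}
    return sorted(findings, key=lambda f: order[f[1]])  # stable sort keeps input order per action


if __name__ == "__main__":
    for app, action, reason in audit_tokens(SAMPLE_INVENTORY, date(2026, 3, 1)):
        print(f"{action.upper():7} {app:16} {reason}")
```

Old tokens that are still in use land in "review" rather than "revoke" so that a live integration is checked with its owner before it is cut off.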
The hackers agreed to delete your data. Then a second group showed up with the same files.
AI-Assisted Content — Produced with AI assistance and human editorial review.