Klue, the market intelligence platform that sells competitive data to security firms, was breached on June 12.
The attack vector was a credential from 2022. Never revoked. Four years old.
The Icarus group used it to steal OAuth tokens connecting Klue to customers' Salesforce environments. The list of confirmed victims reads like a who's who of enterprise security:
LastPass. HackerOne. Recorded Future. Snyk. Tanium. Jamf. OneTrust. Huntress.
195 customers total, according to the second group.
Here's where it gets worse. Icarus says it's deleting the data. But a second, unnamed hacking group emerged claiming it stole the same data from Icarus by exploiting an operator mistake.
Their message to victims: "Pay the ransom or we will leak everything if you no pay us."
Your CISO's vendor shortlist just became a threat surface. These are the companies you trust to secure your infrastructure. They couldn't secure their own.
Audit every vendor integration that holds OAuth tokens or API keys. If you don't know which vendors have persistent access to your Salesforce, your code repositories, or your customer data, you're already exposed.
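One way to start that audit, as an added example that is not from the original post: a short Python check over a credential inventory that flags third-party tokens and keys that were never rotated, are overdue for rotation, or sit unused while still valid. The inventory rows, column names, thresholds and reference date are all constructed assumptions, not an export format of any product.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are assumptions for this example.
INVENTORY = """vendor,system,credential_type,issued,last_rotated,last_used
vendor-a,Salesforce,oauth_refresh_token,2022-03-14,,2026-06-10
vendor-b,GitHub,api_key,2025-11-02,2026-05-20,2026-06-11
vendor-c,Salesforce,oauth_refresh_token,2024-01-09,2024-01-09,2024-08-30
vendor-d,Data warehouse,api_key,2026-04-01,,2026-06-12
"""

MAX_AGE_DAYS = 90    # assumed rotation policy
MAX_IDLE_DAYS = 180  # assumed dormancy threshold


def parse_day(value):
    """Return a date for an ISO string, or None for an empty cell."""
    return date.fromisoformat(value) if value else None


def audit(inventory_csv, today, max_age=MAX_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """Return findings for stale or dormant vendor credentials, oldest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issued = parse_day(row["issued"])
        rotated = parse_day(row["last_rotated"])
        last_used = parse_day(row["last_used"])
        # Age counts from the last rotation, or from issuance if never rotated.
        age = (today - (rotated or issued)).days
        reasons = []
        if age > max_age:
            reasons.append("never rotated" if rotated is None else "rotation overdue")
        # A credential nobody uses but that still works is pure exposure.
        if last_used is None or (today - last_used).days > max_idle:
            reasons.append("dormant but still valid")
        if reasons:
            findings.append({"vendor": row["vendor"], "system": row["system"],
                             "type": row["credential_type"], "age_days": age,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)


if __name__ == "__main__":
    # Reference date is an assumption chosen for the sample data.
    for f in audit(INVENTORY, today=date(2026, 6, 12)):
        print(f"{f['vendor']:9} {f['system']:11} {f['type']:20} "
              f"{f['age_days']:5}d  {', '.join(f['reasons'])}")
```

Each finding is a candidate for revocation or rotation, and a vendor missing from the inventory altogether is a finding of its own.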
A four-year-old credential just compromise
Your cybersecurity vendor just got hacked through a vendor it never audited. Then the hackers got hacked.
AI-Assisted Content — Produced with AI assistance and human editorial review.