Cybersecurity · Saturday, 27 June 2026
01 · Briefing · what happened
Two dozen companies were breached through a vendor they'd plugged into years ago
A break-in at the market-research firm Klue rippled out to its customers — including the security firms LastPass and BeyondTrust — through standing connections nobody was watching.
Key takeaways
- Attackers broke into the vendor Klue and used standing access tokens — not customer passwords — to reach roughly two dozen of its customers, including the security firms LastPass and BeyondTrust.
- A token is a key you set up once and forget; it keeps opening a door long after you've stopped watching it, and a break-in at one shared vendor turns those keys against everyone plugged in.
- It's worth reviewing which apps you've granted standing access to your email, calendar, and cloud storage, and cutting off the ones you no longer use.
A break-in at one company kept opening doors at two dozen others — including security firms that sell protection for a living. The way it spread says more than the break-in itself.
What happened
Between June 11 and 12, attackers broke into Klue, a market-research platform that companies use to track their competitors.
An OAuth token is a standing key. When you connect one app to another — say, your competitor-tracking tool to your sales database — you don’t hand over your password. You hand over a token: a key that lets the first app reach into the second on your behalf, again and again, without asking you each time. Convenient. Also durable: the key keeps working until someone deliberately turns it off.
So when the attackers held Klue’s customer tokens, they held working keys into each of those customers’ systems — without ever touching a single customer’s password.
Who it reached
- Roughly two dozen companies have now told their own customers they were caught in it.
- Klue has hundreds of customers, and not all of them have reported in, so the real reach may be wider.
- A group calling itself Icarus claimed the theft and listed Klue and several customers on a leak site, demanding a ransom.
Why this is the shape that matters
Notice what the attackers never needed: a customer’s password, a customer’s second login check, a flaw in any customer’s own systems. They needed one weak door at the shared vendor, and the standing keys behind it did the rest.
This is how a supply-chain attack works — and why it’s worth understanding even if you’ve never heard of Klue. A supply-chain attack breaks into one supplier in order to reach everyone who relies on it. You can build a perfect wall around your own house and still be walked into through a door you opened years ago to a company you’ve half-forgotten.
A separate fix worth knowing about
In quieter news, Amazon patched a flaw in Amazon Q, its AI coding assistant for the popular VS Code editor.
The everyday version of all this isn’t a coding tool or a research platform. It’s the long list of apps you’ve granted access to your email, your calendar, your cloud storage — each holding a standing key you set up once and never looked at again.
02 · Lesson · why it matters
The keys that keep working after you've stopped watching
A password is something you prove each time. A token is a key you hand over once — and convenience is exactly the property that makes it dangerous to forget.
A door you opened years ago
Someone at each of those two dozen companies once did a small, sensible thing. They connected their competitor-tracking tool to their sales system so the two could share data without anyone copying spreadsheets by hand. It took two clicks. It worked. They moved on.
That small connection is the whole story. When attackers broke into Klue this month, they didn’t go hunting for each customer’s password. They didn’t have to. The connection was already built, and the key to it was already sitting there, still turned on.
Why the key outlives the moment
Most of us picture security as a password — something you prove you know, fresh, each time you log in. That’s a check. It happens, then it’s over.
A token is different. A token is a key you hand over once, so that one system can keep reaching into another on your behalf without bothering you again. That is the entire point of it. Nobody wants to re-approve every data sync forever. So the key is designed to keep working — quietly, on its own, until someone deliberately takes it back.
Read that property again, because it’s where the danger lives. The same thing that makes the key convenient — it keeps working without you — is the thing that makes it dangerous once you’ve forgotten it. A door that only opens when you’re standing there is safe when you walk away. A door that stays unlocked because you set it that way years ago is not.
The trust ran through one shared point
Here’s the part that turned one break-in into two dozen.
Each customer trusted Klue. Klue, in turn, held a working key into each customer’s systems. So the trust didn’t stay between two parties — it pooled at a single shared point. Whoever controlled that point controlled every key flowing through it.
The attackers found the weakest possible entry: an old login that should have been retired but still worked. One forgotten credential at the vendor. From there, the keys did the spreading. The customers’ own walls were never the problem. Some of those customers sell security walls for a living — and it made no difference, because the attack didn’t come at their wall. It came through the door they’d opened to a partner and stopped watching.
You are already holding some of these keys
This is the half of the picture that’s easy to read about a company and miss about yourself.
Think of the apps you’ve signed into “with Google” or “with your Apple account.” Each time, you didn’t give them your password — you handed over a token. The calendar tool that reads your schedule. The years-dead app you tried once. The service you stopped using but never disconnected. Every one of those is a standing key into your email or your files, set up once, working ever since, watched by no one.
You are not above this system, reading about other people’s mistakes. You are inside it, holding your own quiet pile of keys. Most of them are fine. The point isn’t fear — it’s that you can’t decide about a door you’ve forgotten exists. The companies caught in the Klue breach weren’t careless. They were just no longer looking at a connection that was still, faithfully, working.
On the whole
The forgotten connection is everywhere once you see it — between companies and their vendors, between you and the apps you’ve stopped using, between any two things that were linked once for convenience and never unlinked. The link keeps its promise long after the reason for it is gone. That’s not a flaw to be ashamed of; it’s the cost of a world built to save us from re-approving everything, forever.
What it asks of us is small and humble: every so often, to look at the keys we’ve handed out and ask which doors we’d actually want open today. Most of what fails in security isn’t dramatic. It’s a sensible decision from years ago that nobody went back to check — and a system in which one of us forgetting becomes a way into all of us.
03 · Lab · your turn
The Forgotten Keys
Rehearse reviewing the standing access you've granted and revoking the keys you no longer use, before a vendor breach turns them against you.
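The Lab's review exercise, as an added example that is not part of the original briefing: a small Python model of the standing-key property described in the Briefing (the token keeps opening the door until someone revokes it) and a review routine that flags which grants to cut. The app names, scopes, dates, the "needed scopes" table and the 90-day idle threshold are constructed assumptions, not data from the Klue incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Grant:
    """One standing OAuth grant: a key handed over once that keeps working."""
    app: str               # third-party app that holds the token
    scopes: tuple          # what the token lets that app reach
    issued: datetime       # when someone clicked "allow"
    last_used: datetime    # last time the key actually opened a door
    revoked: bool = False

# Constructed sample inventory, shaped like a provider's "connected apps" page.
NOW = datetime(2026, 6, 27)
GRANTS = [
    Grant("competitor-tracker", ("crm.read", "crm.write"), datetime(2022, 3, 1), datetime(2026, 6, 11)),
    Grant("calendar-helper", ("calendar.read",), datetime(2025, 9, 14), datetime(2026, 6, 26)),
    Grant("photo-print-app", ("drive.read", "mail.read"), datetime(2021, 1, 9), datetime(2021, 1, 9)),
]
# What each integration is documented to need (constructed); an unknown app needs nothing.
NEEDED = {"competitor-tracker": ("crm.read",), "calendar-helper": ("calendar.read",)}

def access(grant, scope):
    """The token's defining property: it opens the door until it is revoked."""
    return not grant.revoked and scope in grant.scopes

def revoke(grant):
    """Deliberately turning the key off is the only thing that stops it."""
    grant.revoked = True
    return grant

def stale_grants(grants, now=NOW, max_idle=timedelta(days=90)):
    """Live grants nobody has exercised within max_idle: keys still on, watched by no one."""
    return [g for g in grants if not g.revoked and now - g.last_used > max_idle]

def overbroad_grants(grants, needed=NEEDED):
    """Live grants whose scopes exceed what the integration is documented to need."""
    return [g for g in grants
            if not g.revoked and set(g.scopes) - set(needed.get(g.app, ()))]

def review(grants, needed=NEEDED, now=NOW):
    """Map each grant a periodic review would revoke to the reasons why."""
    findings = {}
    for g in stale_grants(grants, now):
        findings.setdefault(g.app, []).append("idle")
    for g in overbroad_grants(grants, needed):
        findings.setdefault(g.app, []).append("overbroad")
    return findings
```

On the sample inventory the review flags the long-dead photo app as both idle and overbroad, and the still-active competitor tracker as holding a write scope it does not need; the calendar helper passes.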
04 · Hope · carry this
The doors we forget are also the easiest ones to quietly close — the same week a breach spread through standing keys, the firms it touched proved how fast a connection can be cut once you simply look. None of us can watch everything, but the small, honest act of checking what we've handed out is always within reach, and it works.