One Dead 2022 Password Unlocked 200 Companies — Including LastPass Itself
Nobody hacked LastPass. Nobody smashed a firewall. Somebody just… found a login everyone forgot to turn off. In 2022. And it still worked.
1 forgotten credential → 200+ companies breached → OAuth master-keys for LastPass, Tanium, Jamf, Gong, Sprout Social, Recorded Future — a security-firm buffet, served by the Icarus extortion crew.
Okay so you’re not ready for this one. A company called Klue — one of those “spy on your competitors” tools nobody outside of sales teams has heard of — made a little test login back in 2022 for a pilot project. Then everyone went home. Nobody deleted it. Four years later, a crew walks in through that same door and walks out holding the keys to a couple hundred other companies. Including the password company. I mean. Read that twice.

🧩 Dumb Mode Dictionary (read this first, everything's easy after)
| Scary word | What it actually means |
|---|---|
| Supply chain attack | You don’t rob the bank. You rob the guy who cleans the bank and has all the keys. |
| SaaS vendor | A random company you pay monthly so you don’t have to build your own tool. They hold your data. |
| OAuth token | A “let this app peek into my account” pass. Like giving a valet your car key — except the valet key opens everything. |
| Credential | A login. Username + password. That’s it. |
| Salesforce environment | The giant filing cabinet where companies keep every customer’s name, email, and support chat. |
| Extortion group | Hackers who steal your files then go “pay us or the internet sees these.” |
📉 What actually went down (the short version)
- Klue is a “competitive intelligence” tool — sales teams use it to track rivals. To do its job, Klue holds OAuth tokens (those valet keys) for tons of customers.
- Back in 2022, someone made a login for a small pilot test. The test ended. The login never got deleted.
- In June 2026, the Icarus crew found that zombie login, used it to grab the OAuth tokens Klue was holding, and quietly reached into customer Salesforce cabinets.
- Then they dumped the loot on an “Icarus” leak site and said pay up.
One dead password. That’s the whole hack. No genius exploit. Just housekeeping nobody did.
💥 The victim list is unhinged (these are the pros)
This wasn’t some sleepy mom-and-pop list. The companies that got splashed:
| Company | What they do |
|---|---|
| LastPass | Literally sells password security |
| Tanium | Enterprise endpoint security |
| Jamf | Manages Apple devices for big orgs |
| Recorded Future | Threat intelligence. They warn people about hacks. |
| Gong / Sprout Social / Insurity | Sales AI, social tools, insurance software |
The people whose entire job is not getting hacked… got hacked. Through a vendor they trusted. That’s the part that should keep you up at night — it wasn’t their fault, and they still lost.
🗣️ What the timeline's saying
- “So LastPass got breached again and again it wasn’t even their servers.” (yes — remember 2022? this is a different, brand-new mess)
- “The scariest hacks in 2026 aren’t hacks. They’re forgotten checkboxes.”
- “Every company has a Klue. You just don’t know its name yet.”
- The stolen stuff: names, phone numbers, emails, home addresses, and full support chat logs. Not passwords this time — but everything a scammer needs to pretend to be your bank.
🧠 Why a senior engineer went 'huh' at this
Here’s the brain-melter. Your security is now capped by the laziest company in your vendor list. You can have perfect passwords, two-factor on everything, a whole security team — and still get owned because some tool you pay $9/month left a test login breathing for four years.
The industry has a name for this pile-up of forgotten keys, tokens, and logins: secret sprawl. Studies keep finding millions of live secrets leaking every year. Nobody’s counting them. Which is exactly why there’s money on the table. Keep reading. ![]()
Cool. So the Whole Internet Runs on Forgotten Logins… Now What the Hell Do We Do? (⊙_⊙)

🕳️ The Ghost Key Hunter
Companies leave live passwords and API keys lying around in public code all the time — old test files, forgotten repos, screenshots. Free tools scan for them automatically. You find one, you report it (don’t touch it), you collect a bug-bounty reward. Legal, white-hat, and there’s a near-infinite supply.
Grab TruffleHog or GitGuardian (both free to start), point them at public GitHub, and file findings through HackerOne or Intigriti.
Example: A 24-year-old CS student in Lagos runs TruffleHog over trending GitHub repos every morning, finds a leaked cloud key in a startup’s public code, reports it responsibly through their bug-bounty page — collects a $1,500 bounty in a week. Rinse, repeat, 2–3 hits a month.
Timeline: First valid report in 2–4 weeks (rejections early — it’s a skill). Real income by month 3. Plateaus once you’re competing with the pros, but the leak supply literally never dries up.
🗺️ The Vendor Domino Mapper
Small businesses have NO idea who their tools share data with. You do the boring detective work: for one client, list every SaaS tool they use and every other company those tools plug into. Hand them a one-page “here’s your blast radius” map. Charge a flat finder’s fee.
Use BuiltWith to see what tech a company runs, cross-check against public breach news, and package it. No coding needed — it’s Googling with a spreadsheet.
Example: A freelancer in the Philippines pitches local law firms on WhatsApp: “₱8,000 and I’ll show you every outside company that can touch your client files.” Does the map in an afternoon with free tools. Books 6 firms in a month off pure fear-of-missing-the-next-Klue.
Timeline: First paying client in 1–2 weeks (fear sells fast). Slows after you’ve hit the obvious local businesses — by month 4, pivot to a monthly “re-check” retainer.
📡 The Leak-Site Early Warning Bell
When a crew like Icarus dumps data, the victim companies are often the last to notice. You can watch public breach feeds and free databases, then quietly alert small businesses that their info showed up — before their customers find out. Sell it as a monthly “we watch, you sleep” service.
Plug into the free Have I Been Pwned API, follow breach-tracking feeds like DataBreaches.net, and set up simple email alerts.
Example: A 27-year-old in Kenya sets up alerts for 40 local e-commerce shops’ domains. When one shows up in a fresh leak, he DMs the owner first with proof. Converts panic into a $40/month monitoring plan — 40 shops = steady rent money.
Timeline: First subscriber within days of your first real “hey, you got leaked” alert. Churns if months go quiet — bundle it with the Vendor Mapper above so clients feel value even on calm weeks.
🧹 The OAuth Token Janitor
Every company’s Google Workspace and Salesforce is stuffed with dead “connected apps” — old tools someone linked once and forgot. Each one is a Klue waiting to happen. You offer a dead-simple cleanup: sit with them for an hour, revoke every stale valet-key, hand them a clean report. Boring. Necessary. Nobody’s selling it.
It’s built-in and free — Google’s third-party access settings and Salesforce’s “Connected Apps OAuth Usage” page do the work. You just know where to click.
Example: A 23-year-old in Brazil offers “OAuth spring cleaning” to small agencies for R$600 a pop. Finds 30–50 dead app connections per company (there’s always a graveyard), screenshots before/after, done in 90 minutes. Word-of-mouth does the rest.
Timeline: First gig in 1–2 weeks. One-time-ish per client, so stack it into a “quarterly hygiene” retainer or you’ll run out of local companies by month 5.
⛏️ Sell the Shovels: The Secret-Scan Starter Kit
Everyone’s now scared of forgotten credentials, but devs don’t want to learn the scanning tools. So you package it: a ready-to-run GitHub Action that auto-scans a team’s code for leaked secrets on every push, pre-configured so they just copy-paste. Sell the template + a 10-min setup call.
Bundle TruffleHog + Gitleaks into one clean config, host it on Gumroad.
Example: An indie dev in India sells a “Never-Get-Klue’d Secret Scanner Pack” on Gumroad for $29. Posts the story of this exact breach as the sales pitch on r/SideProject. 200 sales in the first fear-wave month = solid.
Timeline: First sales within days of a good launch post. Spikes with every fresh breach headline (and there’s always a fresh one). Add new tool configs quarterly to keep it alive.
🛠️ Follow-Up Actions
| Move | Free tool to start | First step today |
|---|---|---|
| Hunt leaked keys | TruffleHog | Scan one trending public repo |
| Map vendor risk | BuiltWith | Profile one local business |
| Watch leak feeds | HIBP API | Add your own email first |
| Clean OAuth junk | Google Permissions | Audit your own account |
| Sell the scanner | Gumroad | Write the sales-page story |
Quick Hits
| You want to… | Do this |
|---|---|
| Check your connected apps and kill dead ones — 5 mins | |
| Search your email on Have I Been Pwned | |
| Start bug-bounty scanning with TruffleHog | |
| Read the LastPass breakdown | |
| Set up 2FA everywhere — even if the vault leaks, they still can’t log in |
The scariest hacker in 2026 isn’t a genius. It’s whoever remembers the login your company forgot.
!