One Dead 2022 Password Unlocked 200 Companies — Including LastPass Itself

:key: One Dead 2022 Password Unlocked 200 Companies — Including LastPass Itself

Nobody hacked LastPass. Nobody smashed a firewall. Somebody just… found a login everyone forgot to turn off. In 2022. And it still worked.

1 forgotten credential → 200+ companies breached → OAuth master-keys for LastPass, Tanium, Jamf, Gong, Sprout Social, Recorded Future — a security-firm buffet, served by the Icarus extortion crew.

Okay so you’re not ready for this one. A company called Klue — one of those “spy on your competitors” tools nobody outside of sales teams has heard of — made a little test login back in 2022 for a pilot project. Then everyone went home. Nobody deleted it. Four years later, a crew walks in through that same door and walks out holding the keys to a couple hundred other companies. Including the password company. I mean. Read that twice.

Falling dominoes cascade

🧩 Dumb Mode Dictionary (read this first, everything's easy after)
Scary word What it actually means
Supply chain attack You don’t rob the bank. You rob the guy who cleans the bank and has all the keys.
SaaS vendor A random company you pay monthly so you don’t have to build your own tool. They hold your data.
OAuth token A “let this app peek into my account” pass. Like giving a valet your car key — except the valet key opens everything.
Credential A login. Username + password. That’s it.
Salesforce environment The giant filing cabinet where companies keep every customer’s name, email, and support chat.
Extortion group Hackers who steal your files then go “pay us or the internet sees these.”
📉 What actually went down (the short version)
  • Klue is a “competitive intelligence” tool — sales teams use it to track rivals. To do its job, Klue holds OAuth tokens (those valet keys) for tons of customers.
  • Back in 2022, someone made a login for a small pilot test. The test ended. The login never got deleted.
  • In June 2026, the Icarus crew found that zombie login, used it to grab the OAuth tokens Klue was holding, and quietly reached into customer Salesforce cabinets.
  • Then they dumped the loot on an “Icarus” leak site and said pay up.

One dead password. That’s the whole hack. No genius exploit. Just housekeeping nobody did.

💥 The victim list is unhinged (these are the pros)

This wasn’t some sleepy mom-and-pop list. The companies that got splashed:

Company What they do
LastPass Literally sells password security :skull:
Tanium Enterprise endpoint security
Jamf Manages Apple devices for big orgs
Recorded Future Threat intelligence. They warn people about hacks.
Gong / Sprout Social / Insurity Sales AI, social tools, insurance software

The people whose entire job is not getting hacked… got hacked. Through a vendor they trusted. That’s the part that should keep you up at night — it wasn’t their fault, and they still lost.

🗣️ What the timeline's saying
  • “So LastPass got breached again and again it wasn’t even their servers.” (yes — remember 2022? this is a different, brand-new mess)
  • “The scariest hacks in 2026 aren’t hacks. They’re forgotten checkboxes.”
  • “Every company has a Klue. You just don’t know its name yet.”
  • The stolen stuff: names, phone numbers, emails, home addresses, and full support chat logs. Not passwords this time — but everything a scammer needs to pretend to be your bank.
🧠 Why a senior engineer went 'huh' at this

Here’s the brain-melter. Your security is now capped by the laziest company in your vendor list. You can have perfect passwords, two-factor on everything, a whole security team — and still get owned because some tool you pay $9/month left a test login breathing for four years.

The industry has a name for this pile-up of forgotten keys, tokens, and logins: secret sprawl. Studies keep finding millions of live secrets leaking every year. Nobody’s counting them. Which is exactly why there’s money on the table. Keep reading. :backhand_index_pointing_down:

Cool. So the Whole Internet Runs on Forgotten Logins… Now What the Hell Do We Do? (⊙_⊙)

Old filing cabinet full of files

🕳️ The Ghost Key Hunter

Companies leave live passwords and API keys lying around in public code all the time — old test files, forgotten repos, screenshots. Free tools scan for them automatically. You find one, you report it (don’t touch it), you collect a bug-bounty reward. Legal, white-hat, and there’s a near-infinite supply.

Grab TruffleHog or GitGuardian (both free to start), point them at public GitHub, and file findings through HackerOne or Intigriti.

:brain: Example: A 24-year-old CS student in Lagos runs TruffleHog over trending GitHub repos every morning, finds a leaked cloud key in a startup’s public code, reports it responsibly through their bug-bounty page — collects a $1,500 bounty in a week. Rinse, repeat, 2–3 hits a month.

:chart_increasing: Timeline: First valid report in 2–4 weeks (rejections early — it’s a skill). Real income by month 3. Plateaus once you’re competing with the pros, but the leak supply literally never dries up.

🗺️ The Vendor Domino Mapper

Small businesses have NO idea who their tools share data with. You do the boring detective work: for one client, list every SaaS tool they use and every other company those tools plug into. Hand them a one-page “here’s your blast radius” map. Charge a flat finder’s fee.

Use BuiltWith to see what tech a company runs, cross-check against public breach news, and package it. No coding needed — it’s Googling with a spreadsheet.

:brain: Example: A freelancer in the Philippines pitches local law firms on WhatsApp: “₱8,000 and I’ll show you every outside company that can touch your client files.” Does the map in an afternoon with free tools. Books 6 firms in a month off pure fear-of-missing-the-next-Klue.

:chart_increasing: Timeline: First paying client in 1–2 weeks (fear sells fast). Slows after you’ve hit the obvious local businesses — by month 4, pivot to a monthly “re-check” retainer.

📡 The Leak-Site Early Warning Bell

When a crew like Icarus dumps data, the victim companies are often the last to notice. You can watch public breach feeds and free databases, then quietly alert small businesses that their info showed up — before their customers find out. Sell it as a monthly “we watch, you sleep” service.

Plug into the free Have I Been Pwned API, follow breach-tracking feeds like DataBreaches.net, and set up simple email alerts.

:brain: Example: A 27-year-old in Kenya sets up alerts for 40 local e-commerce shops’ domains. When one shows up in a fresh leak, he DMs the owner first with proof. Converts panic into a $40/month monitoring plan — 40 shops = steady rent money.

:chart_increasing: Timeline: First subscriber within days of your first real “hey, you got leaked” alert. Churns if months go quiet — bundle it with the Vendor Mapper above so clients feel value even on calm weeks.

🧹 The OAuth Token Janitor

Every company’s Google Workspace and Salesforce is stuffed with dead “connected apps” — old tools someone linked once and forgot. Each one is a Klue waiting to happen. You offer a dead-simple cleanup: sit with them for an hour, revoke every stale valet-key, hand them a clean report. Boring. Necessary. Nobody’s selling it.

It’s built-in and free — Google’s third-party access settings and Salesforce’s “Connected Apps OAuth Usage” page do the work. You just know where to click.

:brain: Example: A 23-year-old in Brazil offers “OAuth spring cleaning” to small agencies for R$600 a pop. Finds 30–50 dead app connections per company (there’s always a graveyard), screenshots before/after, done in 90 minutes. Word-of-mouth does the rest.

:chart_increasing: Timeline: First gig in 1–2 weeks. One-time-ish per client, so stack it into a “quarterly hygiene” retainer or you’ll run out of local companies by month 5.

⛏️ Sell the Shovels: The Secret-Scan Starter Kit

Everyone’s now scared of forgotten credentials, but devs don’t want to learn the scanning tools. So you package it: a ready-to-run GitHub Action that auto-scans a team’s code for leaked secrets on every push, pre-configured so they just copy-paste. Sell the template + a 10-min setup call.

Bundle TruffleHog + Gitleaks into one clean config, host it on Gumroad.

:brain: Example: An indie dev in India sells a “Never-Get-Klue’d Secret Scanner Pack” on Gumroad for $29. Posts the story of this exact breach as the sales pitch on r/SideProject. 200 sales in the first fear-wave month = solid.

:chart_increasing: Timeline: First sales within days of a good launch post. Spikes with every fresh breach headline (and there’s always a fresh one). Add new tool configs quarterly to keep it alive.

🛠️ Follow-Up Actions
Move Free tool to start First step today
Hunt leaked keys TruffleHog Scan one trending public repo
Map vendor risk BuiltWith Profile one local business
Watch leak feeds HIBP API Add your own email first
Clean OAuth junk Google Permissions Audit your own account
Sell the scanner Gumroad Write the sales-page story

:high_voltage: Quick Hits

You want to… Do this
:locked: Not be the next victim Check your connected apps and kill dead ones — 5 mins
:magnifying_glass_tilted_left: Know if you’re already leaked Search your email on Have I Been Pwned
:money_bag: Turn breaches into income Start bug-bounty scanning with TruffleHog
:brain: Understand the whole mess Read the LastPass breakdown
:telephone_receiver: Ditch reused passwords Set up 2FA everywhere — even if the vault leaks, they still can’t log in

The scariest hacker in 2026 isn’t a genius. It’s whoever remembers the login your company forgot.