LastPass Faces Another Breach: Customer Support Data Compromised Again

TL;DR

  • LastPass has confirmed that hackers accessed customer names, email addresses, phone numbers, physical addresses, and sensitive customer support case data via a supply chain breach at market-intelligence platform Klue.
  • The attackers exploited stolen OAuth tokens linked to LastPass’s Salesforce environment, but the company insists its password vaults and core infrastructure remain secure and unaffected.
  • This incident marks the second major security event linked to LastPass in recent years, raising fresh questions about the password manager’s security posture and its reliance on third‑party integrations.

LastPass has disclosed a new data incident in which hackers obtained personal information and customer support case data through a breach at Klue, a third‑party market intelligence and competitive‑analysis platform used by LastPass’s go‑to‑market teams. The incident, first reported by Klue on June 12, involved attackers compromising Klue’s infrastructure and stealing OAuth tokens that granted access to various customer systems, including LastPass’s Salesforce environment.

LastPass said it learned of the incident on the same day and immediately launched an investigation. The company emphasized that the breach originated with Klue and affected only systems integrated with Klue’s application, such as Salesforce and Gong, and that LastPass’s own products, services, and infrastructure were not directly compromised.

What data was exposed?

According to LastPass’s incident post and corroborating reports, the information accessed by the attackers was limited to standard business contact and CRM data, including:

  • Customer names
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Customer support case data
  • Sales‑related records and account information

The exact contents of the customer support tickets are not fully disclosed, but such records can contain fragments of sensitive or private information, such as support issues, technical details, and internal communications. LastPass has not revealed the number of affected customers, but it is notifying those whose information was accessed and urging them to remain vigilant for follow‑on attacks.

Notably, LastPass stressed that customer vaults remain secure. The attackers did not gain access to encrypted password vaults, and there is no evidence they reached LastPass’s core password‑management infrastructure or the encrypted data stored within user vaults.

How the breach happened

The attack unfolded via a supply chain compromise at Klue. Security researchers and affected companies describe the incident as a “security domino effect,” beginning with attackers gaining access to Klue’s systems and then using stolen OAuth tokens to pivot into customer environments.

In LastPass’s case, the threat actor leveraged OAuth tokens Klue held for LastPass to access its Salesforce environment. Salesforce is widely used for customer relationship management, storing contact details, account information, and support case histories. Because Klue held integration tokens for many customers’ systems, LastPass’s Salesforce instance among them, the attackers could query and exfiltrate records from multiple organizations simultaneously.

A hacking and extortion group calling itself Icarus has claimed responsibility for the attack, threatening to leak stolen data unless companies pay a ransom. LastPass has not indicated whether it has engaged with the group or paid any ransom, but it has confirmed that it has revoked the exposed OAuth tokens and taken steps to limit further access.

Company response and remediation steps

LastPass outlined several immediate actions it took upon learning of the incident:

  • Discontinued all employee access to Klue and removed Klue integrations from its Salesforce environment.
  • Rotated the compromised OAuth tokens and reviewed other integrations for unusual activity.
  • Engaged third‑party forensic investigators and law enforcement to support the investigation.
  • Coordinated with the broader security community through its Threat Intelligence, Mitigation, and Escalation (TIME) team to share tactics, techniques, and procedures used by the attackers.

The company also said it is implementing additional safeguards and strengthening its protocols around third‑party integrations, credential management, and monitoring. Salesforce and LastPass have removed the Klue integration from affected environments, and Klue has committed to bolstering its own security controls in the wake of the breach.

Implications for users

For LastPass users, the primary risk is not that their passwords have been decrypted, but that their contact and support information can be used in targeted phishing and social engineering campaigns. Armed with names, email addresses, phone numbers, and details from support cases, attackers can craft highly convincing messages that appear to come from LastPass or related services.

LastPass has advised users to:

  • Be cautious of unsolicited emails, calls, or messages referencing recent support cases or account issues.
  • Avoid clicking links or opening attachments in unexpected communications.
  • Never share their master password or two‑factor authentication codes with anyone.

The company also encourages users to keep their contact details up to date and to monitor their accounts for any unusual activity. While the incident does not require users to change their master passwords, it underscores the importance of maintaining strong, unique passwords and enabling multi‑factor authentication wherever possible.

Context within LastPass’s recent security history

This latest incident comes as the second major security event tied to LastPass in recent years. In 2022, a separate breach involving a compromised senior DevOps engineer’s personal computer led to the unauthorized access and exfiltration of backup databases and copies of customer password vaults. That incident ultimately prompted regulatory action, including a £1.2 million fine by the UK Information Commissioner’s Office (ICO) and a reported $24.5 million settlement in related litigation.

Analysts warn that the Klue‑linked breach, while less severe in terms of direct impact on vaults, reinforces concerns about LastPass’s reliance on complex third‑party integrations and its broader security culture. The fact that attackers were able to pivot from a market‑intelligence platform into a password manager’s Salesforce environment highlights how seemingly peripheral tools can become high‑value targets in a supply chain attack.

What this means for the broader security industry

The Klue‑Salesforce‑LastPass chain is part of a broader pattern in which attackers exploit trusted integrations and OAuth‑based access to move laterally across organizations. Similar incidents have affected other security and technology firms that used Klue’s Salesforce integration, demonstrating how a single compromised credential or misconfigured integration can cascade into widespread data theft.

Security teams are now reevaluating their use of third‑party integrations, tightening OAuth token policies, and enhancing monitoring for anomalous queries from external applications. The incident also underscores the need for robust supply chain risk management, including regular audits of vendor security practices and clear incident‑response playbooks for integration‑related breaches.
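As an added illustration (not code from LastPass, Klue, or Salesforce), the sketch below shows one way to monitor for anomalous queries from an integrated application: build a per-app baseline from known-good history, then flag hours where the app's token is used from a new IP, reads objects it never touched before, or pulls far more rows than usual. The event schema, the app name `intel-app`, and all sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events in a hypothetical schema (not a real Salesforce log format):
# (hour, connected_app, source_ip, object_queried, rows_returned)
EVENTS = [
    ("2026-01-05T09", "intel-app", "198.51.100.10", "Account", 120),
    ("2026-01-05T10", "intel-app", "198.51.100.10", "Opportunity", 90),
    ("2026-01-06T09", "intel-app", "198.51.100.10", "Account", 150),
    ("2026-01-07T02", "intel-app", "203.0.113.77", "Case", 48000),
    ("2026-01-07T02", "intel-app", "203.0.113.77", "Contact", 61000),
    ("2026-01-07T09", "intel-app", "198.51.100.10", "Account", 130),
]

def per_hour(events):
    """Aggregate events into {(hour, app): {"ips", "objects", "rows"}}."""
    agg = defaultdict(lambda: {"ips": set(), "objects": set(), "rows": 0})
    for hour, app, ip, obj, rows in events:
        bucket = agg[(hour, app)]
        bucket["ips"].add(ip)
        bucket["objects"].add(obj)
        bucket["rows"] += rows
    return agg

def build_baseline(events):
    """Per-app profile from known-good history: IPs, objects, median hourly rows."""
    profile = defaultdict(lambda: {"ips": set(), "objects": set(), "hourly": []})
    for (_, app), b in per_hour(events).items():
        profile[app]["ips"] |= b["ips"]
        profile[app]["objects"] |= b["objects"]
        profile[app]["hourly"].append(b["rows"])
    return {app: {**p, "median_rows": median(p["hourly"])} for app, p in profile.items()}

def detect(events, baseline, volume_factor=10):
    """Return (hour, app, reasons) for each hour deviating from the app's baseline."""
    alerts = []
    for (hour, app), b in sorted(per_hour(events).items()):
        # An app with no history gets an empty profile, so all of its activity is flagged.
        base = baseline.get(app, {"ips": set(), "objects": set(), "median_rows": 0})
        checks = [("new source IP", b["ips"] - base["ips"]),
                  ("object outside normal scope", b["objects"] - base["objects"]),
                  ("bulk read volume", b["rows"] > volume_factor * base["median_rows"])]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            alerts.append((hour, app, reasons))
    return alerts

BASELINE = build_baseline(EVENTS[:3])  # history before the suspicious window
ALERTS = detect(EVENTS[3:], BASELINE)
```

On the constructed data, only the 02:00 hour is flagged, and for all three reasons; the later query from the usual IP against the usual object passes.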

Looking ahead

LastPass has stated that remediation of the Klue‑related incident is complete and that there is no evidence of further unauthorized access. The company continues to notify affected customers and remains in contact with law enforcement and security partners. For users, the key takeaway is vigilance: while their vaults remain protected, their personal contact and support information is now in the hands of attackers who may use it for highly targeted scams.

As the cybersecurity community pieces together the full impact of the Klue supply chain breach, LastPass faces renewed scrutiny over how it secures not just user vaults, but the broader ecosystem of tools and platforms that sit around its core service. For a company entrusted with the keys to users’ digital lives, the pressure to demonstrate resilience beyond its own infrastructure has never been higher.


AndroGuider Team
Reviewed by Randeotten on 6/23/2026 11:47:00 PM