LastPass Confirms Data Breach in Supply Chain Attack – Veri Sızıntısı


Popular password manager LastPass has confirmed that customer data was compromised in a supply chain attack via the third-party platform Klue. OAuth tokens that Klue held for LastPass were stolen and used to access LastPass's Salesforce environment.


What Happened

LastPass, one of the world's most popular password management platforms, confirmed on June 23, 2026, that unauthorized access to some of its customer data occurred as a result of a supply chain attack. The incident began with a breach of the systems of Klue, a third-party market intelligence platform used by LastPass's marketing and sales teams. LastPass stated that it first became aware of the incident on June 12th after being notified by Klue and immediately launched a comprehensive investigation.

The attack did not target LastPass's own infrastructure or its password vaults directly. Instead, the attackers used the Klue platform as a launchpad. Supply chain attacks of this kind go after the weakest link in a company's security chain: business partners or service providers that may be less well defended than the target itself. In the LastPass case, what the attackers wanted from Klue were the authentication tokens it held, which granted delegated access to its customers' other systems (here, Salesforce). The company emphasized in its statement that its products, services, and core infrastructure were not affected and, most importantly, that customer password vaults remained secure: users' master passwords and the sensitive data stored in their vaults were not compromised. The breach nonetheless exposed personal data that is directly useful for targeting LastPass customers.

What Data Was Exposed

LastPass explained that the cyber attackers used the authentication credentials stolen from Klue to gain access to the company's Salesforce environment and exfiltrated specific customer data from there. The nature of the leaked data includes users' direct contact and identity information. This provides attackers with a valuable resource for future phishing and social engineering attacks. According to the company's announcement, the exposed data includes:

  • Customer names: Users' full names allow attackers to craft more personalized and convincing phishing emails.
  • Phone numbers: Can be used for voice phishing (vishing) or SMS-based fraud (smishing) attacks.
  • Email addresses: The primary communication channel for attacks, ideal for sending fake LastPass notifications.
  • Physical addresses: Although rarer, can be used for more complex fraud scenarios or identity theft.
  • Support case information: This information, which includes users' past issues, can make it easier for attackers to gain trust by impersonating the LastPass support team.
  • Sales/CRM-related data: Information about companies' business relationships with LastPass can be used in targeted attacks against corporate customers.

LastPass reaffirmed that master passwords, which protect customer password vaults, and the data within the vaults were not affected by this breach. It also noted that there is no evidence of access to data in Gong, the revenue-intelligence platform that Klue integrated with alongside Salesforce and that typically holds recordings of customer calls and emails.

How the Attack Happened

This incident is a textbook supply chain attack. The extortion group "Icarus," which claimed responsibility, did not break into LastPass directly but into its vendor, Klue, and then used the trust relationships Klue held. The attack chain unfolded in the following steps:

  1. Breach of Klue's Infrastructure: The attackers infiltrated Klue's infrastructure using old and insecure legacy credentials for an integration service. This initial step gave them a foothold within the system.
  2. Theft of OAuth Tokens: Once inside, the attackers went after the OAuth tokens Klue used to connect to third-party services (such as Salesforce and Gong) on behalf of its customers. OAuth 2.0 is an authorization framework that lets one application act within a customer's account at another service, limited to the scopes that were granted, without ever holding that customer's password. The access and refresh tokens it issues are bearer credentials: the service accepts whoever presents them as the authorized integration until the token expires or is revoked, which is why a vendor that stores such tokens for many customers is so valuable a target.
  3. Access to LastPass's Salesforce Environment: The Icarus group presented the stolen token issued for LastPass to Salesforce, where LastPass manages its customer data, and was treated as the legitimate Klue integration. Through this access they exfiltrated the customer data listed above.

The Icarus group targeted not only LastPass but many of Klue's other customers with the same method, and claims to have started an extortion campaign with the data it obtained. Incidents like this show again that companies must weigh not only their own security but also the security posture of every partner that holds credentials or tokens into their systems.
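Seen from the customer's side, the chain above leaves few traces: the stolen token is valid, so Salesforce records the activity as the legitimate connected app, and the remaining signals are where the token is used from and how much it reads. The following is an added example, not code from LastPass, Klue or Salesforce, that runs those two checks over a few constructed, simplified API-event records. The record layout (only loosely modeled on Salesforce's ApiEvent fields), the connected-app name "Klue Integration", the vendor egress range and the thresholds are all assumptions.

```python
"""Flag connected-app (OAuth) activity that looks like a stolen vendor token.

Added example, not code from LastPass, Klue or Salesforce. The log lines are
constructed and only loosely modeled on Salesforce ApiEvent fields; the record
layout, the vendor egress range and the thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the vendor has told us which egress ranges its integration
# service calls our Salesforce org from (RFC 5737 documentation range here).
KNOWN_VENDOR_RANGES = {
    "Klue Integration": [ip_network("198.51.100.0/24")],
}
BULK_ROWS_THRESHOLD = 10_000  # rows in one call that we treat as an export
BULK_CALLS_THRESHOLD = 3      # repeated exports from one origin in the window

# Constructed sample: one legitimate vendor call, three large reads from an
# unknown address using the same app credential, and an unrelated app.
SAMPLE_LOG = """\
# event_date | connected_app | username | source_ip | operation | entities | rows
2026-06-10T09:01:12Z | Klue Integration | integration@example.com | 198.51.100.7 | Query | Account | 250
2026-06-11T02:14:03Z | Klue Integration | integration@example.com | 203.0.113.45 | QueryAll | Contact,Case | 48000
2026-06-11T02:19:41Z | Klue Integration | integration@example.com | 203.0.113.45 | QueryAll | Lead,Account | 31000
2026-06-11T02:25:09Z | Klue Integration | integration@example.com | 203.0.113.45 | Bulk | Contact | 120000
2026-06-11T08:00:00Z | Slack Notifier | sales@example.com | 192.0.2.10 | Query | Opportunity | 40
"""


@dataclass(frozen=True)
class ApiEvent:
    event_date: str
    connected_app: str
    username: str
    source_ip: str
    operation: str
    entities: str
    rows: int


@dataclass(frozen=True)
class Finding:
    reason: str
    connected_app: str
    source_ip: str
    detail: str


def parse_line(line: str) -> ApiEvent:
    """Parse one pipe-delimited record of the constructed format above."""
    f = [p.strip() for p in line.split("|")]
    if len(f) != 7:
        raise ValueError(f"malformed record: {line!r}")
    return ApiEvent(f[0], f[1], f[2], f[3], f[4], f[5], int(f[6]))


def off_vendor_network(ev: ApiEvent) -> bool:
    """True when an app with a known egress baseline is used from outside it."""
    ranges = KNOWN_VENDOR_RANGES.get(ev.connected_app)
    if ranges is None:
        return False  # no baseline for this app, nothing to compare against
    return not any(ip_address(ev.source_ip) in net for net in ranges)


def analyse(lines):
    """Return findings plus the connected apps whose tokens should be revoked."""
    events = [parse_line(l) for l in lines
              if l.strip() and not l.lstrip().startswith("#")]
    findings, bulk_by_origin = [], Counter()
    for ev in events:
        if off_vendor_network(ev):
            findings.append(Finding("token used outside the vendor's known egress ranges",
                                    ev.connected_app, ev.source_ip, ev.event_date))
        if ev.rows >= BULK_ROWS_THRESHOLD:
            findings.append(Finding("bulk read of CRM objects",
                                    ev.connected_app, ev.source_ip,
                                    f"{ev.operation} {ev.entities} rows={ev.rows}"))
            bulk_by_origin[(ev.connected_app, ev.source_ip)] += 1
    # Several large reads from one origin in a row look like an export job.
    for (app, ip), n in bulk_by_origin.items():
        if n >= BULK_CALLS_THRESHOLD:
            findings.append(Finding("repeated bulk reads from one origin: likely export",
                                    app, ip, f"{n} calls"))
    revoke = {f.connected_app for f in findings
              if f.reason.startswith(("token used outside", "repeated bulk"))}
    return {"findings": findings, "revoke_candidates": revoke}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for f in result["findings"]:
        print(f"[{f.reason}] app={f.connected_app} ip={f.source_ip} {f.detail}")
    print("revoke tokens for:", sorted(result["revoke_candidates"]))
```

On the constructed sample the single legitimate call from the vendor's range produces nothing, the three reads from 203.0.113.45 are flagged both for origin and for volume, and the connected app is listed for revocation. The point of the exercise is that a stolen bearer token cannot be distinguished from legitimate use by authentication alone; a baseline of where and how much each integration normally reads has to exist before the incident, which is a question worth putting to every vendor that is granted a token.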

Who Is Affected

Those directly affected by the breach are the customers whose personal and business information listed above was stored in LastPass's Salesforce system. However, the scope of this incident is not limited to LastPass. Since the source of the attack was the Klue platform, many other well-known companies that use this platform are also at risk. According to the claims of the Icarus group and reports from the cybersecurity community, some of the other organizations affected by the Klue breach include:

  • Recorded Future
  • Tanium
  • Jamf
  • Sprout Social
  • Gong
  • Insurity

This shows how far the compromise at Klue reached. Each listed company has had to run its own investigation to determine whether data in its Salesforce or other integrated systems was at risk: a single compromised service provider can create a domino effect across dozens of its customers.

What You Can Do

Although LastPass users' password vaults are secure, they need to be cautious due to the leaked personal data. Attackers can use this information to deceive you. Here are the precautions you should take:

  • Be Wary of Phishing Attacks: Attackers who know your name, email address, and phone number can send highly convincing fake emails or SMS messages that appear to come from LastPass. These messages may use a sense of urgency, with phrases like "suspicious activity detected on your account" or "you need to reset your password." Never click on links or download attachments in such messages; if a message claims to need action, open the LastPass app or type the site address yourself instead.
  • Never Share Your Master Password: LastPass or any other company will never ask for your master password via email, phone, or any other method. Your master password is the sole key to your vault and belongs only to you.
  • Use Official Communication Channels: If you need to contact LastPass, use only the support channels provided through its official website or application.
  • Beware of Suspicious Domains: LastPass has warned that attackers may use domains such as baccarat.com[.]au, robinskitchen.com[.]au, and house[.]com.au for fraudulent communications. Do not trust emails from these and similar suspicious senders.

What the Company Says

LastPass announced that it has taken a series of measures since learning of the incident. According to the company's official statement, the steps taken are as follows:

"On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems. We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass."

Following this statement, LastPass stated it took the following actions:

  • Immediately disabled employee access to the Klue platform.
  • Promptly revoked and rotated the exposed API/OAuth tokens.
  • Reported the incident to the relevant law enforcement agencies.
  • Is conducting an ongoing investigation with cybersecurity experts to uncover all aspects of the incident.

LastPass emphasized that it will continue to inform its users in line with its transparency principle and is working to enhance its security measures.
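Of the actions above, revoking the exposed OAuth tokens is where most of the containment happens: as long as the refresh token that Salesforce issued to the vendor's connected app remains valid, whoever holds it can keep obtaining fresh access tokens, whatever else is done on the Klue side. The script below is an added example, not LastPass's or Salesforce's own tooling. It uses Salesforce's documented REST query endpoint and sObject delete on the OauthToken object; the connected-app name, API version, instance URL and the admin session token are operator-supplied assumptions, and it deletes nothing unless dry_run is switched off.

```python
"""Enumerate and revoke the OAuth tokens a Salesforce org holds for one connected app.

Added example, not LastPass's or Salesforce's tooling. Uses the REST query
endpoint and sObject delete on the OauthToken object. The app name, API
version, instance URL and admin session token are assumptions the operator
supplies; with dry_run=True (the default) nothing is deleted.
"""
import json
import urllib.parse
import urllib.request

API_VERSION = "v60.0"  # assumption; use a version your org supports


def soql_for_app(app_name: str) -> str:
    """SOQL listing the tokens Salesforce holds for one connected app."""
    # Escape the literal so an odd app name cannot break out of the string.
    safe = app_name.replace("\\", "\\\\").replace("'", "\\'")
    return ("SELECT Id, AppName, UserId, LastUsedDate, UseCount "
            f"FROM OauthToken WHERE AppName = '{safe}'")


def plan_revocation(records, app_name):
    """Pure selection step: token Ids to revoke plus a printable summary."""
    ids, summary = [], []
    for r in records:
        if r.get("AppName") != app_name:
            continue  # defensive: never delete a token the query should not have returned
        ids.append(r["Id"])
        summary.append(f"{r['Id']} user={r.get('UserId')} "
                       f"last_used={r.get('LastUsedDate')} uses={r.get('UseCount')}")
    return ids, summary


class SalesforceClient:
    """Minimal REST client; instance_url and access_token are assumptions."""

    def __init__(self, instance_url, access_token):
        self.prefix = f"/services/data/{API_VERSION}"
        self.base = instance_url.rstrip("/") + self.prefix
        self.headers = {"Authorization": f"Bearer {access_token}"}

    def _request(self, method, path):
        req = urllib.request.Request(self.base + path, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return json.loads(body) if body else None

    def query(self, soql):
        """Run a SOQL query and follow nextRecordsUrl until all pages are read."""
        records, path = [], "/query?q=" + urllib.parse.quote(soql)
        while path:
            page = self._request("GET", path)
            records.extend(page["records"])
            nxt = page.get("nextRecordsUrl")  # absolute from the instance root
            path = nxt.split(self.prefix, 1)[1] if nxt else None
        return records

    def delete_token(self, token_id):
        """Deleting the OauthToken record revokes that user's grant to the app."""
        self._request("DELETE", f"/sobjects/OauthToken/{token_id}")


def revoke_app_tokens(client, app_name, dry_run=True):
    records = client.query(soql_for_app(app_name))
    ids, summary = plan_revocation(records, app_name)
    for line in summary:
        print(("would revoke " if dry_run else "revoking ") + line)
    if not dry_run:
        for token_id in ids:
            client.delete_token(token_id)
    return ids


if __name__ == "__main__":
    import os
    client = SalesforceClient(os.environ["SF_INSTANCE_URL"], os.environ["SF_ADMIN_TOKEN"])
    revoke_app_tokens(client, "Klue Integration", dry_run=True)  # assumed app name
```

Run it first with dry_run=True and keep the printed summary: the LastUsedDate and UseCount values are part of the incident record and help scope when the stolen token was exercised. Deleting the grants is only one half of "revoked and rotated"; the connected app's consumer secret should also be regenerated on the vendor side, and the app can be blocked outright in Setup until the vendor has demonstrated its own remediation.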

Source

https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/
