LastPass Customer Data Exposed via Klue Supply Chain Attack – Data Leak

LastPass Leaks Data via Klue Supply Chain Attack

Popular password manager LastPass has disclosed that customer data was exposed following a supply chain attack on a third-party platform, Klue. Attackers gained access to contact and sales records stored in the company's Salesforce environment.

[Image: A broken chain link with the LastPass logo in the background, symbolizing a cybersecurity breach.]

What Happened

LastPass, one of the most recognized names in password management, is once again in the spotlight for a major cybersecurity incident. In a statement on June 24, 2026, the company confirmed that customer data was leaked due to a cyberattack targeting its partner, the Klue platform. The attack was a supply chain attack, a method considered one of the most dangerous cyber threats of recent years. Although the incident was not a direct assault on LastPass's own systems, it put its customers at risk because it originated from a vulnerability in a trusted partner. The company stated it became aware of the situation on June 12 and immediately launched an investigation. This event once again demonstrates that no matter how robust a company's own security is, the weakest link in its ecosystem can threaten the entire structure. To follow the latest developments on this topic, you can visit the Data Breach News page.

What Data Was Stolen

LastPass clearly answered the most pressing question for users after the breach: customer password vaults were not affected by this attack. According to the company's statement, the attackers did not breach LastPass's products, services, or core infrastructure. This means that the passwords, notes, and other sensitive information stored by users remain secure. However, this does not mean the breach is insignificant.

The data accessed by the attackers consists of records stored in LastPass's Salesforce environment. This data includes:

  • Business Contact Information: Customer names, phone numbers, email addresses, and physical mailing addresses.
  • CRM Records: Support case information and sales-related records kept in the Customer Relationship Management (CRM) system.

While this type of data may not lead to direct financial loss, it can be indirectly very dangerous. Attackers can use this information to conduct targeted phishing and social engineering attacks. For example, they could send fake emails pretending to be from LastPass to trick customers into revealing their master passwords or other personal information. You can use our Data Breach Search tool to find out if your personal information has been exposed in this or any other breach.

How the Attack Happened

At the center of the attack is Klue, a market intelligence platform used by LastPass's marketing and sales teams. Klue integrates with CRM and sales tools like Salesforce and Gong to provide companies with competitive analysis services. This integration is enabled through an authorization protocol called OAuth. OAuth tokens are like digital keys that allow one application (Klue) to access data in another application (Salesforce) within a specific set of permissions, without knowing the user's password.

The attackers breached Klue's systems and stole these OAuth tokens. Among the stolen tokens were those belonging to LastPass. Using these tokens, the attackers gained access to customer data in LastPass's Salesforce environment, within the scope of permissions granted to Klue. This method is a classic example of a supply chain attack: the attackers didn't target the main entity (LastPass) directly, but rather its potentially less secure partner (Klue) to indirectly reach their goal.

Cybersecurity firm Huntress described this incident as a "security domino effect." The process, which began with the theft of an integration credential, triggered a chain reaction leading to data theft from multiple connected platforms.
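A stolen integration token looks, to the data owner, like the legitimate integration using its own permissions. The added example below (not from the article, LastPass, Klue or Salesforce) shows the kind of triage a defender can run over API access events for a connected app: flag calls from source IPs on a shared IoC list or outside the vendor's expected egress range, and flag unusually large reads. The log field names, the "Klue" app label, the egress allowlist and the IoC IP are constructed placeholders.

```python
"""Triage constructed Salesforce-style API events for a connected app.
Assumptions (not from the article): field names, the 'Klue' app label,
the vendor egress allowlist and the IoC list are all placeholders."""
from ipaddress import ip_address, ip_network
from collections import Counter

# Placeholder allowlist: where the integration is expected to call from.
KLUE_EGRESS = [ip_network("203.0.113.0/24")]   # TEST-NET-3, constructed
# Placeholder standing in for the IoC IPs the article says were shared.
IOC_IPS = {"198.51.100.77"}                     # TEST-NET-2, constructed
BULK_THRESHOLD = 5000   # rows per call above which we treat it as an export

SAMPLE_EVENTS = [  # constructed events: app, source IP, operation, rows read
    {"app": "Klue", "ip": "203.0.113.10", "op": "Query", "rows": 40},
    {"app": "Klue", "ip": "203.0.113.10", "op": "Query", "rows": 120},
    {"app": "Klue", "ip": "198.51.100.77", "op": "Query", "rows": 25000},
    {"app": "Klue", "ip": "192.0.2.9", "op": "Query", "rows": 30},
    {"app": "Gong", "ip": "192.0.2.50", "op": "Query", "rows": 10},
]

def classify(event, app="Klue"):
    """Return the reasons an event looks like token misuse (empty list = ok)."""
    if event["app"] != app:
        return []
    reasons = []
    src = ip_address(event["ip"])
    if str(src) in IOC_IPS:
        reasons.append("source IP is in shared IoC list")
    if not any(src in net for net in KLUE_EGRESS):
        reasons.append("source IP outside vendor egress allowlist")
    if event["rows"] >= BULK_THRESHOLD:
        reasons.append(f"bulk read of {event['rows']} rows")
    return reasons

def triage(events, app="Klue"):
    """Flag suspicious events and count which IPs used the app's token."""
    flagged = [(e, classify(e, app)) for e in events if classify(e, app)]
    ips = Counter(e["ip"] for e in events if e["app"] == app)
    return flagged, ips

if __name__ == "__main__":
    flagged, ips = triage(SAMPLE_EVENTS)
    print("IPs seen using the Klue token:", dict(ips))
    for e, why in flagged:
        print(f"ALERT {e['ip']} {e['op']} rows={e['rows']}: {'; '.join(why)}")
```

Any hit on the IoC list or a read from outside the vendor's range is a reason to revoke the connected app's tokens first and investigate second, which is the order LastPass describes in its own response.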

Who Was Affected

The impact of this supply chain attack is not limited to LastPass. Many companies in Klue's customer portfolio were affected by this breach. In addition to LastPass, some leading firms in the cybersecurity industry have also confirmed they were impacted by the Klue breach. These companies include Huntress, Recorded Future, Tanium, and Jamf. Each of these firms has published separate statements detailing how they were affected.

An extortion group known as "Icarus," active since late April 2026, has claimed responsibility for the attack. The group announced the attack on its data leak site. This raises concerns that the stolen data may be put up for sale for malicious purposes or used for further attacks in the coming days.

What You Can Do

Although LastPass users' password vaults are secure, they need to be cautious due to the leaked contact information. Here are the steps you can take:

  • Be Vigilant Against Phishing Attacks: Be skeptical of emails, SMS messages, or phone calls claiming to be from LastPass or any other service provider. Be especially wary of messages that ask you to urgently click a link, download a file, or verify your personal information.
  • Never Share Your Master Password: LastPass will never, under any circumstances, ask for your master password via email or any other means. Any request for this information is a fraudulent attempt.
  • Verify Contact Information: If you receive a suspicious email, carefully check the sender's address. Do not take any action without confirming it comes from official LastPass communication channels.
  • Use Multi-Factor Authentication (MFA): Enable MFA on your LastPass account and all other online accounts. This is an additional layer of security that prevents unauthorized access to your account even if your password is stolen.
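The advice to check the sender's address is easier to act on with a rule than by eye. The added example below (not from the article or LastPass) classifies a From: header as trusted, a known IoC sender domain, a look-alike, or unknown; it catches typosquats, brand names buried in a subdomain, and display names that claim LastPass while the address is elsewhere. The official domain and the IoC sender domain are assumed placeholders.

```python
"""Classify an email From: header for the phishing risk the article describes.
Constructed example; OFFICIAL_DOMAINS and IOC_SENDER_DOMAINS are placeholders."""
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"lastpass.com"}               # assumed official domain
IOC_SENDER_DOMAINS = {"lastpass-alerts.example"}  # constructed placeholder IoC

def levenshtein(a, b):
    """Edit distance, used to catch look-alike labels such as 1astpass."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return 'trusted', 'ioc', 'lookalike' or 'unknown' for a From: header."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return "unknown"
    if domain in OFFICIAL_DOMAINS:
        return "trusted"
    if domain in IOC_SENDER_DOMAINS:
        return "ioc"
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # Typosquat of the brand label, brand used as a subdomain or prefix,
        # or a display name that claims the brand while the address does not.
        if (levenshtein(domain.split(".")[0], brand) <= 2
                or brand in domain or brand in display.lower()):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for h in ["LastPass <support@lastpass.com>",
              "LastPass Security <alert@lastpass-alerts.example>",
              "LastPass <no-reply@1astpass.com>",
              "Billing <x@lastpass.com.example.net>",
              "Jane <jane@example.org>"]:
        print(f"{check_sender(h):9s} {h}")
```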

What the Company Is Saying

LastPass announced that it took a series of immediate measures after discovering the incident. According to the company's official statement, the steps taken are:

  • Investigation Launched: An internal investigation was immediately launched with Klue and Salesforce to understand the scope and impact of the incident.
  • Access Revoked: All employee access to the Klue platform was immediately revoked.
  • API Tokens Rotated: All API tokens (OAuth tokens) believed to have been compromised in the breach were invalidated and rotated.
  • Law Enforcement Notified: The situation was reported to the relevant legal authorities and law enforcement agencies.
  • Indicators of Compromise (IoCs) Shared: Technical indicators such as IP addresses and email sender domains used in the attack were shared with the public to help the security community prevent similar attacks.

This incident comes after LastPass's major 2022 breach, in which attackers stole customer password vault backups. Three years after that breach, researchers at TRM Labs uncovered cryptocurrency thefts linked to credentials recovered from the stolen vaults. This new breach once again calls the company's security reputation into question.

Source

https://www.helpnetsecurity.com/2026/06/24/lastpass-klue-data-breach-salesforce-environment/

This content was generated with AI assistance through our Argus Flow application.
