LastPass reports that customer data was compromised due to a supply chain breach involving Klue.
LastPass has informed its customers that their personal information and customer support case data have been compromised due to a breach of vendor Klue, which possessed OAuth tokens that allowed access to LastPass’s Salesforce system. However, LastPass confirmed that its own infrastructure and customers' encrypted password vaults were not affected. The stolen information includes names, email addresses, phone numbers, physical addresses, and details of customer support interactions.
On June 12, Klue announced the breach, with CEO Jason Smith confirming that attackers had obtained OAuth tokens belonging to the company and its clients. These tokens granted authenticated access to the Salesforce environments in which firms like LastPass keep customer relationship and support data. Using the stolen tokens, the attackers pulled records from multiple client organizations in parallel.
The hacking and extortion group Icarus has claimed responsibility for the incident and has threatened to release the stolen data unless the affected companies pay a ransom. While LastPass has not revealed how many customers were affected, it said it is contacting those whose data was compromised. According to its latest figures, the company has around 33 million users, more than a million of them paying customers.
LastPass is not alone in this incident; supply chain attacks have emerged as a significant cybersecurity threat in 2026. The breach of Klue mirrors this trend, as the attackers did not directly target LastPass but instead compromised a trusted third-party vendor that maintained access credentials. Other companies affected by the Klue breach include HackerOne, Recorded Future, Tanium, Gong, Jamf, Snyk, OneTrust, Sprout Social, and Huntress.
This breach is particularly damaging for LastPass, which suffered a major incident in 2022 when attackers compromised the company directly and stole encrypted customer vault backups. Security researchers later confirmed that some vaults protected by weak master passwords had been cracked offline, leading to cryptocurrency thefts totaling over 150 million dollars. That earlier breach eroded customer trust and led many users to switch to competitors.
This time, LastPass stressed that its own systems remain secure and that encrypted password vaults were untouched. Although this distinction may provide some assurance, it may not fully comfort customers whose personal information and support case details are now potentially in the possession of an extortion group. Such support cases can include sensitive information regarding account issues, security matters, and billing details shared under the expectation of privacy.
The incident exposes a fundamental weakness in how companies manage third-party vendor access. OAuth tokens are meant to grant limited, revocable access to specific resources without sharing passwords, but a token is only as limited as the scopes granted to it and only as revocable as the monitoring that notices it being misused. When a vendor like Klue holds tokens for many enterprise clients, a breach of that single vendor yields access to every client's data at once, and the blast radius is the union of every scope those clients granted. The risk is therefore set not only by the security posture of the target company but by the security practices of each of its vendors.
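The detection a Salesforce tenant would want against the access pattern described above, written here as an added example that is not part of the original article and not code from LastPass, Klue or Salesforce. It runs over a constructed set of API-access records (field names only loosely follow Salesforce's ApiEvent fields; the app names, IP ranges, row counts and per-app profiles are all assumptions) and flags any connected app that, on a given day, reads objects outside its documented purpose, calls from an unfamiliar network, or exceeds its daily row baseline. The `APP_PROFILES` table stands in for what an organization knows about each integration's granted scopes and normal behaviour.

```python
"""Flag third-party OAuth integrations that start behaving like an exfiltration job.

All records, app names, networks and baselines below are constructed for this
example; nothing here is real Salesforce log data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed API-access records: one entry per query a connected app made
# with its OAuth token. Loosely modelled on Salesforce ApiEvent fields.
API_EVENTS = [
    # Normal day: the vendor app reads only the objects it was integrated for.
    {"day": "2026-06-10", "app": "Klue", "ip": "203.0.113.10", "object": "Opportunity", "rows": 1200},
    {"day": "2026-06-10", "app": "Klue", "ip": "203.0.113.10", "object": "Account", "rows": 900},
    # Suspicious day: same token, new network, support-case data, bulk volume.
    {"day": "2026-06-11", "app": "Klue", "ip": "198.51.100.7", "object": "Case", "rows": 48000},
    {"day": "2026-06-11", "app": "Klue", "ip": "198.51.100.7", "object": "Contact", "rows": 210000},
    # A different vendor app behaving normally on the same day.
    {"day": "2026-06-11", "app": "SupportBot", "ip": "192.0.2.25", "object": "Case", "rows": 300},
]

# Assumed per-app profile: which objects the integration is allowed to read,
# which networks it calls from, and a rows-per-day baseline. In practice this
# is derived from the vendor's documented scopes and your own historical logs.
APP_PROFILES = {
    "Klue": {"objects": {"Opportunity", "Account"},
             "networks": ["203.0.113.0/24"], "rows_per_day": 5000},
    "SupportBot": {"objects": {"Case"},
                   "networks": ["192.0.2.0/24"], "rows_per_day": 2000},
}


def ip_allowed(ip, networks):
    """True if the source address falls inside one of the app's known networks."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in networks)


def find_anomalies(events, profiles):
    """Return {(app, day): [reasons]} for every app-day that violates its profile.

    Three independent signals are checked: object outside the documented set,
    source network outside the known ranges, and total rows above baseline.
    Any one of them is enough to surface the app-day for review.
    """
    rows_by_app_day = defaultdict(int)
    reasons = defaultdict(list)
    for event in events:
        key = (event["app"], event["day"])
        profile = profiles.get(event["app"])
        if profile is None:
            # A token for an app nobody documented is itself a finding.
            reasons[key].append("unknown connected app")
            continue
        if event["object"] not in profile["objects"]:
            reasons[key].append(f"read {event['object']} outside documented objects")
        if not ip_allowed(event["ip"], profile["networks"]):
            reasons[key].append(f"source {event['ip']} outside known networks")
        rows_by_app_day[key] += event["rows"]
    for key, total in rows_by_app_day.items():
        baseline = profiles[key[0]]["rows_per_day"]
        if total > baseline:
            reasons[key].append(f"{total} rows exceed daily baseline {baseline}")
    # Collapse repeated reasons (one per event) while keeping their order.
    return {k: list(dict.fromkeys(v)) for k, v in reasons.items() if v}


def revocation_targets(anomalies):
    """Connected apps whose tokens should be revoked pending investigation."""
    return sorted({app for app, _ in anomalies})


if __name__ == "__main__":
    findings = find_anomalies(API_EVENTS, APP_PROFILES)
    for (app, day), why in sorted(findings.items()):
        print(f"{day} {app}:")
        for reason in why:
            print(f"  - {reason}")
    print("revoke tokens for:", revocation_targets(findings))
```

On the constructed input only the Klue token on 2026-06-11 is flagged, for all three reasons at once; the same token's normal day and the other vendor's activity pass. In a real tenant the follow-up to a hit is to revoke the app's tokens (Salesforce exposes a token revocation endpoint and lists connected-app OAuth usage in Setup) and then pull the full query history for that app-day, because the objects read, not the row count, tell you what was actually exposed.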
Klue's function as a competitive intelligence platform necessitates regular ingestion of data from clients' sales and marketing systems for market analysis and competitor tracking. This business model requires extensive integration with CRM platforms like Salesforce, making the stolen OAuth tokens particularly valuable to attackers.
The password manager sector has encountered multiple security incidents in 2026; for instance, Dashlane reported in June that its two-factor authentication system was brute-forced, resulting in the download of encrypted vaults from fewer than 20 accounts. This trend indicates that companies responsible for safeguarding users’ sensitive credentials remain significant targets, whether through direct breaches or via third-party vendors.
In response, LastPass has revoked the compromised OAuth tokens, is working with Klue on remediation, and has engaged third-party forensic investigators. The company has also advised affected customers to watch for phishing attempts that use the stolen personal information to make deceptive messages more convincing. Customers who shared sensitive details with LastPass support should assume that information may now be exposed.
The ransom demands from the Icarus group introduce an extortion aspect to what would typically be seen as straightforward data theft. Should the group carry out its threat to release the data, customers across all companies impacted by the Klue breach could be at risk for identity theft, targeted phishing, and social engineering attacks based on the specific information found in their support records and sales interactions.