LastPass leaked customer data again, this time through a vendor's hijacked OAuth tokens
LastPass told customers their names, emails, phone numbers, and support records leaked through a breach at vendor Klue. Vaults stayed locked.
LastPass is telling customers their personal data leaked again. This time the password manager didn’t get breached directly. A sales vendor did, and the spill flowed downhill from there to anyone whose details sat in the LastPass CRM.
The notice, first reported by 9to5Mac on June 23, traces back to Klue, a market-intelligence platform LastPass sales teams use. Attackers broke into Klue, lifted the OAuth tokens it held for its customers, and used LastPass’s token to reach into the LastPass Salesforce environment. Names, emails, and support tickets walked out the door. Master passwords and vaults did not. For a company whose entire pitch is “we hold your secrets,” even a CRM-only leak lands harder than it would anywhere else, because the brand is the trust.
What we know
The confirmed facts are narrow and consistent across the reporting. This matters because the headline word “breach” does a lot of work, and most people who see it will assume their vaults are at risk. They aren’t. Here’s what actually happened:
- LastPass learned of the Klue incident on June 12, 2026, then went public on June 23, per BleepingComputer.
- The exposed data was customer-relationship records: names, phone numbers, email addresses, physical addresses, support-case notes, and sales data. LastPass says vaults and master passwords were untouched.
- The attack chain ran vendor-first. Intruders used a compromised legacy credential to get into Klue, generated OAuth tokens, and rode those into connected Salesforce instances.
- An extortion group calling itself Icarus claimed the campaign on a Tor leak site, according to SecurityWeek.
- LastPass was not alone. Around 15 organizations confirmed impact, including BeyondTrust, Snyk, HackerOne, Huntress, Tanium, Jamf, and Recorded Future.
- LastPass killed employee access to Klue, rotated the exposed tokens, notified law enforcement, and flagged fraudulent sender domains being used in follow-on scams.
On the scope, the company was direct. “The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data,” LastPass said in its statement to SecurityWeek. The company also told customers to “remain vigilant of potential phishing attacks or social engineering attempts.”
What we don’t know
How many LastPass customers are in the leaked set is still unclear. The notice describes the categories of data, not the count of affected accounts. Huntress, one of the other victims, expects more Klue customers to surface, so the public victim list is probably not final.
Whether Icarus has actually published the LastPass slice of the data, versus only threatening to, has not been confirmed. The group runs an extortion model, so the threat to publish the stolen records is the pressure point. There’s also no public detail on which support-case contents were exposed. Support tickets can hold a lot more context than a CRM row, and that gap matters for anyone judging their own risk.
How this compares to 2022
This is where the history bites. In 2022, LastPass suffered a far worse breach: an attacker compromised a developer’s machine, stole source code, and eventually made off with encrypted customer vaults plus unencrypted account metadata. That saga dragged on for months, and security researchers later tied a string of large crypto thefts to vaults cracked offline. The 2026 Klue incident is smaller in blast radius. No vaults, no master passwords, no source code.
But the pattern rhymes. Both breaches reached LastPass through a softer edge rather than the core product: a developer endpoint in 2022, a sales vendor in 2026. The Klue campaign also fits a wider 2026 trend of attackers pivoting through SaaS integrations and stolen tokens, the same playbook behind the ShinyHunters Salesforce-style data thefts and the token-and-credential abuse running through the npm ecosystem. The vendor graph is the new attack surface.
What this means for you
If you use LastPass, your vault is fine. That part is real, and it is the part that matters most. The exposed data is contact and support information, which is annoying to leak but not catastrophic on its own. The actual danger is what comes next: phishing. Attackers now hold a list of confirmed LastPass users with real names, emails, and support history, which is exactly the raw material for a convincing “security alert” email that asks you to log in or verify your master password. So treat any LastPass-branded message with suspicion for the next few months. Never enter your master password anywhere except the app or the verified extension. Turn on hardware-key or app-based two-factor if you have not. And if you have lingered on LastPass since 2022 out of inertia, this is a fair moment to ask whether a fresh start elsewhere is worth the afternoon it takes.
Share this article
Sources
- LastPass notifies users of yet another data breach — 9to5Mac
- LastPass confirms data breach in Klue supply chain attack — BleepingComputer
- BeyondTrust, LastPass Impacted by Klue-Salesforce Incident — SecurityWeek