LastPass confirms breach via Klue supply chain attack

Manaal Khan · June 24, 2026 at 3:01 AM · 4 min read

Key Takeaways

Source: BleepingComputer
  • Attackers accessed LastPass customer data through stolen OAuth tokens from third-party vendor Klue
  • Exposed data includes names, emails, phone numbers, and support case details, but password vaults remain secure
  • The Icarus extortion group claimed responsibility, having compromised multiple organizations through Klue's infrastructure

LastPass confirmed on June 23, 2026 that hackers accessed customer data from its Salesforce environment after stealing OAuth tokens in a supply chain attack on Klue, a third-party market intelligence platform. Customer password vaults were not affected. The breach exposed names, phone numbers, email addresses, physical addresses, and CRM-related data.

The incident traces back to June 12, when LastPass learned that Klue's infrastructure had been compromised. An attacker obtained OAuth tokens that Klue held for its customers, then used those credentials to access LastPass's Salesforce environment. The company says its core products, services, and infrastructure remained untouched.

What data did attackers access?

According to LastPass, the breach exposed customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM-related data. The company found no evidence that attackers accessed Gong-related data, which typically includes customer calls and emails.

The exposed information creates a textbook phishing toolkit. Attackers could craft convincing social engineering attempts using real names, addresses, and support case details. LastPass warned users to treat unsolicited communications with suspicion, especially those requesting sensitive information. The company stressed that master passwords should never be shared with anyone.

How did the Klue breach happen?

The Icarus extortion group claimed responsibility for the attack. Hackers gained access to Klue's infrastructure using compromised legacy credentials for an integration service. Once inside, they reached OAuth tokens connecting Klue to various third-party services.

Klue is an AI-powered competitive intelligence platform used by sales and marketing teams. Its integrations with Salesforce and Gong made it a valuable target. The attackers exfiltrated CRM data from multiple organizations and launched an extortion campaign.

LastPass was not alone. The incident hit Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. All are enterprise software companies whose sales teams likely used Klue to track competitors.

What has LastPass done in response?

LastPass disabled employee access to Klue immediately and rotated all exposed API and OAuth tokens. The company notified law enforcement and continues to investigate.

In its disclosure, LastPass flagged three sender domains the attackers are using: baccarat.com.au, robinskitchen.com.au, and house.com.au. Any communication from these domains should be ignored. The company urged customers to trust only official support channels.
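The sender-domain warning above can be turned into a mail-filter check. This is an added example, not code from LastPass or the original article; the header list, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Sender domains named in the LastPass disclosure, as reported on this page.
FLAGGED_DOMAINS = {"baccarat.com.au", "robinskitchen.com.au", "house.com.au"}

# Assumption: check every header that can carry a sender address,
# because the From header alone misses Reply-To and envelope senders.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def domain_is_flagged(domain):
    """True for a flagged domain or a subdomain of one, never a lookalike suffix."""
    domain = domain.strip().strip(".").lower()
    return any(domain == d or domain.endswith("." + d) for d in FLAGGED_DOMAINS)


def flagged_senders(raw_message):
    """Return sorted (header, address) pairs whose domain is flagged."""
    msg = message_from_string(raw_message)
    hits = set()
    for header in SENDER_HEADERS:
        values = msg.get_all(header, [])
        for _display_name, addr in getaddresses(values):
            # The display name is ignored on purpose: it is free text.
            if "@" in addr and domain_is_flagged(addr.rsplit("@", 1)[1]):
                hits.add((header, addr.lower()))
    return sorted(hits)


# Constructed sample messages (not real mail).
SPOOFED_DISPLAY_NAME = (
    "From: LastPass Support <help@mail.house.com.au>\n"
    "Reply-To: billing@baccarat.com.au\n"
    "Subject: Action required on your account\n\nbody\n"
)
LOOKALIKE_ONLY = (
    "From: News <news@examplehouse.com.au>\n"
    "Subject: Weekly update\n\nbody\n"
)

if __name__ == "__main__":
    for sample in (SPOOFED_DISPLAY_NAME, LOOKALIKE_ONLY):
        print(flagged_senders(sample))
```

The match is on the address domain, so a trusted-looking display name does not hide a flagged sender, and a domain that merely ends in the same letters is not reported.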

Why supply chain attacks keep working

This breach follows a pattern. Attackers target smaller vendors with deep integrations into larger companies. OAuth tokens and API credentials become the prize, not the vendor's own data. Once attackers hold those tokens, they can access customer environments without touching the primary target's defenses.

Klue's legacy credentials were the entry point. Many organizations accumulate integration credentials over years, and cleaning them up rarely makes the priority list. That technical debt becomes a liability when attackers start probing vendor infrastructure.

For LastPass, this is the second major security incident in recent years. The company suffered a significant breach in 2022 that affected millions of users. While the current incident is smaller in scope, affecting marketing and sales data rather than vaults, it adds to a pattern that security-conscious customers will notice.

What LastPass users should do now

  • Watch for phishing attempts using your real name, address, or past support interactions
  • Ignore emails from baccarat.com.au, robinskitchen.com.au, or house.com.au
  • Verify any password-related requests through LastPass's official website, not email links
  • Never share your master password, even with someone claiming to be LastPass support

Your vault remains encrypted. The attackers got CRM data, not passwords. But the social engineering risk is real. Someone who knows your name, phone number, address, and that you contacted support in March has a strong opening for a convincing scam.

Logicity's Take

The Klue incident exposes a blind spot in enterprise security: third-party tools used by non-technical teams. Sales and marketing platforms rarely get the same security scrutiny as core infrastructure, but they hold OAuth tokens with broad access. Companies should audit which vendors hold credentials to their Salesforce, Slack, and other SaaS environments. The Icarus group found that these side doors are often propped open with years-old credentials nobody remembers creating.
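One way to run the vendor-credential audit described above, as an added example that is not from the article or any vendor. The inventory rows, field names, thresholds and finding labels are assumptions; the scope names are Salesforce OAuth scopes.

```python
from datetime import date

# Assumed policy for this example; set these to your own standard.
MAX_AGE_DAYS = 365    # rotate integration credentials at least yearly
MAX_IDLE_DAYS = 90    # revoke grants nobody has used recently
# Salesforce OAuth scopes that give wide or long-lived access.
HIGH_RISK_SCOPES = {"full", "api", "refresh_token"}

# Constructed inventory of vendor-held grants; field names are hypothetical.
INVENTORY = [
    {"vendor": "vendor-a", "scopes": ["full", "refresh_token"],
     "issued": date(2022, 3, 1), "last_used": date(2026, 6, 10), "owner": None},
    {"vendor": "vendor-b", "scopes": ["id"],
     "issued": date(2026, 1, 15), "last_used": date(2026, 6, 20), "owner": "sales-ops"},
    {"vendor": "vendor-c", "scopes": ["api"],
     "issued": date(2025, 9, 1), "last_used": date(2025, 10, 1), "owner": "marketing"},
]


def audit_grant(grant, today):
    """Return the list of findings for one vendor-held OAuth grant."""
    findings = []
    if (today - grant["issued"]).days > MAX_AGE_DAYS:
        findings.append("stale")            # not rotated within policy
    if (today - grant["last_used"]).days > MAX_IDLE_DAYS:
        findings.append("idle")             # still valid but unused
    if HIGH_RISK_SCOPES & set(grant["scopes"]):
        findings.append("high-risk-scope")  # wide or long-lived access
    if not grant["owner"]:
        findings.append("no-owner")         # nobody accountable for revoking it
    return findings


def audit(inventory, today):
    """Map vendor -> findings, omitting grants with nothing to report."""
    results = {g["vendor"]: audit_grant(g, today) for g in inventory}
    return {vendor: f for vendor, f in results.items() if f}


if __name__ == "__main__":
    for vendor, findings in audit(INVENTORY, date(2026, 6, 24)).items():
        print(vendor, ", ".join(findings))
```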

Frequently Asked Questions

Were LastPass password vaults compromised in this breach?

No. LastPass confirmed that customer vaults remained secure. The breach affected Salesforce CRM data, including names, emails, phone numbers, and support case information.

Who is responsible for the Klue supply chain attack?

The Icarus extortion group claimed responsibility. They used compromised legacy credentials to access Klue's infrastructure and steal OAuth tokens for multiple customers.

Which companies were affected by the Klue breach?

LastPass, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity were all impacted. All had Salesforce integrations through Klue.

What should LastPass users do to protect themselves?

Be cautious of phishing attempts using personal details. Ignore emails from baccarat.com.au, robinskitchen.com.au, or house.com.au. Never share your master password with anyone.

How did attackers get into Klue's systems?

They used compromised legacy credentials for an integration service. This gave them access to OAuth tokens connecting Klue to customers' Salesforce environments.


Need Help Implementing This?

If you're concerned about OAuth token management or third-party vendor security in your organization, reach out to Logicity's security partners for an integration audit. We can connect you with specialists who assess vendor access and credential hygiene.


Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
