
LastPass customer data stolen in Klue breach, third-party hack

Manaal Khan, June 27, 2026 at 11:46 AM, 4 min read

Key Takeaways

  • Hackers stole LastPass customer names, addresses, phone numbers, and support case data through a breach at vendor Klue
  • Password vaults remain unaffected, but support ticket contents may include sensitive account recovery details
  • This marks LastPass's second major security incident following the 2022 vault theft that led to crypto thefts

LastPass is notifying customers that hackers stole their personal information and support case records during a breach at Klue, a market research firm the password manager uses as a vendor. The stolen data includes names, phone numbers, email addresses, physical addresses, and customer support tickets. Password vaults were not accessed.

The breach at Klue, disclosed June 12, has now hit multiple cybersecurity companies. HackerOne, Recorded Future, and Tanium have all reported data thefts from the same incident. A hacking group called Icarus has claimed responsibility and threatened to release stolen data unless Klue pays a ransom.

What data did hackers actually get?

LastPass confirmed the exposed data in a blog post: customer names, phone numbers, email addresses, physical addresses, customer support case data, and sales-related records. The company stressed that its own infrastructure was not compromised and that encrypted password vaults remain secure.

But support tickets are often more revealing than they sound. Customers contact support when they're locked out of accounts or facing billing issues. Past breaches involving support tickets have exposed credentials and government-issued identity documents. LastPass has not disclosed what specific information those tickets contained or how many customers are affected.

As of 2024, the company reported more than 33 million users and roughly 1.6 million paying customers. LastPass did not respond to TechCrunch's questions about the scope of the incident.

Why this matters more for LastPass than other Klue victims

For most companies, a third-party vendor breach is a headache. For LastPass, it's another chapter in a trust crisis that began in 2022.

That year, hackers stole LastPass's entire repository of customer password vaults. The sensitive fields in those vaults were encrypted with keys derived from each user's master password (though some metadata, including site URLs, was stored in plaintext), but an offline copy can be attacked without any login endpoint, lockout or rate limit in the way: the attacker simply derives a key from each guessed master password and checks whether the vault decrypts. Customers with weak master passwords, or with the low PBKDF2 iteration counts that older accounts still carried, were exposed. Security researchers later linked several cryptocurrency thefts to attackers who had cracked LastPass vaults and extracted wallet keys.
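The offline attack described above, as an added example that is not LastPass's code and does not appear in the original article. The model is a deliberate simplification and an assumption: the vault key is PBKDF2-HMAC-SHA256 over the master password with the account email as salt, and the vault is a known-format blob encrypted under that key. The real vault format uses AES; the HMAC counter-mode keystream, the `LPAV` marker, the wordlist and the email address below are all constructed for the demonstration.

```python
# Added example (not LastPass's code): why a stolen offline copy of an encrypted
# vault is dangerous. Assumed, simplified model:
#   vault_key = PBKDF2-HMAC-SHA256(master_password, salt=email, iterations=N)
#   vault     = keystream(vault_key, nonce) XOR (MAGIC + contents)
# The keystream is a hypothetical HMAC counter-mode stand-in for AES so the
# block runs with only the standard library.
import hashlib
import hmac
import os
import time

MAGIC = b"LPAV"  # constructed known-plaintext marker at the start of every vault


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 32-byte vault key; the account email serves as the PBKDF2 salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hypothetical HMAC-based counter-mode keystream (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_vault(master_password: str, email: str, iterations: int, contents: bytes):
    """Return (nonce, ciphertext): the artifact an attacker walks away with."""
    key = derive_vault_key(master_password, email, iterations)
    plaintext = MAGIC + contents
    nonce = os.urandom(16)
    return nonce, _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def crack_offline(email: str, nonce: bytes, ciphertext: bytes, candidates, iterations: int):
    """Offline dictionary attack. Each guess is verified locally by decrypting
    the first bytes and checking the format marker; no server, lockout or
    rate limit is involved. Returns (password, guesses) or (None, guesses)."""
    for tried, guess in enumerate(candidates, start=1):
        key = derive_vault_key(guess, email, iterations)
        if _xor(ciphertext[:len(MAGIC)], _keystream(key, nonce, len(MAGIC))) == MAGIC:
            return guess, tried
    return None, len(candidates)


def guesses_per_second(iterations: int, email: str = "victim@example.com") -> float:
    """Rough single-core guess rate for this iteration count (measured, so noisy)."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", email, iterations)
    return 1.0 / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "victim@example.com"  # constructed
    # Constructed wordlist standing in for a leaked-password dictionary.
    wordlist = ["password", "letmein", "Summer2022!", "correct horse battery staple"]
    nonce, blob = encrypt_vault("Summer2022!", email, 5_000, b'{"site":"bank","pw":"hunter2"}')
    print(crack_offline(email, nonce, blob, wordlist, 5_000))  # ('Summer2022!', 3)
    low, high = guesses_per_second(5_000), guesses_per_second(600_000)
    print(f"~{low:.0f} guesses/s at 5,000 iterations vs ~{high:.1f}/s at 600,000 "
          f"(roughly {low / high:.0f}x slower per guess)")
```

Two things the block makes concrete: a higher iteration count raises the cost of every guess, which is why LastPass raised its default after 2022, but it only multiplies the attacker's work by a constant, so a master password that sits in a common wordlist still falls in seconds regardless of the KDF setting. Note also that the attacker needs the correct KDF parameters; if the iteration count is wrong, the check fails even for the right password.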

The 2022 breach triggered lawsuits, customer defections, and lasting reputational damage. This new incident, while less severe technically, arrives in that context. Customers who stayed with LastPass after 2022 may reconsider whether the company's vendor relationships meet their security expectations.

The Klue breach is a supply chain problem

Klue CEO Jason Smith confirmed that hackers were discovered in the company's systems on June 12. The Icarus group is demanding ransom. Smith has not said how many companies or customers are affected, or whether Klue has communicated with the attackers.

This pattern is becoming familiar. Attackers target vendors that serve dozens of security-conscious companies. One breach yields access to data from HackerOne, Recorded Future, Tanium, and LastPass all at once. The economics favor the attacker: breach one vendor, ransom multiple victims.

Okta, Twilio, and CircleCI have faced similar supply chain attacks in recent years. For CTOs evaluating vendor risk, the lesson is clear. Your security posture includes every third party that touches your customer data.

What should affected users do?

LastPass users should assume their contact details are compromised. Watch for targeted phishing attempts that reference your account or past support interactions. Attackers who know you use LastPass and have your phone number can craft convincing SMS or email lures.

If you filed a support ticket containing account recovery details or identity documents, treat those as potentially exposed. Enable two-factor authentication everywhere, and consider whether your current password manager meets your risk tolerance.


Logicity's Take

This breach won't trigger the same panic as 2022, but it compounds LastPass's trust deficit. For organizations, the real question is vendor oversight. Klue is a competitive intelligence platform used by sales and marketing teams. It's not a security vendor. Yet it held enough customer data from security companies to become a high-value target. CTOs should audit which vendors hold PII and what contractual obligations exist around breach notification. Competitors like 1Password and Bitwarden haven't faced comparable incidents, though 1Password's enterprise tier ($7.99/user/month) and Bitwarden's self-hosted option appeal to different risk profiles.

Frequently Asked Questions

Were LastPass password vaults stolen in the Klue breach?

No. LastPass confirmed that its infrastructure, including encrypted password vaults, was not accessed. Only data held by Klue was stolen.

What information did hackers steal from LastPass customers?

Names, phone numbers, email addresses, physical addresses, customer support case data, and sales-related information.

How many LastPass users are affected?

LastPass has not disclosed this. The company has 33 million total users and 1.6 million paying customers, but the subset affected by the Klue breach is unknown.

Who is responsible for the Klue breach?

A hacking group called Icarus has claimed credit and is threatening to release stolen data unless a ransom is paid.

Is this related to the 2022 LastPass breach?

No. The 2022 breach compromised LastPass's own systems and stole encrypted password vaults. This incident involved a third-party vendor and exposed different types of data.


Need Help Implementing This?

If your organization needs guidance on vendor risk assessment, password management policies, or incident response planning, contact the Logicity team for expert recommendations tailored to your security stack.

Source: TechCrunch / Zack Whittaker


Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
