LastPass Confirms Customer Data Exposure in Klue Supply Chain Attack
LastPass confirmed hackers accessed customer data in its Salesforce environment after stealing OAuth tokens during a breach of third-party vendor Klue.
The company said its password platform, infrastructure, and customer vaults were not affected. Stored passwords and encrypted vault data remain secure.
The breach originated from a supply chain attack on Klue, a market intelligence platform used by LastPass. After compromising Klue, attackers stole the OAuth tokens that connect Klue to its customers' systems. Those tokens were then used to access Salesforce data, including LastPass records.
What Data Was Exposed?
LastPass said the exposed information was limited to customer relationship management (CRM) data stored in Salesforce.
Potentially affected information includes:
- Customer names
- Phone numbers
- Email addresses
- Physical addresses
- Support case information
- Sales and CRM-related records
The company added that its investigation found no evidence that attackers accessed data connected to Gong, which can contain customer calls, emails, and related communications.
Attack Linked to Icarus Extortion Group
The attack is linked to the Icarus extortion group. Attackers reportedly accessed Klue using compromised legacy credentials, then harvested OAuth tokens to access customer systems and extract CRM data.
Multiple organizations were affected, highlighting the risk posed by third-party SaaS integrations that hold persistent, token-based access to customer systems.
LastPass Response
LastPass quickly responded to the incident by disabling access to Klue, rotating API and OAuth tokens, and launching an investigation in coordination with Klue and Salesforce.
The company also notified law enforcement and shared indicators of compromise with the security community. Remediation efforts have since been completed, and all affected credentials have been replaced.
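The attack pattern described above, a vendor's OAuth tokens used to pull CRM records in bulk, is detectable from the CRM's own API audit trail. The following Python sketch is an added example, not code from LastPass, Klue, Salesforce or the article's author. The event format, field names, app names, token ids and thresholds are all constructed assumptions; the idea is to flag a connected app whose token reads many record types in a short burst (a data pull, not a normal narrow sync) and to list the tokens that must be rotated.

```python
"""Detecting bulk CRM reads by a third-party OAuth integration.

Added example only. Event fields are an assumed, constructed shape
(timestamp|connected_app|token_id|operation|object|record_count), not any
vendor's real audit-log schema; map them onto your CRM's API logs first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per API call made with an OAuth token.
# "market-intel-vendor" plays the role of a compromised third-party app.
SAMPLE_EVENTS = """\
2024-01-10T09:02:11Z|market-intel-vendor|tok-a1|query|Contact|200
2024-01-10T09:02:40Z|market-intel-vendor|tok-a1|query|Contact|200
2024-01-10T09:03:05Z|market-intel-vendor|tok-a1|query|Account|150
2024-01-10T09:03:30Z|market-intel-vendor|tok-a1|query|Case|2000
2024-01-10T09:04:00Z|market-intel-vendor|tok-a1|query|Case|2000
2024-01-10T09:04:30Z|market-intel-vendor|tok-a1|query|Lead|1800
2024-01-10T09:15:00Z|helpdesk-sync|tok-b7|query|Case|40
2024-01-10T09:16:00Z|helpdesk-sync|tok-b7|update|Case|1
2024-01-10T10:00:00Z|billing-connector|tok-c3|query|Account|25
"""


def parse_events(text):
    """Parse the pipe-delimited constructed log into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, token, op, obj, count = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "app": app, "token": token, "op": op,
            "object": obj, "count": int(count),
        })
    return events


def bulk_read_alerts(events, window=timedelta(minutes=10),
                     max_records=1000, min_objects=3):
    """Flag connected apps that read more than max_records across at least
    min_objects distinct CRM objects inside one sliding time window.

    A legitimate integration usually touches one or two objects at a steady
    rate; a burst across Contacts, Accounts, Cases and Leads is the shape of
    a CRM data pull. For each flagged app the busiest window is reported."""
    by_app = defaultdict(list)
    for e in events:
        if e["op"] == "query":
            by_app[e["app"]].append(e)

    alerts = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            total = sum(e["count"] for e in window_evs)
            objects = {e["object"] for e in window_evs}
            if total > max_records and len(objects) >= min_objects:
                if best is None or total > best["records"]:
                    best = {
                        "records": total,
                        "objects": sorted(objects),
                        "tokens": sorted({e["token"] for e in window_evs}),
                        "window_start": window_evs[0]["ts"],
                    }
        if best is not None:
            alerts[app] = best
    return alerts


def tokens_to_rotate(alerts):
    """Tokens observed in flagged activity. In a real incident every grant
    issued to the flagged app should be revoked, not only those seen in logs."""
    return sorted({t for a in alerts.values() for t in a["tokens"]})


if __name__ == "__main__":
    found = bulk_read_alerts(parse_events(SAMPLE_EVENTS))
    for app, info in found.items():
        print(f"ALERT {app}: {info['records']} records across "
              f"{', '.join(info['objects'])} from {info['window_start']:%H:%M}Z")
    print("rotate:", tokens_to_rotate(found))
```

Thresholds belong to the environment, not the script: baseline each connected app's normal object set and hourly volume first, then alert on departures from that baseline rather than on fixed numbers. Pairing this with an inventory of every OAuth grant and its last-used date gives the list needed for the kind of token rotation described above.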
Users Advised to Watch for Phishing Attempts
Exposed contact data may be used for phishing or social engineering.
LastPass advises users to ignore unsolicited requests for sensitive information and confirms it will never ask for a master password. Users should rely only on official support channels.
In other cybersecurity developments, researchers recently uncovered a WhatsApp malware campaign, while OpenAI’s Patch the Planet initiative aims to help secure open-source software.
Additionally, Senator Mark Warner claimed that Mythos AI breached NSA systems during testing, confirming once again the dangers of such an AI tool.
Via BleepingComputer