A third-party vendor breach has once again pulled LastPass into a cybersecurity incident, exposing customer contact and support data in a supply chain attack that did not touch its password vaults but still raises fresh concerns about user safety.
LastPass said it was affected by a security incident originating at Klue, a market intelligence platform used by its go-to-market teams and integrated with Salesforce and Gong. The company said it first became aware of the issue on June 12, when Klue disclosed that attackers had accessed its systems using compromised credentials tied to legacy integrations.
According to LastPass, the attackers obtained OAuth tokens held by Klue for multiple customers and used them to access LastPass data stored in its Salesforce environment. The company described the incident as limited to systems connected through Klue, stressing that its core infrastructure was not compromised.
What data was accessed
The exposed information was drawn from LastPass’s customer relationship management systems rather than its password manager infrastructure.
According to LastPass, the data included standard business contact details such as customer names, phone numbers, email addresses, and physical addresses. It also included customer support case data and sales-related CRM records. The company said its password vaults, master passwords, and core product systems were not affected.
LastPass response and containment
LastPass said it moved quickly once the issue was identified, launching an internal investigation and working alongside Klue and Salesforce to assess the scope of the breach.
The company said it took several immediate steps, including discontinuing employee access to Klue, rotating exposed API tokens, and notifying law enforcement. It also said its Threat Intelligence, Mitigation, and Escalation (TIME) team is now sharing threat information with the wider security community to help disrupt related activity and strengthen defenses.
Remediation has reportedly been completed, and the exposed OAuth tokens have been rotated.
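The incident turns on a familiar supply-chain pattern: a vendor holding OAuth tokens for many customers is effectively inside each customer's CRM, so a compromise at the vendor exposes whatever those tokens can reach, and the response has to be an inventory-driven revoke-and-rotate rather than a search for an intrusion into one's own infrastructure. The following audit script is an added example, not code from LastPass, Klue, or Salesforce; it models a third-party grant inventory with constructed records and assumed field names (`vendor`, `token_id`, `scopes`, `issued`, `last_used`, `legacy`), flags grants that should be rotated on age or legacy status alone, and, given a vendor incident notice, produces the revocation list and the data categories the exposed scopes could reach.

```python
"""Audit of third-party OAuth grants into a CRM tenant (added example).

Not LastPass's, Klue's or Salesforce's code. The grant records, dates and
scope names below are constructed for illustration; the scope-to-data
mapping is an assumption about how a tenant might classify its own data.
"""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    token_id: str
    vendor: str
    scopes: frozenset
    issued: date
    last_used: date
    legacy: bool = False   # integration the vendor no longer maintains

# Constructed sample inventory (placeholder identifiers and dates).
SAMPLE_GRANTS = [
    Grant("tok-001", "klue", frozenset({"crm.contacts.read", "crm.cases.read"}),
          date(2024, 1, 10), date(2024, 8, 30), legacy=True),
    Grant("tok-002", "klue", frozenset({"crm.contacts.read"}),
          date(2024, 7, 1), date(2024, 8, 31)),
    Grant("tok-003", "gong", frozenset({"calls.read"}),
          date(2024, 8, 1), date(2024, 8, 31)),
    Grant("tok-004", "old-analytics", frozenset({"crm.full"}),
          date(2023, 2, 2), date(2024, 3, 1), legacy=True),
]

# Assumed classification of what each scope can read in this tenant.
SCOPE_DATA = {
    "crm.contacts.read": {"names", "emails", "phone numbers", "addresses"},
    "crm.cases.read": {"support case data"},
    "crm.full": {"names", "emails", "phone numbers", "addresses",
                 "support case data", "sales records"},
    "calls.read": {"call recordings"},
}

def stale_grants(grants, today, max_age_days=90, idle_days=60):
    """Return {token_id: [reasons]} for grants that should be rotated or
    revoked regardless of any incident: legacy integrations, tokens older
    than max_age_days, or tokens unused for idle_days."""
    findings = {}
    for g in grants:
        reasons = []
        if g.legacy:
            reasons.append("legacy integration")
        if (today - g.issued).days > max_age_days:
            reasons.append("token older than %d days" % max_age_days)
        if (today - g.last_used).days > idle_days:
            reasons.append("unused for more than %d days" % idle_days)
        if reasons:
            findings[g.token_id] = reasons
    return findings

def vendor_incident_plan(grants, vendor):
    """On a vendor breach notice every token that vendor holds is presumed
    exposed: list them for revocation and summarise the reachable data."""
    affected = [g for g in grants if g.vendor == vendor]
    exposed_scopes = set()
    for g in affected:
        exposed_scopes |= g.scopes
    categories = set()
    for s in exposed_scopes:
        categories |= SCOPE_DATA.get(s, {"unclassified scope: " + s})
    return {
        "revoke": sorted(g.token_id for g in affected),
        "disable_integrations": sorted({g.vendor for g in affected}),
        "data_at_risk": sorted(categories),
    }

if __name__ == "__main__":
    today = date(2024, 9, 1)   # constructed audit date
    print("routine rotation:", stale_grants(SAMPLE_GRANTS, today))
    print("incident plan:", vendor_incident_plan(SAMPLE_GRANTS, "klue"))
```

Two points the output makes concrete: the routine audit would already have flagged the legacy Klue grant before any incident, and the incident plan revokes every Klue-held token, including the non-legacy one that passes the routine checks, because exposure follows the vendor, not the token's age.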
Exposed support data still creates risk
Although LastPass says password vaults were not touched, the stolen support data could still be useful to attackers.
Security researchers note that customer support records often contain sensitive context about account issues and identity details, which can be used to craft convincing phishing attempts. The incident also adds pressure on LastPass, which continues to face scrutiny following its major 2022 breach, in which encrypted vault data was exposed through earlier infrastructure compromises.
Klue, the compromised vendor, has also taken steps to revoke affected credentials and disable impacted integrations as part of its own remediation efforts.