LastPass says hackers stole some personal customer details and support case records through a breach involving one of its service providers. This could give criminals useful information to send convincing fake emails, texts, or calls that appear to be related to your account.
The password manager maker confirmed the incident on June 22, 2026, tracing it to Klue — a third-party market-intelligence platform used by LastPass go-to-market teams — not LastPass’s own infrastructure.
Read LastPass’s official notice:
https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response
What Happened
On June 12, 2026, LastPass learned that attackers compromised Klue (klue.com) and stole OAuth tokens Klue held on behalf of multiple customers. The Icarus extortion group claimed the Klue breach and used those tokens to access LastPass customer data inside Salesforce — LastPass’s CRM and support system.
LastPass states:
- Customer password vaults were not accessed — encrypted vault data stored in LastPass products was not part of this incident.
- LastPass infrastructure was not compromised.
- No evidence that Gong call-recording data was accessed.
The distinction matters for vault security, but does not eliminate phishing risk from stolen contact and support-ticket context.
Illustrated supply chain path
OAuth tokens stolen at vendor Klue

Attackers compromised Klue and stole OAuth tokens the vendor held for multiple customers — not LastPass’s vault infrastructure.
CRM access via stolen integration token

The Icarus group used those tokens to access LastPass customer data inside Salesforce — names, addresses, phones, and support case history.
Spear-phishing enabled by support context

Attackers do not need your master password if they know your name, address, and that you recently opened a support ticket. Expect spear-phishing referencing real ticket subjects or dates.
Data Exposed
According to LastPass notifications and reporting by TechCrunch and BleepingComputer, exposed records may include:
- Customer names
- Phone numbers
- Email addresses
- Physical addresses
- Support case information (ticket contents and history)
- Sales / CRM-related data
Support tickets often contain billing disputes, account-recovery context, and sometimes credentials or identity documents customers paste into chats — even when vault passwords themselves were never stored there.
Why This Breach Is Dangerous Anyway
Attackers do not need your master password to cause harm if they know your name, address, phone number, and that you recently opened a support case about billing or account access.
Expect:
- Spear-phishing referencing real support ticket subjects or dates
- Smishing and vishing that cite your LastPass account or “urgent vault backup”
- Display-name spoofing — fake “LastPass Security” senders with unrelated reply-to addresses (a tactic LastPass warned about in January and March 2026 phishing campaigns on its blog)
LastPass will never ask for your master password by email or phone. Any message that does is fraudulent — even if it uses your real name and address.
Connection to the 2022 LastPass Breach
LastPass suffered a major 2022 breach in which attackers stole encrypted password vault backups. Researchers later linked weak master passwords and recovered vault data to cryptocurrency thefts.
This June 2026 Klue incident is separate — CRM and support metadata, not vault ciphertext. Customers should still treat LastPass as a high-value phishing target and ensure strong, unique master passwords plus MFA on the LastPass account itself.
Other Companies Affected
The Klue OAuth attack hit more than a dozen organizations integrating Klue with Salesforce, including BeyondTrust, HackerOne, Jamf, Recorded Future, Snyk, and Tanium, according to SecurityWeek. Salesforce and Gong disabled the Klue integration platform-wide after the incident.
What LastPass Customers Should Do Now
- Be skeptical of unsolicited email, SMS, or calls mentioning LastPass — verify via the official app or lastpass.com typed manually.
- Never share your master password or one-time recovery codes with anyone claiming to be support.
- Forward suspicious LastPass-branded mail to abuse@lastpass.com for verification.
- Enable MFA on your LastPass account if not already active.
- Rotate passwords for any accounts you discussed in LastPass support tickets if sensitive details may have been included.
- Review vault sharing and remove stale emergency-access contacts.
Why Texas Businesses Should Care
Law firms, CPAs, and financial advisors increasingly standardize on enterprise password managers. A support-case leak that reveals which vendor handles your wire transfers or which client portal you cannot access gives attackers material for BEC and client impersonation — the same patterns in our April 2026 incident roundup and Texas OAG breach tracker.
Third-party OAuth integrations (Klue → Salesforce) are the new perimeter. Vendor risk reviews must cover token scope, revocation procedures, and CRM data classification — not only the primary SaaS app’s security page.
Independent Cybersecurity Audit
We audited domains central to this incident on June 24, 2026:
| Organization (Domain) | Overall | Risk Level |
|---|---|---|
| Klue (klue.com) | 78% | Good |
| LastPass (lastpass.com) | 71% | Good |
| Salesforce (salesforce.com) | 62% | High Risk |
| GoTo / LogMeIn parent (goto.com) | 58% | High Risk |
| LogMeIn legacy (logmein.com) | 58% | High Risk |
Strong scores on lastpass.com and klue.com reflect public email-authentication posture — they do not mean OAuth tokens stored at a vendor could not be abused, as this breach demonstrates.
Audit links:
Related trackers
- FBI Kali365 M365 OAuth alert
- April 2026 cyber incidents
- Law firm breach tracker
- Financial services tracker
- Monitoring guide
- All trackers
Benchmark your organization’s email security.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for vendor OAuth reviews and phishing tabletop exercises.
Sources: LastPass — Klue supply chain incident · TechCrunch · EmailMeNow audits — lastpass.com · klue.com