Back to news
Cybersecurity Alert
June 24, 2026 by EmailMeNow IT Consulting

LastPass Customer Data Stolen in Klue Supply Chain Breach — Vaults Reported Secure

LastPass says hackers stole names, addresses, and support case records via OAuth tokens compromised at vendor Klue. Password vaults were not accessed, but stolen PII enables convincing phishing. Audits score lastpass.com at 71% and klue.com at 78%.

Source: LastPass / TechCrunch

LastPassData BreachSupply ChainOAuthPhishingCybersecurity
LastPass data breach notification following Klue supply chain attack

LastPass says hackers stole some personal customer details and support case records through a breach involving one of its service providers. This could give criminals useful information to send convincing fake emails, texts, or calls that appear to be related to your account.

The password manager maker confirmed the incident on June 22, 2026, tracing it to Klue — a third-party market-intelligence platform used by LastPass go-to-market teams — not LastPass’s own infrastructure.

Read LastPass’s official notice:
https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response

What Happened

On June 12, 2026, LastPass learned that attackers compromised Klue (klue.com) and stole OAuth tokens Klue held on behalf of multiple customers. The Icarus extortion group claimed the Klue breach and used those tokens to access LastPass customer data inside Salesforce — LastPass’s CRM and support system.

LastPass states:

  • Customer password vaults were not accessed — encrypted vault data stored in LastPass products was not part of this incident.
  • LastPass infrastructure was not compromised.
  • No evidence that Gong call-recording data was accessed.

The distinction matters for vault security, but does not eliminate phishing risk from stolen contact and support-ticket context.

Illustrated supply chain path

OAuth tokens stolen at vendor Klue

Illustration: third-party vendor OAuth tokens compromised in supply chain attack

Attackers compromised Klue and stole OAuth tokens the vendor held for multiple customers — not LastPass’s vault infrastructure.

CRM access via stolen integration token

Illustration: attacker viewing customer support records in Salesforce CRM

The Icarus group used those tokens to access LastPass customer data inside Salesforce — names, addresses, phones, and support case history.

Spear-phishing enabled by support context

Illustration: victim receiving convincing fake password manager security text

Attackers do not need your master password if they know your name, address, and that you recently opened a support ticket. Expect spear-phishing referencing real ticket subjects or dates.

Data Exposed

According to LastPass notifications and reporting by TechCrunch and BleepingComputer, exposed records may include:

  • Customer names
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Support case information (ticket contents and history)
  • Sales / CRM-related data

Support tickets often contain billing disputes, account-recovery context, and sometimes credentials or identity documents customers paste into chats — even when vault passwords themselves were never stored there.

Why This Breach Is Dangerous Anyway

Attackers do not need your master password to cause harm if they know your name, address, phone number, and that you recently opened a support case about billing or account access.

Expect:

  • Spear-phishing referencing real support ticket subjects or dates
  • Smishing and vishing that cite your LastPass account or “urgent vault backup”
  • Display-name spoofing — fake “LastPass Security” senders with unrelated reply-to addresses (a tactic LastPass warned about in January and March 2026 phishing campaigns on its blog)

LastPass will never ask for your master password by email or phone. Any message that does is fraudulent — even if it uses your real name and address.

Connection to the 2022 LastPass Breach

LastPass suffered a major 2022 breach in which attackers stole encrypted password vault backups. Researchers later linked weak master passwords and recovered vault data to cryptocurrency thefts.

This June 2026 Klue incident is separate — CRM and support metadata, not vault ciphertext. Customers should still treat LastPass as a high-value phishing target and ensure strong, unique master passwords plus MFA on the LastPass account itself.

Other Companies Affected

The Klue OAuth attack hit more than a dozen organizations integrating Klue with Salesforce, including BeyondTrust, HackerOne, Jamf, Recorded Future, Snyk, and Tanium, according to SecurityWeek. Salesforce and Gong disabled the Klue integration platform-wide after the incident.

What LastPass Customers Should Do Now

  1. Be skeptical of unsolicited email, SMS, or calls mentioning LastPass — verify via the official app or lastpass.com typed manually.
  2. Never share your master password or one-time recovery codes with anyone claiming to be support.
  3. Forward suspicious LastPass-branded mail to abuse@lastpass.com for verification.
  4. Enable MFA on your LastPass account if not already active.
  5. Rotate passwords for any accounts you discussed in LastPass support tickets if sensitive details may have been included.
  6. Review vault sharing and remove stale emergency-access contacts.

Why Texas Businesses Should Care

Law firms, CPAs, and financial advisors increasingly standardize on enterprise password managers. A support-case leak that reveals which vendor handles your wire transfers or which client portal you cannot access gives attackers material for BEC and client impersonation — the same patterns in our April 2026 incident roundup and Texas OAG breach tracker.

Third-party OAuth integrations (Klue → Salesforce) are the new perimeter. Vendor risk reviews must cover token scope, revocation procedures, and CRM data classification — not only the primary SaaS app’s security page.

Independent Cybersecurity Audit

We audited domains central to this incident on June 24, 2026:

Organization (Domain)OverallRisk Level
Klue (klue.com)78%Good
LastPass (lastpass.com)71%Good
Salesforce (salesforce.com)62%High Risk
GoTo / LogMeIn parent (goto.com)58%High Risk
LogMeIn legacy (logmein.com)58%High Risk

Strong scores on lastpass.com and klue.com reflect public email-authentication posture — they do not mean OAuth tokens stored at a vendor could not be abused, as this breach demonstrates.

Audit links:


Benchmark your organization’s email security.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for vendor OAuth reviews and phishing tabletop exercises.


Sources: LastPass — Klue supply chain incident · TechCrunch · EmailMeNow audits — lastpass.com · klue.com