LastPass says hackers stole customer data through a supply chain breach at Klue

Hackers used OAuth tokens stolen from competitive intelligence firm Klue to access LastPass customer support records in Salesforce, but password vaults were not affected



TL;DR

LastPass customer names, emails, phone numbers, and support case data were stolen after hackers breached vendor Klue and used OAuth tokens to access Salesforce.

LastPass is notifying customers that their personal information and customer support case data were stolen after hackers breached Klue, a competitive intelligence vendor that held OAuth tokens granting access to LastPass’s Salesforce environment. The breach did not compromise LastPass’s own infrastructure or its customers’ encrypted password vaults. The stolen data includes names, phone numbers, email addresses, physical addresses, and the contents of customer support interactions.

Klue disclosed the breach on June 12, when CEO Jason Smith confirmed that attackers had gained access to OAuth tokens the company held on behalf of its customers. Those tokens provided authenticated access to Salesforce environments where companies like LastPass store customer relationship and support data. The hackers used the stolen tokens to extract records from multiple organisations simultaneously.

A hacking and extortion group called Icarus claimed responsibility for the attack, threatening to release the stolen data unless affected companies paid a ransom. LastPass has not disclosed how many customers were affected but said it is notifying those whose information was compromised. The company has approximately 33 million users and more than one million paying customers as of its most recent public figures.

LastPass is not the only company hit. Supply chain attacks have become one of the defining cybersecurity threats of 2026, and the Klue breach followed the same pattern: rather than attacking the target directly, hackers compromised a trusted third-party vendor that held access credentials. Other companies affected by the Klue breach include HackerOne, Recorded Future, Tanium, Gong, Jamf, Snyk, OneTrust, Sprout Social, and Huntress.

The incident is particularly damaging for LastPass because of the company’s history. In 2022, hackers breached LastPass directly and stole encrypted backups of customer password vaults, and security researchers later confirmed that some vaults protected by weak master passwords were cracked offline, with the recovered credentials linked to cryptocurrency thefts exceeding 150 million dollars. That breach eroded trust in the company and prompted a wave of customers to switch to competitors.

This time, LastPass emphasised that its own systems were not compromised and that encrypted password vaults were not accessed. The distinction is important but may offer limited comfort to customers whose personal details and support case contents are now in the hands of an extortion group. Support cases can contain sensitive context about account issues, security concerns, and billing details that users shared expecting confidentiality.

The breach highlights a structural vulnerability in how companies manage third-party vendor access. OAuth tokens are designed to grant limited, revocable access to specific resources without sharing passwords, but when a vendor like Klue holds tokens for dozens of enterprise customers, compromising that single vendor yields access to all of them at once. A stolen long-lived refresh token is the worst case: the attacker can mint fresh access tokens from it until the grant is revoked, and revocation has to happen on the issuer’s side (here, Salesforce) rather than at the vendor. The attack surface is therefore not only the target company’s own security posture but the posture of every vendor that holds a standing grant into its systems.

Klue’s role as a competitive intelligence platform means it routinely ingests data from customers’ sales and marketing systems to provide market analysis and competitor tracking. That business model requires deep integrations with CRM platforms like Salesforce, which is precisely what made the stolen OAuth tokens so valuable to attackers.
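The two controls the preceding paragraphs imply are a standing audit of what each vendor-held grant can do, and a plan to revoke every token a vendor holds the moment that vendor is breached. The script below is an added example written for this page, not code from LastPass, Klue or Salesforce. The grant inventory, vendor and app names, integration users and token strings are constructed placeholders; the scope allowlist and 90-day idle limit are policy assumptions; only the Salesforce revocation endpoint URL and the `token` form parameter are real and documented.

```python
"""Audit third-party OAuth grants into a Salesforce org and plan bulk revocation.

Added example, not code from LastPass, Klue or Salesforce. The grant inventory
below is constructed sample data; the connected-app names, integration users
and token strings are invented placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Salesforce's documented OAuth 2.0 token revocation endpoint (production host).
SF_REVOKE_URL = "https://login.salesforce.com/services/oauth2/revoke"

# Policy assumption: a read-only analytics vendor needs API access plus the
# ability to refresh, and nothing broader than that.
VENDOR_ALLOWED_SCOPES = frozenset({"api", "refresh_token"})
MAX_IDLE = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    vendor: str              # connected app the token was issued to
    user: str                # Salesforce integration user it acts as
    scopes: frozenset        # OAuth scopes on the grant
    last_used: datetime      # last time the refresh token was exercised
    refresh_token: str       # opaque token; placeholder value here


def over_scoped(grant: Grant) -> set[str]:
    """Scopes beyond what a vendor integration is allowed to hold."""
    return set(grant.scopes) - VENDOR_ALLOWED_SCOPES


def stale(grant: Grant, now: datetime, max_idle: timedelta = MAX_IDLE) -> bool:
    """An unused long-lived refresh token is pure liability: flag it."""
    return now - grant.last_used > max_idle


def audit(inventory: list[Grant], now: datetime) -> list[tuple[str, str, list[str]]]:
    """Return (vendor, user, reasons) for every grant that violates policy."""
    findings = []
    for g in inventory:
        reasons = []
        extra = over_scoped(g)
        if extra:
            reasons.append("over-scoped: " + ",".join(sorted(extra)))
        if stale(g, now):
            reasons.append(f"idle > {MAX_IDLE.days} days")
        if reasons:
            findings.append((g.vendor, g.user, reasons))
    return findings


def revoke_plan(inventory: list[Grant], compromised_vendor: str) -> list[tuple[str, str]]:
    """On a vendor breach, revoke every token that vendor holds, not just one.

    Revocation happens at the issuer (Salesforce), so each entry is the POST
    target and form body to send; this builds the requests without sending.
    Per RFC 7009 the issuer should also invalidate access tokens issued from
    a revoked refresh token.
    """
    return [
        (SF_REVOKE_URL, urlencode({"token": g.refresh_token}))
        for g in inventory
        if g.vendor == compromised_vendor
    ]


# Constructed inventory (hypothetical vendors, users and tokens).
NOW = datetime(2026, 6, 12, tzinfo=timezone.utc)
INVENTORY = [
    Grant("intel-vendor-app", "intel.svc@example.com",
          frozenset({"api", "refresh_token"}), NOW - timedelta(days=2), "rt-intel-001"),
    Grant("intel-vendor-app", "support-sync@example.com",
          frozenset({"full", "refresh_token"}), NOW - timedelta(days=5), "rt-intel-002"),
    Grant("marketing-app", "mktg.svc@example.com",
          frozenset({"api", "refresh_token"}), NOW - timedelta(days=200), "rt-mktg-001"),
]

if __name__ == "__main__":
    for vendor, user, reasons in audit(INVENTORY, NOW):
        print(f"{vendor} / {user}: {'; '.join(reasons)}")
    for url, body in revoke_plan(INVENTORY, "intel-vendor-app"):
        print(f"POST {url}  {body}")
```

Run stand-alone, the audit flags the second grant for carrying the `full` scope and the third for sitting idle for 200 days, and the revocation plan for `intel-vendor-app` covers both of that vendor's tokens even though only one of them looked suspicious. The point of keying the plan on the vendor rather than on individual findings is the one the article makes: once the vendor is compromised, every grant it held is compromised.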

The password manager industry has faced repeated security incidents in 2026, with Dashlane disclosing in June that attackers brute-forced its two-factor authentication system and downloaded encrypted vaults from fewer than 20 accounts. The pattern suggests that companies responsible for storing users’ most sensitive credentials remain high-value targets, whether through direct attacks or through the vendors they rely on.

LastPass said it has revoked the compromised OAuth tokens, is working with Klue on remediation, and has engaged third-party forensic investigators. The company advised affected customers to be alert for phishing attempts that use the stolen personal information to craft convincing messages. Customers who contacted LastPass support and shared sensitive details in those interactions should treat that information as potentially exposed.

The Icarus group’s ransom demands add an extortion dimension to what would otherwise be a conventional data theft. If the group follows through on its threat to publish the data, affected customers across all companies hit by the Klue breach could face identity theft, targeted phishing, and social engineering attacks built on the specific details found in their support records and sales interactions.
