The LastPass Klue data breach has exposed customers’ names, phone numbers, email addresses, physical addresses, and customer support case records, the password manager maker disclosed, after hackers exploited a supply-chain vulnerability at market intelligence firm Klue to reach deep into the go-to-market systems of Klue’s customers, LastPass among them.
LastPass said the breach did not touch its own infrastructure. Customers’ password vaults remain intact. But the company confirmed that Klue, described in its disclosure as a third-party market intelligence platform used by its go-to-market teams, integrates directly with its Salesforce and Gong systems, and it was through those integrations that attackers obtained the data.
How Stolen OAuth Tokens Unlocked Salesforce and Gong
The attack began around 12 June, when threat actors gained initial access through a compromised legacy credential tied to a Klue integration service account. From there, they harvested OAuth tokens connecting Klue to third-party platforms, then used those tokens to move laterally into connected customer environments. SecurityWeek reports the attack spanned 11–12 June.
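The pattern described above, a trusted integration’s OAuth token suddenly used to bulk-read data, is what a Salesforce administrator would want to spot in API event logs. The following is an added detection example, not code from LastPass, Klue or Salesforce; the column names (TIMESTAMP_DERIVED, USER_ID, CLIENT_NAME, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED) are assumed to follow the Salesforce EventLogFile ‘API’ event type, the app name is hypothetical, and the log records are constructed.

```python
import csv, io
from collections import defaultdict
from statistics import median

# Constructed sample log in an assumed EventLogFile-style layout. The
# integration account normally reads a few Account/Opportunity rows per
# call; on the last day it bulk-reads Cases and Contacts from a new IP.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
2025-06-10T09:00:00Z,005INTEG,ExampleIntegrationApp,203.0.113.10,Account,40
2025-06-10T10:00:00Z,005INTEG,ExampleIntegrationApp,203.0.113.10,Account,35
2025-06-11T09:00:00Z,005INTEG,ExampleIntegrationApp,203.0.113.10,Account,42
2025-06-11T10:00:00Z,005INTEG,ExampleIntegrationApp,203.0.113.10,Opportunity,30
2025-06-12T03:14:00Z,005INTEG,ExampleIntegrationApp,198.51.100.7,Case,18000
2025-06-12T03:20:00Z,005INTEG,ExampleIntegrationApp,198.51.100.7,Contact,52000
"""

def parse_log(text):
    """Parse CSV event rows; ROWS_PROCESSED becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"])
    return rows

def find_anomalies(rows, baseline_days, spike_factor=10):
    """Return (timestamp, app, reasons) for every connected-app call outside
    the baseline window that comes from an IP never seen in the baseline,
    reads an object the app never touched, or processes more than
    spike_factor times the app's median baseline row count."""
    base = [r for r in rows if r["TIMESTAMP_DERIVED"][:10] in baseline_days]
    seen_ips, seen_objs, sizes = defaultdict(set), defaultdict(set), defaultdict(list)
    for r in base:
        app = r["CLIENT_NAME"]
        seen_ips[app].add(r["CLIENT_IP"])
        seen_objs[app].add(r["ENTITY_NAME"])
        sizes[app].append(r["ROWS_PROCESSED"])
    findings = []
    for r in rows:
        if r in base:
            continue
        app, reasons = r["CLIENT_NAME"], []
        if r["CLIENT_IP"] not in seen_ips[app]:
            reasons.append("new source IP " + r["CLIENT_IP"])
        if r["ENTITY_NAME"] not in seen_objs[app]:
            reasons.append("new object " + r["ENTITY_NAME"])
        if sizes[app] and r["ROWS_PROCESSED"] > spike_factor * median(sizes[app]):
            reasons.append("row count %d far above baseline" % r["ROWS_PROCESSED"])
        if reasons:
            findings.append((r["TIMESTAMP_DERIVED"], app, "; ".join(reasons)))
    return findings
```

Run against the sample with `find_anomalies(parse_log(SAMPLE_LOG), {"2025-06-10", "2025-06-11"})` and both 12 June calls are flagged on all three criteria, while the baseline days produce nothing.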
Salesforce subsequently disabled the Klue Battlecards integration and told affected organisations they cannot reconnect through it until further notice. The company stated that its security teams ‘recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce,’ adding that ‘this issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.’ Revenue intelligence platform Gong also disabled its Klue integration after warning that hackers exploited it to access internal licensed user data.
According to Infosecurity Magazine, the attackers did not merely observe data in transit. They impersonated Klue within connected Salesforce environments to actively exfiltrate sensitive customer information, with Huntress, ReliaQuest, Recorded Future, Jamf, and Tanium all confirming their Salesforce accounts were accessed this way.
What the LastPass Klue Data Breach Actually Exposed
The contents of individual customer support tickets have not been disclosed publicly. That detail matters: support tickets routinely contain fragments of account information, billing records, and, in past incidents involving other companies, credentials and government-issued identity documents. LastPass serves more than 33 million users and around 1.6 million paying customers, though the company has not stated how many are affected here.
LastPass is one of at least nine organisations now known to have been caught in the Klue supply-chain attack. BleepingComputer lists cybersecurity firms HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium among those affected, alongside Sprout Social and Insurity. Huntress has described itself as one of ‘hundreds of Klue customers’ hit by the breach. Klue itself claims to serve more than 250,000 companies worldwide, according to The Register, which gives a sense of the potential exposure surface.
Klue’s own investigation concluded that ‘the incident was limited to the affected third-party platforms, and there is no evidence that customer content stored within the Klue platform was impacted.’ CEO Jason Smith disclosed the breach publicly after his company identified the intrusion on 12 June. Smith has not answered questions about how many customers are affected or whether Klue has engaged with the attackers.
The extortion group claiming responsibility, Icarus, has threatened to publish the stolen data unless a ransom is paid. Huntress independently linked Icarus to the Klue operation by tracing Session Messenger IDs used in extortion emails sent to affected organisations back to the group’s data leak site.
For LastPass, the timing is awkward. The company’s 2022 breach, in which hackers stole its entire store of encrypted customer password vaults, drew lasting scrutiny: attackers were subsequently suspected of cracking vaults protected by weak master passwords to steal cryptocurrency wallet keys, with several crypto thefts later attributed to that incident. The current breach does not touch vaults. But it adds another episode to a record that customers are watching closely.
Whether Icarus follows through on its ransom threat, and what support ticket contents ultimately reveal, will determine how serious the downstream exposure proves to be.
