
LastPass Customer Data Exposed in Klue Supply Chain Attack
Password vaults stayed secure. Attackers went through a sales tool, not LastPass's own systems - and six other companies lost data in the same breach.
Hackers stole customer data from LastPass by targeting Klue, a market intelligence platform the company's sales teams use to track competitor data - not LastPass's own systems. Icarus, an extortion group that surfaced in late April 2026, broke into Klue's infrastructure using compromised legacy credentials and pulled OAuth tokens connecting Klue to its enterprise customers' Salesforce accounts. LastPass confirmed Monday that attackers used those tokens to reach its Salesforce environment. Password vaults stayed secure.
Attackers Entered Through Klue's OAuth Tokens, Not LastPass Systems
Icarus got into Klue using legacy credentials for an integration service - a standard set of login credentials that should have been decommissioned or rotated. From there, the group collected OAuth tokens that Klue stored on behalf of its customers, including the token Klue held for LastPass's Salesforce account.
Customer data accessed inside LastPass's Salesforce environment includes names, phone numbers, email addresses, physical addresses, support case records, and sales data. An investigation into Gong-related data - which would have included recorded customer calls - found no evidence of access there.
Six Other Companies Were Caught in the Same Attack
LastPass was not Icarus's only target. Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity all appear on the list of companies that lost Salesforce data through the same Klue breach.
OAuth-based supply chain attacks are harder to anticipate than direct intrusions - a company with strong perimeter security can still lose data through an integration tool that stores its credentials on the company's behalf. For LastPass customers who remember the 2022 vault breach, the distinction matters here: Icarus never reached the password management layer. Klue and Salesforce held the data that was accessed.
Password vaults are safe and unchanged - do not change your master password unless you reuse it elsewhere. Watch for phishing. LastPass flagged three suspicious sender domains it does not own: baccarat.com.au, robinskitchen.com.au, and house.com.au. Any message from those addresses claiming to be LastPass is not legitimate. Never share your master password with anyone claiming to be LastPass support.
LastPass Cut Klue Access and Notified Law Enforcement
LastPass learned of the incident on June 12 after Klue disclosed the breach. Employees lost Klue access immediately. LastPass then rotated all exposed API and OAuth tokens and notified law enforcement, with the investigation still ongoing.
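The failure chain above (a legacy integration credential that should have been decommissioned, third-party-held OAuth tokens that were only rotated after the breach) is the kind of thing a periodic inventory check catches. The following is an added example, not code from the article or from LastPass, Klue or Salesforce; the credential fields, the policy thresholds and the sample records are assumptions constructed for illustration. It flags credentials that are overdue for rotation, idle enough to decommission, or scoped beyond what the integration needs, and maps each external holder to the systems its stored tokens can reach, which is the blast radius if that vendor is compromised.

```python
# Added example (not the article's or any vendor's code); fields, thresholds and sample data are assumed.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class IntegrationCredential:
    name: str               # label for the credential
    holder: str             # who stores it: "internal" or an external vendor name
    target: str             # system the credential grants access to
    issued: date            # when it was created or last rotated
    last_used: "date | None"  # None means never observed in use
    scopes: frozenset       # permissions attached to the token

MAX_AGE_DAYS = 90         # rotation policy (assumed)
IDLE_DAYS = 60            # unused this long -> candidate for decommissioning (assumed)
NEEDED = {"crm.read"}     # least-privilege baseline for a market-intel integration (assumed)

def audit(creds, today):
    """Return (name, action, reason) findings for stale, idle or over-scoped credentials."""
    findings = []
    for c in creds:
        age = (today - c.issued).days
        if age > MAX_AGE_DAYS:
            findings.append((c.name, "rotate", f"issued {age} days ago"))
        idle = c.last_used is None or (today - c.last_used).days > IDLE_DAYS
        if idle:
            findings.append((c.name, "decommission", "no use within idle window"))
        extra = c.scopes - NEEDED
        if extra:
            findings.append((c.name, "reduce_scope", ",".join(sorted(extra))))
    return findings

def exposure_by_holder(creds):
    """Map each external holder to the targets its stored tokens reach (one vendor breach = this exposure)."""
    out = {}
    for c in creds:
        if c.holder != "internal":
            out.setdefault(c.holder, set()).add(c.target)
    return {h: sorted(t) for h, t in out.items()}

# Constructed sample inventory: a forgotten internal service login and two vendor-held OAuth tokens.
TODAY = date(2026, 6, 15)
SAMPLE = [
    IntegrationCredential("legacy-sync-svc", "internal", "crm", date(2023, 1, 10), None, frozenset({"crm.read"})),
    IntegrationCredential("vendor-a-crm-token", "vendor-a", "crm", date(2026, 5, 1), date(2026, 6, 14), frozenset({"crm.read", "crm.write", "crm.export"})),
    IntegrationCredential("vendor-a-calls-token", "vendor-a", "call-recordings", date(2026, 6, 1), date(2026, 6, 14), frozenset({"crm.read"})),
]

if __name__ == "__main__":
    print(audit(SAMPLE, TODAY), exposure_by_holder(SAMPLE))
```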
Icarus typically follows stolen CRM data with personalized phishing campaigns - attackers now have names, phone numbers, and physical addresses for LastPass customers, which is enough to impersonate support agents convincingly. How many of Klue's other customers are still assessing their exposure has not been made public.