The LastPass Klue data breach has exposed customer names, phone numbers, email addresses, physical addresses, and customer support case records, the password manager maker has confirmed, though LastPass says its own infrastructure and password vaults were not touched.
The breach did not originate at LastPass. It originated at Klue, a market research and competitive intelligence firm headquartered in Vancouver, British Columbia. Klue CEO Jason Smith disclosed that attackers were identified inside Klue’s systems on 12 June.
So: a vendor your password manager used for sales intelligence suffered a breach, and now your contact details and support ticket history are in the hands of a ransomware group. That is the supply chain problem in miniature.
What the LastPass Klue Data Breach Actually Exposed
The attack vector was a compromised legacy credential tied to an integration service. According to CSO Online, the attacker used that credential to obtain OAuth tokens connecting Klue to third-party platforms, including Salesforce and Gong. From there, Python scripts were used to query Salesforce APIs and exfiltrate large volumes of CRM data, including business contacts, sales communications, and pricing information.
Salesforce subsequently disabled the Klue Battlecards integration and stated that ‘this issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.’ Organisations cannot reconnect through the integration until further notice.
According to a CyberInsider report citing a LastPass security advisory, the attackers accessed customer information stored in Salesforce using OAuth credentials associated with the Klue integration. In response, LastPass revoked and rotated all affected OAuth tokens, disabled employee access to Klue, and launched a coordinated investigation with both Klue and Salesforce.
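The pattern described above, an integration's OAuth token suddenly pulling bulk CRM data, is detectable on the customer side. The following is an added illustration, not code from the article or from LastPass, Klue, or Salesforce: it runs a simple volume check over constructed Salesforce-style API event records (field names, app names, and values are assumptions) and flags the connected app whose token returned far more rows per call than its historical baseline.

```python
from collections import defaultdict

# Constructed Salesforce-style API event records: one entry per API call made
# with a connected app's OAuth token. Field names and values are assumptions
# for this example, not real Salesforce event output and not data from the
# Klue or LastPass investigation.
CONSTRUCTED_EVENTS = [
    {"app": "klue-integration", "user": "integration@example.test", "rows": 120},
    {"app": "klue-integration", "user": "integration@example.test", "rows": 150},
    {"app": "klue-integration", "user": "integration@example.test", "rows": 48000},
    {"app": "klue-integration", "user": "integration@example.test", "rows": 51000},
    {"app": "klue-integration", "user": "integration@example.test", "rows": 47000},
    {"app": "reporting-app", "user": "analyst@example.test", "rows": 900},
    {"app": "reporting-app", "user": "analyst@example.test", "rows": 1100},
]

# Typical rows returned per call for each connected app, as a defender would
# derive it from a quiet historical window (constructed values).
BASELINE_ROWS_PER_CALL = {"klue-integration": 140, "reporting-app": 1000}


def flag_bulk_extraction(events, baseline, factor=20, min_rows=10_000):
    """Return {app: summary} for connected apps whose token made calls that
    returned far more CRM rows than that app's baseline.

    A call is suspicious only when it exceeds both an absolute floor
    (min_rows) and `factor` times the app's usual per-call volume, so a
    legitimately chatty reporting app is not flagged just for being busy.
    Apps with no baseline fall back to the absolute floor.
    """
    per_app = defaultdict(lambda: {"suspicious": 0, "rows": 0, "users": set()})
    for ev in events:
        s = per_app[ev["app"]]
        s["rows"] += ev["rows"]
        s["users"].add(ev["user"])
        threshold = max(min_rows, factor * baseline.get(ev["app"], 0))
        if ev["rows"] >= threshold:
            s["suspicious"] += 1
    findings = {}
    for app, s in per_app.items():
        if s["suspicious"]:
            findings[app] = {
                "suspicious_calls": s["suspicious"],
                "total_rows": s["rows"],
                "users": sorted(s["users"]),
                # Containment mirrors the response LastPass described: revoke
                # and rotate the integration's OAuth tokens, then disable it.
                "action": f"revoke OAuth tokens for '{app}' and disable the connected app",
            }
    return findings
```

On the constructed records only the Klue-style integration is flagged; a per-call threshold like this is a first-pass heuristic, and a production check would also look at off-hours timing and which objects were queried.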
LastPass has more than 33 million users and around 1.6 million paying customers as of 2024. The company has not stated how many customers are affected by this particular incident.
Icarus, OAuth, and a Growing Victim List
A hacking and extortion group called Icarus has claimed responsibility for the Klue breach and threatened to release stolen data if a ransom is not paid. Huntress independently linked the Icarus group to the attack through Session Messenger IDs used in extortion emails and the group’s data leak site, according to TechEchelon.
LastPass is far from alone. At least nine Klue customers have publicly disclosed impact, according to BleepingComputer, including HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Sprout Social, and Insurity.
Five affected customers, specifically Huntress, ReliaQuest, Recorded Future, Jamf, and Tanium, confirmed to Infosecurity Magazine that the breach enabled unauthorised access to their Salesforce accounts via stolen OAuth tokens used for Klue integrations. Revenue intelligence platform Gong also disabled its Klue integration after discovering hackers had exploited it to access internal licensed user data, SecurityWeek reports. Klue engaged CrowdStrike for incident response and revoked the affected credentials.
The incident occurred across 11–12 June and primarily affected Klue’s integration with Salesforce, resulting in data being exfiltrated from the Salesforce instances of multiple customers.
What makes the Klue breach particularly awkward for everyone on that victim list is the sector overlap. These are cybersecurity companies, firms whose entire commercial proposition rests on helping others defend their data. Seeing HackerOne, Recorded Future, and Tanium on the same breach disclosure list as a password manager is the kind of thing that tends to keep CISOs quiet at conferences.
None of which is to say their security teams failed. OAuth supply chain compromises are genuinely hard to defend against: a legacy credential at a vendor you do not directly control becomes the door. The lesson is less about individual firms and more about how broadly a single integration pivot can reach.
There is also the matter of LastPass’s recent history. In 2022 the company suffered a breach in which hackers stole its entire store of customer password vaults. Those vaults were encrypted, but attackers were subsequently able to brute-force accounts protected by weak master passwords and access credentials, tokens, and credit card data stored inside. Several cryptocurrency thefts were later linked to that breach.
This time, LastPass says the vaults are untouched. But customer support records are not trivial: they frequently contain billing details, account recovery requests, and in some cases fragments of identity information. The full contents of the exfiltrated tickets remain unknown.
The ransom clock Icarus set is running. Whether Klue engages, and what gets published if it does not, is the next thing to watch.
