Customer CRM Data Accessed in Supply Chain Incident
LastPass experienced a security incident through Klue, a third-party market intelligence platform integrated with its Salesforce and Gong systems. On June 12, 2026, LastPass was notified that an unauthorized actor exploited stolen OAuth tokens held by Klue to access customer relationship management data within LastPass's Salesforce environment. The exposed information includes customer names, email addresses, phone numbers, physical addresses, support case data, and sales records. Multiple Klue customers were affected by this supply chain attack. LastPass confirmed no Gong data was accessed, and customer vaults, master passwords, and encrypted vault data remain unaffected. The company has terminated Klue access, rotated compromised API tokens, and is cooperating with law enforcement while warning customers about potential phishing attempts using the exposed contact information.
AI Analysis
Technical Summary
On June 12, 2026, LastPass was notified that an unauthorized actor used stolen OAuth tokens from Klue, a third-party vendor integrated with LastPass's Salesforce and Gong systems, to access customer CRM data in LastPass's Salesforce environment. The compromised data includes personally identifiable information and sales-related records. The incident is a supply chain attack affecting multiple Klue customers. LastPass confirmed that no Gong data or encrypted vault data was accessed. The company responded by terminating Klue's access and rotating API tokens to prevent further unauthorized access. They are also cooperating with law enforcement and alerting customers to potential phishing attempts leveraging the exposed contact information.
Potential Impact
The incident resulted in unauthorized access to sensitive customer relationship management data, including personal and sales information. This exposure increases the risk of targeted phishing attacks against affected customers. However, critical security assets such as customer vaults, master passwords, and encrypted vault data were not compromised. The breach affects multiple Klue customers, indicating a broader supply chain impact beyond LastPass alone.
Mitigation Recommendations
LastPass has terminated Klue's access and rotated the compromised API tokens to prevent further unauthorized access. Customers have been warned about potential phishing attempts using the exposed contact information. Organizations using Klue or similar third-party integrations should review their OAuth token management and consider revoking and rotating tokens where appropriate. Monitoring for phishing attempts targeting exposed contacts is advised. Patch status is not applicable as this is a supply chain incident involving third-party token compromise rather than a software vulnerability.
Indicators of Compromise
- ip: 138.226.246.94
- ip: 94.154.32.160
- domain: baccarat.com.au
Customer CRM Data Accessed in Supply Chain Incident
Description
LastPass experienced a security incident through Klue, a third-party market intelligence platform integrated with its Salesforce and Gong systems. On June 12, 2026, LastPass was notified that an unauthorized actor exploited stolen OAuth tokens held by Klue to access customer relationship management data within LastPass's Salesforce environment. The exposed information includes customer names, email addresses, phone numbers, physical addresses, support case data, and sales records. Multiple Klue customers were affected by this supply chain attack. LastPass confirmed no Gong data was accessed, and customer vaults, master passwords, and encrypted vault data remain unaffected. The company has terminated Klue access, rotated compromised API tokens, and is cooperating with law enforcement while warning customers about potential phishing attempts using the exposed contact information.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
On June 12, 2026, LastPass was notified that an unauthorized actor used stolen OAuth tokens from Klue, a third-party vendor integrated with LastPass's Salesforce and Gong systems, to access customer CRM data in LastPass's Salesforce environment. The compromised data includes personally identifiable information and sales-related records. The incident is a supply chain attack affecting multiple Klue customers. LastPass confirmed that no Gong data or encrypted vault data was accessed. The company responded by terminating Klue's access and rotating API tokens to prevent further unauthorized access. They are also cooperating with law enforcement and alerting customers to potential phishing attempts leveraging the exposed contact information.
Potential Impact
The incident resulted in unauthorized access to sensitive customer relationship management data, including personal and sales information. This exposure increases the risk of targeted phishing attacks against affected customers. However, critical security assets such as customer vaults, master passwords, and encrypted vault data were not compromised. The breach affects multiple Klue customers, indicating a broader supply chain impact beyond LastPass alone.
Mitigation Recommendations
LastPass has terminated Klue's access and rotated the compromised API tokens to prevent further unauthorized access. Customers have been warned about potential phishing attempts using the exposed contact information. Organizations using Klue or similar third-party integrations should review their OAuth token management and consider revoking and rotating tokens where appropriate. Monitoring for phishing attempts targeting exposed contacts is advised. Patch status is not applicable as this is a supply chain incident involving third-party token compromise rather than a software vulnerability.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://cyberpress.org/lastpass-confirms-customer-crm/"]
- Adversary
- null
- Pulse Id
- 6a3ab4c93adb7c2764a5fa23
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip138.226.246.94 | — | |
ip94.154.32.160 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainbaccarat.com.au | — |
Threat ID: 6a3add77eed863c81e82fa14
Added to database: 06/23/2026, 19:24:39 UTC
Last enriched: 06/23/2026, 19:39:19 UTC
Last updated: 06/24/2026, 19:24:41 UTC
Views: 20
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.