LastPass confirms data breach in Klue supply chain attack
LastPass confirmed a data breach resulting from a supply chain attack on Klue, a third-party market intelligence platform. Attackers stole OAuth tokens from Klue, which were used to access customer data within LastPass's Salesforce environment. The breach exposed customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data. LastPass products, services, infrastructure, and customer vaults were not affected. The attack was linked to the Icarus extortion group, which compromised Klue's infrastructure using legacy credentials. LastPass has taken remediation steps including disabling employee access to Klue and rotating exposed tokens.
AI Analysis
Technical Summary
In June 2026, LastPass disclosed that attackers accessed customer data stored in its Salesforce environment by exploiting OAuth tokens stolen from Klue during a supply chain attack. Klue, an AI-powered market intelligence platform integrated with LastPass's Salesforce and Gong systems, was compromised via legacy credentials, allowing attackers to exfiltrate OAuth tokens. These tokens enabled unauthorized access to LastPass customer data such as names, contact information, and CRM-related details. LastPass confirmed no impact on its core products, services, infrastructure, or customer vaults. The threat actor, identified as the Icarus extortion group, used the stolen data for extortion campaigns and phishing attempts. LastPass responded by disabling Klue access, rotating tokens, notifying law enforcement, and warning customers about phishing risks.
Potential Impact
The breach exposed personally identifiable information (PII) and CRM data of LastPass customers accessible via Salesforce, including names, phone numbers, email addresses, physical addresses, and support case information. This data exposure increases the risk of phishing and social engineering attacks targeting affected customers. However, LastPass's core password management services and customer vaults remained secure and unaffected. No evidence was found that Gong-related data was accessed. The incident also highlights risks associated with third-party integrations and supply chain attacks.
Mitigation Recommendations
LastPass has disabled employee access to Klue and rotated all exposed API/OAuth tokens to prevent further unauthorized access. Customers are advised to remain vigilant against phishing and social engineering attempts, especially unsolicited communications requesting sensitive information. LastPass recommends not sharing master passwords and only trusting official support channels. Since this is a supply chain incident involving third-party OAuth tokens, remediation focuses on token rotation and access revocation. Monitor vendor advisories for updates. Patch status is not applicable as this is an incident involving compromised tokens rather than a software vulnerability.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/","fetched":true,"fetchedAt":"2026-06-23T14:09:18.260Z","wordCount":691}
Threat ID: 6a3a938eeed863c81e18d851
Added to database: 06/23/2026, 14:09:18 UTC
Last enriched: 06/23/2026, 14:09:55 UTC
Last updated: 06/23/2026, 14:55:46 UTC