LastPass customer data exposed through Klue supply chain attack
LastPass disclosed that attackers used OAuth tokens compromised in a supply chain attack on Klue, a market intelligence platform that integrates with CRM and sales tools across organizations, to access customer data stored in its Salesforce environment.

“On June 12th LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams which integrates with our Salesforce and Gong systems,” LastPass said.
“We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
The company said the incident was limited to systems integrated with Klue’s platform and did not affect its products, services, infrastructure, or customer vaults.
According to LastPass, the exposed data included standard business contact information and CRM records, including customer names, phone numbers, email addresses, physical addresses, support case information, and sales-related records.
LastPass warned that the exposed contact details could be used in phishing or social engineering attacks and urged customers to be wary of unsolicited emails, phone calls, or requests for sensitive information, adding that it will never ask users for their master passwords.
After discovering the breach, LastPass revoked employee access to Klue, rotated the exposed API tokens, and launched an investigation with Klue and Salesforce. The company also notified law enforcement and released indicators of compromise, including IP addresses and email sender domains.
LastPass previously suffered a major breach in 2022, when attackers stole customer password vault backups. Three years later, researchers at TRM Labs linked cryptocurrency thefts to credentials recovered from some of the stolen vaults, with on-chain evidence pointing to possible Russian-speaking threat actor involvement.
Klue breach triggers security vendor disclosures
Last week, cybersecurity vendor Huntress acknowledged that it was among multiple companies affected by a breach originating at Klue.
Huntress published a detailed account of the incident on June 18, describing it as a “security domino effect” that began with a compromised integration credential and led to the theft of customer data from several connected platforms, including Salesforce.
Several other security vendors, including Recorded Future, Tanium, and Jamf, have also disclosed their involvement and published statements detailing how they were affected.
An extortion group known as “Icarus,” active since late April 2026, claimed responsibility for the attack on its data leak site.
“Based on our investigation to date, the incident was limited to the affected third-party platforms, and there is no evidence that customer content stored within the Klue platform was impacted,” Klue CEO Jason Smith noted.
“We recognize that customers rely on Klue to securely connect to their systems, and we understand the seriousness of that responsibility.”
“Since identifying the incident, we have been communicating directly with affected customers, sharing investigative findings and supporting their response efforts. Specific remediation guidance has been shared directly with affected customers,” Smith concluded.
According to Klue, the incident was traced to a credential created for a limited pilot project in 2022 that was later used by attackers to access customer data.
“The threat actor will likely continue to post the data of the companies that it compromised from the Klue breach. Icarus will also likely continue to put pressure on impacted organizations to pay a ransom in exchange for not releasing their data,” Huntress stated.
Klue did not say whether it had been in contact with the hackers or planned to negotiate with them.