Password manager LastPass says a supply chain attack involving third-party vendor Klue exposed customer contact and support information, though customer vaults and stored credentials were not affected.
An unauthorized actor accessed LastPass's Salesforce environment using OAuth tokens stolen from third-party vendor Klue. The breach exposed sensitive customer details including names, phone numbers, and support records.
The incident was limited to systems integrated with Klue and didn't affect LastPass products, infrastructure, or services.
Klue disclosed on June 22 that someone gained access through a compromised legacy credential tied to an integration service. The intrusion led to the theft of OAuth tokens used to connect Klue with third-party platforms, including Salesforce.
The investigation found the stolen tokens were used to access data within connected customer environments. Exposed information included customer names, phone numbers, email addresses, physical addresses, support case information, and sales-related CRM data.
The security incident exposed customer data stored in systems used for LastPass support and sales operations. The incident differs from LastPass's 2022 breach because the Klue compromise didn't expose password vaults or encrypted customer credentials.
LastPass has faced repeated data security incidents
The Klue breach isn't the first time LastPass customer information has been exposed. LastPass disclosed a breach in June 2015 after detecting suspicious activity on its network.
The company said encrypted user vault data wasn't taken. Account email addresses, password reminders, per-user salts, and authentication hashes were compromised.
LastPass faced a much more serious breach in 2022. Attackers first gained access to a development environment before expanding their access to cloud storage resources.
LastPass in the App Store The intrusion resulted in the theft of customer account information and encrypted vault backups. Stolen data included names, billing addresses, email addresses, phone numbers, IP addresses, website URLs, and encrypted vault contents.
The Klue incident is the latest in a series of security incidents involving LastPass customer information.
Exposed customer data could fuel phishing attacks
The Klue breach doesn't appear to have increased the immediate risk to stored passwords based on information released so far. The exposed customer information could still help criminals carry out phishing and social engineering attacks.
Exposed customer contact information and support records could make phishing attacks more convincing. Criminals can use details such as email addresses, phone numbers, and prior support interactions to appear legitimate.
Access to that information may increase the chances of persuading someone to disclose credentials or other sensitive data. LastPass urged customers to remain cautious of unsolicited communications and reminded users that employees will never ask for a master password.
Both companies say they have taken steps to contain the incident. LastPass rotated affected access tokens, disabled employee access to Klue, launched an investigation, and notified law enforcement.
Klue revoked affected credentials and tokens, removed unauthorized code, and disabled impacted integrations. Neither LastPass nor Klue has publicly identified the threat actor responsible for the attack.
How to stay safe
Customer contact information and support records may have been exposed, making phishing and social engineering a more likely risk than password theft.
Customers should be cautious of unexpected emails, text messages, or phone calls claiming to be from LastPass or another trusted company. Avoid clicking links in unsolicited messages and verify account-related requests by visiting official websites directly.
LastPass also reminded customers that employees will never ask for a master password. Anyone who receives a request for a master password should treat it as suspicious and report it through official support channels.
Using multi-factor authentication, unique passwords, and passkeys where available can also help reduce the impact of phishing attempts and account compromise.
