LastPass has disclosed that customer information was accessed by cybercriminals after attackers stole OAuth authentication tokens during a recent supply chain breach involving the third-party platform Klue.
The password management company stated that its core infrastructure, products, and customer password vaults were not compromised during the incident. However, the attackers were able to access certain customer records stored within LastPass’ Salesforce environment.
According to LastPass, the company became aware of the breach on June 12 after Klue, an AI-powered market intelligence platform used by its sales and marketing teams, reported unauthorized access to the OAuth tokens Klue held for its customers. Those tokens are bearer credentials issued to the Klue integration, so whoever holds them can call the connected Salesforce APIs without any password or MFA prompt from the customer's side. This gave the threat actor entry into the Salesforce environments connected to Klue, including LastPass’s.
What Data Was Exposed?
LastPass says the attacker may have obtained various customer-related records, including:
- Customer names
- Email addresses
- Phone numbers
- Physical mailing addresses
- Support case details
- Sales and CRM information
The company noted that its investigation found no evidence that data from Gong, another connected platform used for customer communications, was accessed.
Increased Risk of Phishing Attacks
While LastPass states that password vaults and master passwords were not compromised, the exposed contact and support data could be used in targeted phishing campaigns and social engineering attacks. Attackers routinely use stolen names, email addresses, phone numbers and open support-case details to impersonate a trusted vendor convincingly and trick victims into revealing sensitive information.
LastPass is urging customers to remain cautious of unexpected emails, phone calls, or messages claiming to be from the company. Users should never share their master password or other sensitive credentials.
Icarus Extortion Group Claims Responsibility
The attack has been linked to the Icarus extortion group, which claims to have breached Klue’s infrastructure by exploiting compromised legacy credentials associated with an integration service.
After gaining access, the attackers reportedly stole OAuth tokens that connected Klue to customer Salesforce environments. The threat actors then extracted CRM data and launched an extortion campaign targeting affected organizations.
Several well-known companies were reportedly impacted by the breach, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.
LastPass Responds
In response to the incident, LastPass has:
- Disabled employee access to Klue
- Rotated exposed API and OAuth credentials
- Notified law enforcement authorities
- Continued its forensic investigation
The breach highlights the growing cybersecurity risks associated with third-party vendors and supply chain attacks. Even when an organization’s own systems remain secure, compromised integrations can create pathways for attackers to access valuable customer information.
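The practical defence against this class of incident is to treat every integration's OAuth token as a credential in its own right: baseline how each connected app normally uses the CRM, alert when that usage changes, and revoke the token the moment it does. The following Python script is an added example, not LastPass's, Klue's or Salesforce's own code. It runs detection logic over a constructed, hypothetical API access log (the pipe-separated format, app names, addresses and volumes are all invented for the demo and do not reflect any real Salesforce export or the actual incident timeline). It flags calls made with an integration's token from a source address never seen in the baseline window, or pulling an order of magnitude more records than the integration ever did before, and produces the list of apps whose tokens should be revoked and reissued.

```python
"""
Detect misuse of a third-party integration's OAuth token against a CRM.

Constructed example: the log format is invented for this demo. Each line is
one API call made with an integration's token:
    timestamp | connected_app | source_ip | crm_object | rows_returned
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample log. Two quiet days of baseline, then one night of bulk
# extraction by "klue" from an address the integration has never used.
SAMPLE_LOG = """\
2025-03-01T09:00:00Z|klue|203.0.113.10|Account|120
2025-03-01T09:05:00Z|klue|203.0.113.10|Opportunity|80
2025-03-01T10:00:00Z|gong|192.0.2.44|Account|60
2025-03-02T09:00:00Z|klue|203.0.113.10|Account|130
2025-03-02T09:05:00Z|klue|203.0.113.10|Opportunity|75
2025-03-02T10:00:00Z|gong|192.0.2.44|Account|55
2025-03-03T02:13:00Z|klue|198.51.100.7|Contact|50000
2025-03-03T02:14:00Z|klue|198.51.100.7|Case|42000
2025-03-03T02:15:00Z|klue|198.51.100.7|Lead|38000
2025-03-03T10:00:00Z|gong|192.0.2.44|Account|58
"""

# Everything before this instant is treated as known-good behaviour.
BASELINE_CUTOFF = datetime(2025, 3, 3, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    app: str   # connected app / integration that holds the OAuth token
    ip: str    # source address of the API call
    obj: str   # CRM object queried
    rows: int  # records returned by the call


@dataclass
class Baseline:
    ips: set[str] = field(default_factory=set)
    max_rows: int = 0


def parse_log(text: str) -> list[ApiEvent]:
    """Parse the constructed pipe-separated log into ApiEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, app, ip, obj, rows = line.split("|")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ApiEvent(when, app, ip, obj, int(rows)))
    return events


def build_baseline(events: list[ApiEvent], cutoff: datetime) -> dict[str, Baseline]:
    """Per app: the set of source IPs seen and the largest single pull, before cutoff."""
    base: dict[str, Baseline] = {}
    for e in events:
        if e.ts >= cutoff:
            continue
        b = base.setdefault(e.app, Baseline())
        b.ips.add(e.ip)
        b.max_rows = max(b.max_rows, e.rows)
    return base


def detect(events: list[ApiEvent], baseline: dict[str, Baseline],
           cutoff: datetime, volume_ratio: int = 10) -> list[tuple[ApiEvent, list[str]]]:
    """Return (event, reasons) for every post-cutoff call that deviates from baseline."""
    findings = []
    for e in events:
        if e.ts < cutoff:
            continue
        b = baseline.get(e.app)
        reasons = []
        if b is None:
            reasons.append("no baseline for this app")
        else:
            if e.ip not in b.ips:
                reasons.append(f"new source IP {e.ip}")
            if b.max_rows and e.rows > volume_ratio * b.max_rows:
                reasons.append(f"{e.rows} rows vs baseline max {b.max_rows}")
        if reasons:
            findings.append((e, reasons))
    return findings


def apps_to_revoke(findings: list[tuple[ApiEvent, list[str]]]) -> set[str]:
    """Connected apps whose tokens should be revoked and reissued."""
    return {e.app for e, _ in findings}


def analyze(log_text: str = SAMPLE_LOG, cutoff: datetime = BASELINE_CUTOFF):
    """Full pipeline on one log export; returns (baseline, findings, apps_to_revoke)."""
    events = parse_log(log_text)
    base = build_baseline(events, cutoff)
    found = detect(events, base, cutoff)
    return base, found, apps_to_revoke(found)


if __name__ == "__main__":
    _, found, revoke = analyze()
    for e, reasons in found:
        print(f"{e.ts.isoformat()} {e.app:5} {e.obj:12} " + "; ".join(reasons))
    print("revoke tokens for:", ", ".join(sorted(revoke)))
```

In the constructed log only the three overnight "klue" calls are flagged, each on both counts (unseen address and roughly 400 times the integration's normal pull), while "gong" stays quiet, which mirrors the article's finding that the Gong integration showed no sign of access. The revocation list is the actionable output: in a real environment the equivalent of "Rotated exposed API and OAuth credentials" is to revoke every token held by a flagged app and re-authorize it from scratch rather than wait for the vendor's all-clear.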