> Back to All Posts

LastPass Confirms Data Breach in Supply Chain Attack

LastPass Data Breach

Password manager giant LastPass has confirmed a data breach affecting customer information stored in its Salesforce environment. The incident traces back to a supply chain attack on Klue, a third-party market intelligence platform, which gave hackers access to authentication tokens that connected into LastPass’s CRM systems. Importantly, the breach did not touch user vaults or LastPass’s core infrastructure.

How the LastPass Data Breach Happened

To understand this breach, you first need to understand how it started — and it did not start at LastPass.

Klue is a sales enablement tool that many enterprise companies use to track competitors and share market intelligence internally. It integrates with platforms like Salesforce and Gong by using OAuth tokens. OAuth is an authentication method that allows one service to access another on a user’s behalf, without sharing passwords directly. Think of it as a digital key that unlocks a specific door.

On June 12, 2026, Klue identified unauthorized activity within its integration infrastructure. Attackers had gained access using compromised legacy credentials tied to an integration service. Once inside, they harvested OAuth tokens belonging to Klue’s customers, including LastPass. Those tokens then acted as skeleton keys, letting the attackers walk straight into connected Salesforce environments.

LastPass confirmed it learned of the incident on the same day Klue detected it. An investigation determined that the threat actor used the stolen tokens to access customer data held within LastPass’s Salesforce environment.

What Data Was Exposed

The breach did not expose vault data, passwords, or encryption keys. LastPass was clear on that point. However, the following customer information was compromised:

Names

  • Phone numbers
  • Email addresses
  • Physical addresses
  • Support case information
  • Sales and CRM-related records

This is contact and relationship data — the kind of information that lives in a sales or support system. It is not the data you store in a password manager, but it is still valuable to attackers. With names, phone numbers, and email addresses in hand, criminals can run targeted phishing campaigns and social engineering attacks with a high degree of credibility.

LastPass also flagged specific sender domains that affected users should treat as suspicious: baccarat.com.au, robinskitchen.com.au, and house.com.au. Any communication arriving from these addresses should be ignored or reported.

Icarus: The Group Behind the Attack

A threat actor group calling itself Icarus has claimed responsibility for the broader Klue supply chain attack. The group operates an extortion model — it steals data, then pressures victims to make contact through the Session messaging platform to prevent public leaks.

Icarus did not target LastPass specifically. Instead, it compromised Klue’s infrastructure and used that single point of access to reach dozens of connected organizations simultaneously. This approach is the defining characteristic of a supply chain attack: rather than attacking each target individually, the adversary finds a shared dependency and exploits that instead.

LastPass was one of several named victims. Others include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Nearly all reported that data was taken from their Salesforce instances, with no impact to their core platforms, payment systems, or internal infrastructure.

What LastPass Did in Response

LastPass moved quickly after discovering the breach. The company disabled employee access to Klue, rotated the exposed API and OAuth tokens, and notified law enforcement. An investigation is ongoing, and the company confirmed it is cooperating with authorities.

Users’ vault data and master passwords were not involved at any point. LastPass has also advised customers not to share their master password with anyone, regardless of who is asking.

What This Means for LastPass Users

The practical risk here is phishing. Attackers now hold contact information for a subset of LastPass customers. They may use it to craft convincing emails or calls that appear to come from LastPass support, security teams, or even law enforcement.

Be skeptical of any unsolicited communication that asks you to verify account details, click a link, or provide your master password. LastPass will not ask for your master password through any channel. If you receive something that feels off, go directly to the official LastPass website to verify.

Final Thoughts

The LastPass data breach is a clear example of how third-party risk can become a company’s risk. LastPass did not get hacked directly. Its systems held up. But a vendor it trusted was compromised, and that was enough. Customer contact data is now in the hands of an active extortion group.

For users, the vault remains safe. But the threat of follow-on phishing is real, and staying alert to suspicious communications is the most practical step right now. Supply chain attacks are growing more common precisely because they are effective — and this incident is a reminder that the weakest link in a security chain does not have to be the most obvious one.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.