LastPass Confirms Customer Data Breach After Klue OAuth Token Theft
Summary
LastPass has confirmed a customer data breach resulting from the Klue supply chain incident. An unauthorised actor used OAuth tokens stolen from Klue, a market intelligence platform, to access customer relationship management data stored in LastPass's Salesforce environment. The exposed data includes customer names, contact information, support case data and sales records; LastPass products, infrastructure and customer vaults were not affected.
Full text
by Waqas, June 23, 2026

LastPass has confirmed it was affected by the Klue supply chain incident, saying an unauthorised actor used OAuth tokens stolen from the third-party market intelligence platform to access customer data stored in its Salesforce environment.

The company said it learned of the Klue incident on June 12, 2026, after Klue, a market intelligence platform used by LastPass go-to-market teams, notified customers about unauthorised activity. Klue integrates with business tools including Salesforce and Gong, which is what made the stolen tokens valuable: they could be used to reach connected customer systems without normal login credentials.

According to LastPass, the exposed data was limited to customer relationship management information inside Salesforce: customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related records. The company said LastPass products, services, infrastructure, and customer vaults were not affected.

The incident follows earlier reporting that Salesforce disabled Klue Battlecards' integration infrastructure on June 17, 2026, after detecting unusual activity involving the app's connection to Salesforce. Salesforce said the issue was limited to Klue's app connection and did not stem from a vulnerability in the Salesforce platform itself.

The Klue incident has already been linked to data theft from several companies using the platform. The group behind these attacks is a new extortion group named Icarus, which gained access to Klue's backend systems, pushed a malicious code update, and harvested the OAuth tokens used by customer integrations. Those tokens were then used to query Salesforce environments and copy CRM data.
[Image: Icarus on its dark web leak site (Image credit: Hackread.com)]

OAuth tokens let connected applications share information without asking users to log in repeatedly. That convenience also creates risk when a third-party service holding those tokens is compromised: a stolen token is a bearer credential, so whoever holds it can call the connected systems it was authorised for until the token is revoked or rotated.

LastPass said it has completed remediation and rotated the exposed Klue OAuth tokens. The company also discontinued employee access to Klue, launched an investigation with Klue and Salesforce, and notified law enforcement. Its ongoing response includes sharing technical details with the security community and adding safeguards to reduce the chance of similar incidents.

For customers, LastPass advised caution around phishing and social engineering attempts, since exposed contact details and CRM records can be used to make scams look more credible. The company also reminded users that LastPass staff will never ask for a master password and that official support communication should come through trusted LastPass channels.

The company published indicators of compromise connected to the incident, including IP addresses and email sender domains, so that organisations can review their logs and spot activity linked to the Klue campaign.

Klue supply chain attack explained

The Klue case adds to a run of incidents where attackers abused third-party application access to reach Salesforce data. In earlier cases, compromised app tokens and integrations were used to pull large volumes of CRM information from customer environments. These incidents show how SaaS connections can become an entry point even when the main platform is not directly breached.
If your company uses integrated sales and marketing tools, the LastPass disclosure is a prompt to review which apps have access to CRM data, revoke unused connections, rotate tokens after vendor incidents, and monitor API activity for unusual data exports.
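The review described above, as an added example that is not code from Hackread, LastPass, Klue or Salesforce: it checks API activity against a published IoC IP list, flags post-incident calls that return far more rows than the app's earlier baseline, and lists connected apps that have sat idle long enough to be revoked. The log line format, the integration inventory, the IoC IPs and the June 12 cut-off (chosen because that is when LastPass said it learned of the incident) are all constructed for illustration; Salesforce's real event-log schema and the IoCs LastPass published are not reproduced here.

```python
"""Post-vendor-incident review of CRM integrations.

Added example, not code from Hackread, LastPass, Klue or Salesforce.
The log line format, the integration inventory, the IoC list and the
cut-off date below are all constructed for illustration; Salesforce's real
event-log schema and the IoCs LastPass published are not reproduced here.
"""
from collections import defaultdict
from datetime import date, datetime, timezone
from statistics import median

# Constructed API-activity log: one call per line as
# "<UTC timestamp> <connected app> <client IP> <rows returned>".
SAMPLE_LOG = """\
2026-06-10T09:12:03Z klue_battlecards 203.0.113.7 120
2026-06-10T15:40:11Z klue_battlecards 203.0.113.7 95
2026-06-11T08:02:44Z gong_sync 198.51.100.22 310
2026-06-12T02:15:09Z klue_battlecards 192.0.2.45 48000
2026-06-12T02:19:51Z klue_battlecards 192.0.2.45 51000
2026-06-12T11:00:00Z marketing_automation 198.51.100.9 210
"""

# Constructed stand-in for the IP indicators a vendor advisory would publish.
IOC_IPS = {"192.0.2.45"}

# Constructed integration inventory: connected app -> date of its last API call.
INTEGRATIONS = {
    "klue_battlecards": date(2026, 6, 12),
    "gong_sync": date(2026, 6, 11),
    "legacy_lead_scoring": date(2025, 11, 3),
    "marketing_automation": date(2026, 6, 12),
}

# Assumed start of the suspicious window; activity before it forms the baseline.
CUTOFF = datetime(2026, 6, 12, tzinfo=timezone.utc)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, ip, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "app": app,
            "ip": ip,
            "rows": int(rows),
        })
    return events


def ioc_hits(events, ioc_ips):
    """Calls whose client IP matches a published indicator."""
    return [e for e in events if e["ip"] in ioc_ips]


def bulk_export_alerts(events, cutoff, factor=10):
    """Flag post-cutoff calls returning more than factor x the app's
    pre-cutoff median row count. Apps with no pre-cutoff history are
    listed separately: they have no baseline to judge them against."""
    baseline_rows = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            baseline_rows[e["app"]].append(e["rows"])
    baseline = {app: median(rows) for app, rows in baseline_rows.items()}

    bulk, no_baseline = [], set()
    for e in events:
        if e["ts"] < cutoff:
            continue
        if e["app"] not in baseline:
            no_baseline.add(e["app"])
        elif e["rows"] > factor * baseline[e["app"]]:
            bulk.append((e["app"], e["ip"], e["rows"]))
    return {"bulk": bulk, "no_baseline": sorted(no_baseline)}


def stale_integrations(inventory, today, max_idle_days=90):
    """Connected apps idle for longer than max_idle_days: candidates to
    revoke rather than leave holding a live token."""
    return sorted(app for app, last in inventory.items()
                  if (today - last).days > max_idle_days)


def review(log_text=SAMPLE_LOG, ioc_ips=IOC_IPS, inventory=INTEGRATIONS,
           cutoff=CUTOFF, today=date(2026, 6, 23)):
    """Run all three checks and return their findings together."""
    events = parse_log(log_text)
    return {
        "ioc_hits": ioc_hits(events, ioc_ips),
        "exports": bulk_export_alerts(events, cutoff),
        "stale": stale_integrations(inventory, today),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(f"{name}: {finding}")
```

Two design choices matter here. The export check compares each app against its own pre-cutoff baseline rather than a single global threshold, because a sync integration that legitimately pulls hundreds of rows a day would otherwise drown out a reconnaissance tool that normally pulls a handful; apps that only appear after the cutoff are reported without a verdict rather than silently dropped. Rotating the tokens of the affected vendor's apps is not conditional on any of these findings: the article's point is that tokens are rotated after a vendor incident regardless of what the logs show.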