Password manager company LastPass has informed customers that some of their personal information and customer support records were exposed following a cyberattack on one of its third-party vendors.
The incident did not involve LastPass’ own systems. Instead, the breach occurred at Klue, a market intelligence and competitive research platform used by several companies. According to LastPass, attackers gained access to data stored in connected business systems and were able to obtain information related to some LastPass customers.
In a security notice, LastPass said the exposed information may include customer names, email addresses, phone numbers, physical addresses, customer support case data, and sales-related information. The company added that its core infrastructure was not affected and customers’ password vaults remain secure.
The breach is part of a larger security incident involving Klue. The company disclosed that attackers gained access to its systems using a compromised legacy credential tied to an integration service. The attackers then obtained OAuth tokens that allowed access to connected customer environments, including Salesforce instances used by multiple organizations.
Several companies have already confirmed that they were affected by the Klue breach, including cybersecurity firms such as HackerOne, Recorded Future, Tanium, Jamf, Snyk, OneTrust, and others.
The hacking group known as Icarus has claimed responsibility for the attack and reportedly threatened to publish stolen data if its ransom demands are not met.
While LastPass said password vaults were not impacted in this incident, the exposure of customer support records could still be a concern. Support tickets often contain account-related information, billing details, and other sensitive data that users may share while seeking assistance.
The latest incident comes as LastPass continues to deal with the aftermath of its widely publicized 2022 breach. In that attack, hackers stole encrypted backups of customer password vaults. Although the vaults were protected by customers’ master passwords, security researchers later warned that weak master passwords could be cracked through brute-force attacks, potentially exposing stored credentials and sensitive information. Some cryptocurrency thefts were later linked to the fallout from that breach.
Klue discovered the unauthorized access on June 12 and has since disabled affected integrations and revoked compromised tokens. The company has also engaged external cybersecurity experts to investigate the incident.
Neither Klue nor LastPass has disclosed how many customers were affected by the breach. LastPass serves more than 33 million users globally, including around 1.6 million paid customers.
The incident highlights the growing risks associated with third-party software integrations. Even when a company’s own systems remain secure, attackers can target vendors and connected platforms to gain access to customer data across multiple organizations.
Although LastPass has stated that password vaults were not affected in this incident, customers should remain cautious. The exposed data may include personal information and customer support records, which could be used in phishing attacks or social engineering attempts.
Users should be alert for suspicious emails, phone calls, or messages claiming to be from LastPass or other trusted services. It is also a good idea to review account security settings and ensure that two-factor authentication (2FA) is enabled wherever possible.
Customers who have not changed their LastPass master password since the company’s 2022 breach may also consider updating it, especially if the password is weak or reused across multiple services. Using a long and unique master password remains one of the most effective ways to protect password vaults.
The latest incident is unlikely to impact all LastPass users, but some customers may choose to explore alternative password managers. Popular alternatives include NordPass, Proton Pass, and 1Password.
However, switching password managers requires careful planning. Users should export their data securely, verify imported credentials, and update their master passwords during the migration process. While no password manager is completely immune to security incidents, choosing a provider with a strong security track record and maintaining good password hygiene can significantly reduce risks.







