LastPass confirms a supply-chain breach through market-intelligence vendor Klue: stolen OAuth tokens granted access to LastPass's Salesforce environment, exposing customer names, contacts, and support records. Password vaults and core infrastructure were not compromised.

On June 12, 2026, Klue detected an intrusion in its systems. The impact spilled beyond the market-intelligence vendor to hit LastPass: OAuth tokens stolen from Klue unlocked access to the password manager's Salesforce environment, exposing names, addresses, phone numbers, emails, and support records of unsuspecting customers. Password vaults and LastPass's own infrastructure were not compromised.

Editor's note: The distinction between intact vaults and exposed relationship data is technically correct, but it narrows the risk perimeter without eliminating it. The stolen data still poses a potential risk for targeted spear-phishing campaigns.

Key Takeaways
  • Stolen data includes names, emails, phone numbers, physical addresses, support tickets, and sales information: the entire human context around the vault, not the vault itself
  • The attack vector runs through OAuth tokens Klue held as a SaaS vendor integrated with Salesforce and Gong
  • The Icarus group claimed responsibility and threatened to publish the data; no confirmation of an actual leak has emerged as of publication
  • LastPass disabled employee access to Klue, rotated the exposed tokens, and notified law enforcement; the investigation found no evidence of access to Gong data

The Mechanism: OAuth as a Third-Party-Controlled Trust Bridge

The technical core lies in the delegation chain. Klue, a market-intelligence platform used by LastPass go-to-market teams, held OAuth tokens for integration with Salesforce and Gong. As LastPass stated in its blog, "an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass. The threat actor then used these credentials to access LastPass customer data within our Salesforce environment."

OAuth tokens are designed to be revocable, but their security depends on the ability of the holder — in this case Klue, not LastPass — to protect them and manage their lifecycle. The attack exploited compromised legacy credentials for an integration service, pivoting from initial access to valid tokens. The configuration allowed the threat actor to move laterally from the Klue system to the LastPass Salesforce instance without ever touching the password manager's servers.
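Because a stolen OAuth token is a valid credential, the CRM's authentication never fails when it is replayed; detection has to rest on where the token is used from and how much it reads. The following added example (not LastPass's, Klue's or Salesforce's code) sketches that check over constructed integration-access events, assuming hypothetical event field names and a hypothetical vendor egress allowlist:

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical allowlist of the vendor's published egress ranges. The addresses
# are TEST-NET values constructed for this example, not real vendor infrastructure.
VENDOR_EGRESS = {"vendor-crm-sync": [ip_network("203.0.113.0/24")]}
# Constructed baseline: records the connected app normally reads per hour.
BASELINE_READS_PER_HOUR = {"vendor-crm-sync": 500}
VOLUME_FACTOR = 5  # flag an hour whose reads exceed 5x the baseline

def find_anomalies(events, egress=VENDOR_EGRESS, baseline=BASELINE_READS_PER_HOUR):
    """Return (event, reason) pairs for suspicious use of an integration token.

    The token itself is valid, so authentication succeeds on every event; the
    only usable signals are the source of the request and the read volume.
    """
    findings = []
    hourly = defaultdict(int)   # (app, hour) -> records read so far
    volume_flagged = set()      # (app, hour) buckets already reported
    for ev in events:
        app, hour = ev["app"], ev["ts"][:13]  # hour bucket: YYYY-MM-DDTHH
        if app not in egress:
            findings.append((ev, "unknown connected app"))
            continue
        if not any(ip_address(ev["ip"]) in net for net in egress[app]):
            findings.append((ev, "source IP outside vendor egress allowlist"))
        hourly[(app, hour)] += ev["records"]
        limit = baseline[app] * VOLUME_FACTOR
        if hourly[(app, hour)] > limit and (app, hour) not in volume_flagged:
            volume_flagged.add((app, hour))
            findings.append((ev, f"hourly read volume {hourly[(app, hour)]} exceeds {limit}"))
    return findings

# Constructed integration-access events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-06-12T09:00:05Z", "app": "vendor-crm-sync", "ip": "203.0.113.10", "records": 120},
    {"ts": "2026-06-12T09:20:41Z", "app": "vendor-crm-sync", "ip": "203.0.113.11", "records": 200},
    # the same valid token replayed from outside the vendor's ranges, reading in bulk
    {"ts": "2026-06-12T23:41:02Z", "app": "vendor-crm-sync", "ip": "198.51.100.7", "records": 900},
    {"ts": "2026-06-12T23:42:30Z", "app": "vendor-crm-sync", "ip": "198.51.100.7", "records": 2400},
]

if __name__ == "__main__":
    for ev, reason in find_anomalies(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['app']} {ev['ip']}: {reason}")
```

The vendor-side events pass cleanly; the two replayed requests are flagged on source address, and the second also trips the volume threshold, which is the kind of signal token rotation alone would not have produced.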

LastPass has roughly 33 million users and nearly 1.6 million paying customers as of 2024. The scale of potential harm lies not in the number of records, which remains unknown, but in the quality of the profile that can be built: real names, physical addresses, support history, and commercial context. These elements constitute a potential risk for precision spear-phishing campaigns.

Icarus Extortion and Phishing Domains Already in the Wild

The Icarus group claimed the attack and threatened to publish the data unless a ransom was paid. The source does not specify whether LastPass is in direct contact with the extortionists or if demands arrived through intermediary channels. No confirmation has emerged that the data has already been leaked as of publication.

LastPass has nonetheless actively warned customers of an ongoing phishing campaign, identifying three sender domains already observed: baccarat.com[.]au, robinskitchen.com[.]au, and house[.]com.au. The warning is not generic: recognizing the domains used by the threat actors is operational intelligence customers can use to filter suspicious email. The mechanism by which Icarus controls these .au domains is not known from the available dossier.

Risk Concentration and Multiple Targets

The Klue breach also hit other companies: HackerOne, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. The concentration of OAuth tokens in the hands of a single SaaS vendor created a risk that materialized in parallel across multiple targets. The pattern mirrors the industry's widespread reliance on third-party integrations to manage customer-relationship data.

Klue is not a marginal provider: it is an intelligence platform used by sales teams to track competitors and orchestrate go-to-market strategies. Its integration with Salesforce and Gong places it in a privileged position to access sensitive relationship data, not product data.

What to Do Now

  • Scrutinize suspicious emails originating from the domains baccarat.com[.]au, robinskitchen.com[.]au, and house[.]com.au: LastPass identified these as senders used in the phishing campaign linked to this incident
  • Treat with suspicion any communication citing LastPass support-ticket histories or commercial-contract details: the stolen data includes precisely this context, making phishing more persuasive than generic lures
  • Refer to primary sources for any ransom or payment demands invoking the LastPass name: the Icarus group has threatened to publish the data, but the dossier does not document official contact channels used by the extortionists
  • Monitor official LastPass communications on the investigation's progress, particularly regarding any confirmation of an actual data leak: for now the threat remains declarative, not verified as executed

"The hackers took customers' names, phone numbers, email addresses, and physical addresses, as well as customer support case data and sales-related data" — LastPass blog post, via TechCrunch

Why the Supply Chain Breaks the Promise Even When the Vault Holds

The technical lesson lies in the geometry of trust. LastPass architected zero-knowledge vaults: not even the company can read stored passwords. But relationship data lives in CRMs managed via OAuth delegation to third-party platforms. The vault is a fortress; the data surrounding it — support, sales, communication — depends on external trust chains.

The market lesson is colder. LastPass users have already suffered an erosion of trust after the 2022 breach, when the vaults themselves were exfiltrated. This incident, while technically distinct, feeds a narrative of structural fragility that the vendor must counter with transparency on supply-chain controls, not just vault encryption. The fact that tokens were rotated and Klue access cut off is reassuring on the reactive side, less so on the preventive side.

Information is based on corporate communications filtered through tech journalism; no structured vendor advisory with an independent evidence map is available. Primary editorial sources (TechCrunch, BleepingComputer) report LastPass and Klue statements without access to internal forensic documentation.

Information has been verified against cited sources and is current as of publication.

Sources and references
  1. techcrunch.com
  2. bleepingcomputer.com
  3. tech.yahoo.com
  4. thenextweb.com
  5. krebsonsecurity.com
  6. this.weekinsecurity.com