LastPass Confirms Customer Data Stolen in Klue Supply Chain Attack — 33 Million Users Affected

TechCrunch / BleepingComputer
LastPass notified customers on June 23 that personal data and customer support records were stolen following a supply chain attack on Klue, a market intelligence platform LastPass uses in its go-to-market operations. Attackers from a group calling itself Icarus obtained OAuth tokens Klue held on behalf of its customers, used them to access LastPass's Salesforce environment, and extracted customer data before the breach was detected. LastPass has more than 33 million users, though the exact number of affected customers has not been disclosed.

Critically, the breach did not touch LastPass's core infrastructure or the encrypted password vaults that store users' passwords. "The company's own infrastructure was unaffected, including customers' password vaults," the company stated. The stolen data is limited to customer relationship and support data — the kind held in sales and support tooling, not in the password management product itself.

How the Attack Unfolded

The breach traces back to June 12, when Klue CEO Jason Smith publicly confirmed that attackers had gained access to OAuth tokens Klue held for many of its customers. Icarus entered Klue's systems through compromised legacy credentials for an integration service, a class of weakness that is often overlooked when organizations rotate credentials for active user accounts but leave the credentials of integration service accounts unchanged. Once inside Klue's infrastructure, the attackers found the OAuth tokens that connected Klue to its customers' external SaaS environments, including Salesforce and Gong instances.

LastPass was one of multiple companies whose Salesforce environments were accessible via Klue's compromised OAuth tokens. Other confirmed victims include HackerOne, Recorded Future, Tanium, Jamf, Sprout Social, and Gong. The pattern is the same across each: a vendor with broad OAuth access becomes the attack surface for breaching multiple organizations simultaneously — a single compromise that yields access to many targets.

What Was Stolen From LastPass

The data confirmed stolen includes customer names, phone numbers, email addresses, physical addresses, and the contents of customer support case records. That last category is meaningful: support case contents can include details about a user's account configuration, past security concerns, and troubleshooting steps — information that could be useful for targeted social engineering attacks against affected users.

LastPass has not disclosed how many individual users were affected. The company's 33 million total users include a mix of free and paid accounts; the exposed Salesforce data likely covers paying customers and users who have contacted support, rather than the full user base.

Icarus: The Threat Actor

Icarus is an extortion group — it does not encrypt victim systems in the manner of traditional ransomware operators. Instead, it steals data and threatens to publish it unless a ransom is paid. The group has publicly threatened to release the LastPass customer data if their demand is not met. Icarus is a relatively recent group with limited prior public profile, though the sophistication of the Klue supply chain attack — identifying and exploiting OAuth tokens across multiple customer environments from a single vendor compromise — suggests an experienced operation.

What LastPass Users Should Do

Because password vaults were not compromised, users do not need to change their master passwords as a direct result of this breach. However, the stolen contact information and support case records create a meaningful phishing risk: users should be alert to targeted emails or calls claiming to be from LastPass that reference specific account details. LastPass will not ask users for their master password by email or phone; any such request should be treated as a phishing attempt regardless of how convincing it appears.

The broader implication is about third-party vendor risk. LastPass did not suffer a direct breach — its own systems were not compromised. It suffered a breach of a vendor that had OAuth access to its customer data, an attack vector that is increasingly common and difficult to defend against because organizations routinely grant broad OAuth permissions to SaaS tools without ongoing monitoring of what those tokens can access.
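The defensive counterpart to the vendor-risk point above is an inventory of which third parties hold OAuth grants into which internal systems, how broad those grants are, and how long the vendor-side credential behind them has gone without rotation. The following is an added example, not code from the original article, from LastPass, or from Klue; the grant inventory, vendor names, scope names and the "broad scope" list are constructed placeholders, and the thresholds (90 days unused, 365 days unrotated) are assumptions a team would tune to its own policy.

```python
"""Audit of third-party OAuth grants: which vendors hold tokens into which
internal SaaS systems, how broad those tokens are, and whether the vendor-side
credential behind them has been rotated. The inventory is constructed for this
example; scope names and thresholds are assumptions, not any product's API."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Scopes treated as "broad" here (assumption: real scope names differ per SaaS
# provider and must be mapped from that provider's own scope list).
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}


@dataclass(frozen=True)
class OAuthGrant:
    vendor: str                   # third party holding the token
    target: str                   # internal SaaS system the token reaches
    scopes: tuple                 # scopes granted to the vendor
    last_used: datetime           # last token use seen in the provider's logs
    credential_rotated: datetime  # last rotation of the vendor-side credential
    legacy_integration: bool      # grant belongs to an old integration service account


def assess_grant(grant, now, stale_days=90, rotation_days=365):
    """Return the list of findings for one grant (empty list means clean)."""
    findings = []
    if BROAD_SCOPES & set(grant.scopes):
        findings.append("broad-scope")
    if now - grant.last_used > timedelta(days=stale_days):
        findings.append("stale")  # an unused grant is pure attack surface
    if now - grant.credential_rotated > timedelta(days=rotation_days):
        findings.append("unrotated-credential")
    if grant.legacy_integration:
        findings.append("legacy-integration")
    return findings


def blast_radius(grants):
    """Map each vendor to the set of internal systems a compromise of that
    vendor would reach through the tokens it holds."""
    reach = {}
    for g in grants:
        reach.setdefault(g.vendor, set()).add(g.target)
    return reach


def audit(grants, now):
    """Per-grant findings keyed by (vendor, target), plus the sorted list of
    vendors whose compromise would reach more than one internal system."""
    report = {(g.vendor, g.target): assess_grant(g, now) for g in grants}
    multi = sorted(v for v, t in blast_radius(grants).items() if len(t) > 1)
    return report, multi


# Constructed inventory (vendor and system names are placeholders, not real vendors).
NOW = datetime(2025, 7, 1)
SAMPLE_GRANTS = [
    OAuthGrant("intel-vendor", "crm", ("api", "refresh_token"),
               NOW - timedelta(days=2), NOW - timedelta(days=500), True),
    OAuthGrant("intel-vendor", "call-recording", ("read:calls",),
               NOW - timedelta(days=10), NOW - timedelta(days=500), True),
    OAuthGrant("analytics-vendor", "crm", ("read:reports",),
               NOW - timedelta(days=200), NOW - timedelta(days=30), False),
]

if __name__ == "__main__":
    report, multi = audit(SAMPLE_GRANTS, NOW)
    for key, findings in report.items():
        print(key, findings or ["clean"])
    print("vendors reaching multiple systems:", multi)
```

The `blast_radius` view is the one that matters most for the scenario in this article: a single vendor holding grants into several systems is exactly the position from which one compromise yields many targets, so those vendors are the first candidates for narrowing scopes and rotating the credentials behind their integrations.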

Originally reported by TechCrunch / BleepingComputer. Read the original article for additional details.
