
LastPass discloses another data breach via Klue supply chain attack, customer data exposed
Another day, another data breach for the widely-known password manager… LastPass has disclosed yet another data breach stemming from a security incident at Klue, a third-party market intelligence provider integrated with LastPass’s Salesforce and Gong platforms. The incident, which occurred in early June, impacted multiple companies, including LastPass.
During its investigation, LastPass found that an unauthorized party obtained OAuth authorization tokens managed by Klue for several clients. Using these tokens, the threat actor was able to access customer data that LastPass maintained within its Salesforce environment.
At this stage, the data accessed was limited to business contact information and basic customer relationship management records, such as customer names, phone numbers, email addresses, physical addresses, as well as support and sales case information. LastPass has stated that there is no indication that customer vaults, the company’s main products, or infrastructure were affected. Additionally, no Gong-related data was accessed during the breach.
Once notified, LastPass completed its remediation steps, including rotating all exposed Klue OAuth tokens and restricting further access. Following these actions, LastPass advises customers to remain vigilant for potential phishing or social engineering efforts that may use the leaked contact details.
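The token misuse described above, as an added detection example that is not part of the original article: it scans constructed CRM API log lines for a third-party integration's OAuth token being used from outside the vendor's assumed egress range, or pulling records in bulk. The log format, the Klue address range and the bulk threshold are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed vendor egress ranges (documentation-style placeholder addresses);
# in practice take them from the integration vendor's published allow-list.
KNOWN_EGRESS = {"Klue": [ip_network("203.0.113.0/24")]}
BULK_THRESHOLD = 500  # rows returned by one call; above this a read looks like harvesting


@dataclass
class ApiEvent:
    app: str     # connected app whose OAuth token authenticated the call
    src_ip: str  # client address the call came from
    obj: str     # CRM object read (Contact, Case, ...)
    rows: int    # rows returned


def parse_line(line: str) -> ApiEvent:
    """Parse one constructed log line of the form 'app=X ip=Y object=Z rows=N'."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return ApiEvent(f["app"], f["ip"], f["object"], int(f["rows"]))


def flag_events(lines):
    """Return (app, src_ip, reasons) for every call that looks like third-party token misuse."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        reasons = []
        ranges = KNOWN_EGRESS.get(ev.app)
        # A known integration's token used from outside that vendor's network suggests the token has left the vendor's hands.
        if ranges and not any(ip_address(ev.src_ip) in net for net in ranges):
            reasons.append("token used outside vendor's known egress range")
        if ev.rows >= BULK_THRESHOLD:
            reasons.append(f"bulk read of {ev.rows} {ev.obj} rows")
        if reasons:
            findings.append((ev.app, ev.src_ip, reasons))
    return findings


# Constructed sample: normal vendor traffic, then the same app's token used from an
# unrelated address to pull contact and case data, including one bulk export.
SAMPLE_LOG = [
    "app=Klue ip=203.0.113.10 object=Contact rows=12",
    "app=Klue ip=198.51.100.7 object=Contact rows=2000",
    "app=Klue ip=198.51.100.7 object=Case rows=40",
    "app=Gong ip=192.0.2.5 object=Contact rows=3",  # no egress list on file: only the bulk rule applies
]

if __name__ == "__main__":
    for app, ip, reasons in flag_events(SAMPLE_LOG):
        print(f"{app} token from {ip}: {'; '.join(reasons)}")
```

Each finding is a candidate for the response the article describes: revoke and reissue that integration's tokens and tighten the scopes and network restrictions on the connected app.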


Comments
It was hacked a few years ago, and now it's been hacked again.
2011 security incident
2015 security breach
2017 security vulnerabilities in the Android app
2021 third-party trackers and security incident
2022 customer data and partially-encrypted vault theft
2024 leakage via injection attacks
2025 DOM-based extension clickjacking
2026 ETH Zurich security analysis
2026 Klue supply chain data breach
https://en.wikipedia.org/wiki/LastPass#Security_incidents