LastPass has disclosed that it was impacted by a supply chain security incident stemming from a breach of its third-party vendor, Klue — a market intelligence platform used by LastPass’s go-to-market teams. The attack resulted in unauthorized access to customer data stored within LastPass’s Salesforce CRM environment. Crucially, the company confirmed that its core password management infrastructure and encrypted customer vaults were not affected.
How the Attack Unfolded
The incident began on June 12, 2026, when LastPass was notified of suspicious activity affecting Klue. Klue integrates with enterprise platforms including Salesforce and Gong, enabling bidirectional data synchronization across customer relationship management and revenue intelligence systems. Threat actors exploited this integration by obtaining OAuth tokens that Klue stored on behalf of its customers — including LastPass.
Using those stolen tokens, attackers bypassed traditional credential-based authentication and accessed LastPass’s Salesforce instance directly through the trusted API connection that Klue had established. This technique — abusing valid OAuth tokens rather than stolen passwords — is increasingly common in supply chain attacks because it sidesteps MFA controls and leaves minimal traces in standard authentication logs.
What Data Was Exposed
LastPass confirmed the compromised data was limited to information within its Salesforce environment connected to Klue. This includes:
- Customer names, email addresses, and phone numbers
- Physical mailing addresses
- Support case details
- Sales-related records and CRM data
No master passwords, encrypted vault data, authentication secrets, or core product infrastructure was accessed. There is also no evidence that Gong systems connected to Klue were accessed during the intrusion.
Incident Response Actions
Upon detection, LastPass moved quickly to contain the incident:
- All employee access to Klue was immediately revoked
- Exposed API and OAuth tokens were rotated
- A joint investigation was launched with Klue and Salesforce
- Law enforcement agencies were notified
- LastPass’s Threat Intelligence, Mitigation, and Escalation (TIME) team began sharing threat intelligence with the broader security community
The company is also implementing additional safeguards focused on third-party integrations and token lifecycle management.
Indicators of Compromise
LastPass identified several indicators of compromise (IOCs) associated with the attack. Security teams are advised to monitor for the following in their environments:
- Suspicious IPs: 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, 159.183.181[.]239
- Malicious sender domains: baccarat.com[.]au, robinskitchen.com[.]au, house.com[.]au
Note: addresses are intentionally defanged. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Phishing Risk for Affected Customers
While no passwords or vault data were stolen, the exposed CRM data — including names, emails, and phone numbers — is sufficient for highly targeted phishing and social engineering attacks. Attackers could impersonate LastPass support staff or send convincing lures referencing details visible only in legitimate customer records. LastPass has advised customers to remain cautious of unsolicited communications and reminded users that the company will never request master passwords through any channel.
The Bigger Picture: OAuth and Third-Party Risk
This incident is a textbook illustration of the systemic risk posed by SaaS integration sprawl. Modern enterprises connect dozens of SaaS platforms through OAuth integrations, often granting broad data access scopes without robust monitoring of token usage. When one integration partner is compromised, every connected platform becomes a potential pivot point.
Security teams should audit their OAuth integrations regularly, enforce least-privilege scopes, implement token usage anomaly detection, and maintain a clear inventory of which third parties have access to which internal systems. The LastPass-Klue incident demonstrates that even a security-focused company with a well-resourced security team can be exposed through a vendor it has limited visibility into.
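The following is an added example, not code from LastPass, Klue or Salesforce, that ties the IOC list above to the audit advice in this paragraph: it re-fangs the published IP indicators in memory, then reviews constructed token-activity rows (loosely shaped like Salesforce login-history records) against a hypothetical integration inventory, flagging IOC hits, connected apps nobody inventoried, and tokens holding scopes beyond what the integration was approved for. The inventory contents, the scope names and the sample rows are assumptions for illustration.

```python
import ipaddress

# IOC IPs as published in the advisory, kept in defanged form in the source.
DEFANGED_IOC_IPS = [
    "138.226.246[.]94", "94.154.32[.]160",
    "159.183.215[.]61", "159.183.181[.]239",
]

# Hypothetical inventory: connected app name -> OAuth scopes it is approved to hold.
APPROVED_APPS = {
    "Klue": {"api", "refresh_token"},
}

def refang(ioc: str) -> str:
    """Reverse the '[.]' defanging so the value can be compared against log fields."""
    return ioc.replace("[.]", ".")

IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IOC_IPS}

# Constructed sample rows (not real log data), loosely shaped like Salesforce
# login-history records: (timestamp, connected app, source IP, scopes on the token).
SAMPLE_EVENTS = [
    ("2026-06-11T09:14:02Z", "Klue", "203.0.113.10", ["api", "refresh_token"]),
    ("2026-06-12T03:41:55Z", "Klue", "138.226.246.94", ["api", "refresh_token"]),
    ("2026-06-12T03:42:10Z", "Klue", "159.183.215.61", ["api", "refresh_token", "full"]),
    ("2026-06-12T08:05:30Z", "UnknownSyncTool", "198.51.100.7", ["api"]),
]

def review_token_activity(events, ioc_ips=IOC_IPS, approved=APPROVED_APPS):
    """Return (timestamp, app, ip, reasons) for every row that matches a published
    IOC, comes from an app outside the inventory, or carries unapproved scopes."""
    findings = []
    for ts, app, ip, scopes in events:
        reasons = []
        if ipaddress.ip_address(ip) in ioc_ips:
            reasons.append("source IP matches published IOC")
        if app not in approved:
            reasons.append("connected app not in integration inventory")
        else:
            excess = set(scopes) - approved[app]
            if excess:
                reasons.append("token holds unapproved scopes: " + ", ".join(sorted(excess)))
        if reasons:
            findings.append((ts, app, ip, reasons))
    return findings

if __name__ == "__main__":
    for ts, app, ip, reasons in review_token_activity(SAMPLE_EVENTS):
        print(f"{ts} {app:<16} {ip:<16} {'; '.join(reasons)}")
```

The same three checks can be run over exported login-history or connected-app usage reports; the scope comparison is what catches an integration that quietly holds more access than its inventory entry says it needs.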
This is the second significant security incident for LastPass in recent years, and it underscores the ongoing challenges facing credential management and identity security companies in an environment of sophisticated, persistent adversaries who exploit trusted third-party relationships rather than attacking hardened targets directly.