LastPass is warning users that personal data was accessed after hackers hit Klue, an outside market research partner connected to its sales and customer systems.
The password manager says customer vaults were not affected, but the incident exposed business contact, CRM, support, and sales-related data, according to 9to5Mac. For a company built on trust around credentials, even a partner-linked breach lands hard.
LastPass alerts users after Klue breach exposes contact and support data
LastPass is emailing affected users after a breach at Klue, a market research firm used by the company’s go-to-market teams. The attack allowed hackers to access customer information and support case data tied to LastPass.
LastPass said the exposed data was limited to standard business and CRM information, not password vault contents.
“The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.”
That distinction matters. Vault data is the crown jewel for a password manager. CRM and support data, while less sensitive than stored credentials, can still give attackers enough detail to craft credible phishing emails, impersonate support staff, or target users with account-specific lures.
The company said it revoked employee access to Klue after learning of the incident. It also rotated exposed API tokens, notified law enforcement, and opened “a detailed investigation into the scope of the event, working with our contacts at both Klue and Salesforce.”
BleepingComputer reported that LastPass was made aware of the Klue incident on June 12th, and that attackers obtained OAuth tokens Klue held for customers including LastPass. Those tokens were then used to access LastPass customer data in its Salesforce environment.
Klue’s platform integrates with Salesforce and Gong systems, according to LastPass. BleepingComputer reported that LastPass found no evidence of access to Gong-related data, which can include customer calls and emails.
The disclosed scope still has gaps. LastPass has not provided, in the available reporting, a public count of affected users.
Partner-linked incident adds pressure after LastPass’s previous security failures
This is not a repeat of LastPass’s worst prior breach pattern, but it hits the same nerve: users trusted a password manager, and attackers still reached data connected to that relationship.
The latest incident stems from a third-party partner rather than a reported direct compromise of LastPass’s own products or vault infrastructure. That does not make it harmless. It shifts the weak point from the password vault to the vendor chain around customer management and support.
MLXIO analysis: The practical risk is not mass vault cracking based on what LastPass has disclosed. The risk is precision fraud. Names, phone numbers, email addresses, physical addresses, support cases, and sales records can help an attacker sound legitimate when contacting a user.
LastPass is explicitly warning customers to “remain vigilant of potential phishing attacks or social engineering attempts” using the stolen data. That is the right risk frame: attackers do not need a vault if they can trick a user or employee into handing over access.
The incident also sharpens the reputational problem because LastPass has been here before in different forms.
| Year | Reported incident | Vault impact reported |
|---|---|---|
| 2015 | Hackers obtained account email addresses, password reminders, authentication hashes, and cryptographic salts | LastPass said encrypted vault data was not accessed |
| 2022 | An attacker compromised a developer account, stole source code and technical information, then accessed cloud backups containing customer records and encrypted password vaults | Encrypted password vaults were accessed, along with unencrypted names, billing addresses, email addresses, and phone numbers |
| 2026 | Hackers accessed LastPass customer data through Klue-linked access to CRM/support systems | LastPass says password vaults were not affected |
For readers tracking how hidden supplier dependencies keep surfacing in tech risk, MLXIO’s Future Trends Everyone Keeps Misreading — Here's Why and Key Trends Reveal the Next Tech and Finance Shake-Up offer broader context on why indirect exposure can matter as much as the headline product.
LastPass also published technical indicators tied to the attackers. Security teams can search for related activity using these details:
- IP addresses: 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, 159.183.181[.]239
- Email sender domains: baccarat.com[.]au, robinskitchen.com[.]au, house.com[.]au
That list is useful for enterprise defenders. For individual users, the more likely exposure is a convincing email, text, or phone call that references real support or account details.
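To show how a security team might actually use the indicators above, here is an added example (not from LastPass, Klue or the original article) that refangs the published IPs and sender domains and scans constructed login and mail log lines for them; the log format and field names are assumptions, and the domain check also catches subdomains of a listed sender domain without flagging look-alikes such as "warehouse.com.au".

```python
import re

# Indicators quoted in the article, kept in their defanged form.
DEFANGED_IPS = ["138.226.246[.]94", "94.154.32[.]160",
                "159.183.215[.]61", "159.183.181[.]239"]
DEFANGED_DOMAINS = ["baccarat.com[.]au", "robinskitchen.com[.]au", "house.com[.]au"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its searchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_IPS = {refang(i) for i in DEFANGED_IPS}        # exact-match set for IPs
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Captures the domain part of any e-mail address found in a log line.
SENDER_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def match_sender_domain(domain: str) -> bool:
    """True if the domain is a listed sender domain or a subdomain of one."""
    domain = domain.lower()
    return any(domain == ioc or domain.endswith("." + ioc) for ioc in IOC_DOMAINS)

def scan_line(line: str):
    """Return a list of (indicator_type, value) hits for one log line."""
    hits = [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IOC_IPS]
    for m in SENDER_RE.finditer(line):
        dom = m.group(1).lower()
        if match_sender_domain(dom):
            hits.append(("sender_domain", dom))
    return hits

def scan_logs(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, line, hits))
    return results

# Constructed sample log lines (assumed formats), not real data.
SAMPLE_LOGS = [
    "2026-06-12T10:14:03Z salesforce_login user=svc_klue src_ip=138.226.246.94 result=SUCCESS",
    "2026-06-12T10:15:51Z salesforce_login user=jdoe src_ip=10.0.0.5 result=SUCCESS",
    "Jun 13 08:02:11 mx1 postfix/smtpd: from=<support@mail.robinskitchen.com.au> to=<user@example.com>",
    "Jun 13 08:05:40 mx1 postfix/smtpd: from=<orders@warehouse.com.au> to=<user@example.com>",
    "2026-06-12T10:20:00Z api_call user=svc_klue src_ip=194.154.32.160 result=SUCCESS",
]

if __name__ == "__main__":
    for n, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```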
LastPass users should verify alerts and tighten account security now
Users who receive a breach notice should verify it through official LastPass channels before clicking links or opening attachments. Unexpected emails claiming to be about this incident deserve extra scrutiny, especially if they push urgency around account resets, vault access, or software updates.
LastPass users should not share their master password with anyone. If LastPass directly advises a master password change for a specific account, users should follow that guidance through the official site or app rather than through an emailed link.
Practical steps now:
- Verify: Check notices by going directly to LastPass’s official website or app, not through unsolicited links.
- Review MFA: Confirm multi-factor authentication is enabled and tied to trusted devices or apps.
- Watch accounts: Monitor accounts tied to exposed contact details, especially if a support case included sensitive context.
- Scrutinize support claims: Treat calls or emails referencing LastPass support history as potentially hostile unless independently verified.
- Preserve evidence: Save suspicious messages, headers, sender domains, and timestamps for security teams or LastPass support.
The next disclosures matter. Watch whether LastPass provides a count of affected users, expands the data categories, releases more indicators, or says whether regulators have contacted the company or Klue.
The immediate scenario is clear: vaults are not reported compromised, but attackers may now have enough customer context to make scams look personal. That makes user verification, not panic, the first line of defense.
Impact Analysis
- LastPass says password vaults were not affected, but exposed CRM and support data can still enable targeted phishing.
- The breach came through Klue, showing how third-party vendors can create security risk for trusted services.
- LastPass revoked Klue access, rotated exposed API tokens, notified law enforcement, and began investigating the incident.