LastPass Data Breach Again, What the Klue Hack Actually Exposed
Your vault is safe. Your inbox might not be.
A third-party tool most users have never heard of just became the entry point into LastPass’s customer data. Here’s exactly what got exposed, who’s behind it, and what to actually do about it.
If you’ve seen headlines about another LastPass data breach, you’re probably wondering whether your saved passwords are at risk again. The short answer: this one is different from 2022, but it’s still worth taking seriously.
This time, the breach didn’t start at LastPass at all. It started at Klue, a third-party marketing intelligence platform that LastPass’s sales team uses internally. Attackers compromised Klue, stole authentication tokens, and used those tokens to slip into LastPass’s Salesforce environment — the system that holds customer support and contact records, not password vaults.
This guide walks through exactly what happened, what was and wasn’t exposed, and the specific steps worth taking if you’re a LastPass user.
Your vault wasn’t touched.
Your inbox is now a bigger target.
was first detected
affected by the same attack
confirmed compromised
security incident since 2015
It started with a tool you’ve never heard of
Origin pointKlue is a market intelligence platform that LastPass’s go-to-market team used internally — it had nothing to do with the password manager product itself. On June 12, 2026, LastPass learned that Klue had suffered its own security incident.
An attacker, later identified by a group calling itself Icarus, had compromised Klue’s backend using a stolen legacy credential, then generated OAuth tokens tied to Klue’s integrations with other platforms, including Salesforce and Gong.
This is a textbook supply chain attack: the target wasn’t LastPass directly, but a tool LastPass trusted and connected to its systems.
Stolen tokens opened the door to Salesforce
Access gainedOAuth tokens are designed to let connected apps share data without requiring a fresh login every time. That convenience became the weak point here. With Klue’s stolen tokens in hand, the attacker used them to query LastPass’s Salesforce environment directly and pull data in bulk.
LastPass has confirmed that this access did not extend to its core products, infrastructure, or the systems that actually store encrypted password vaults. The breach was contained to the CRM layer — names, emails, phone numbers, and support case content.
CRM data feels less sensitive than a vault, but it’s exactly the kind of detail that makes a phishing email look legitimate.
What exactly was exposed, and what wasn’t
Scope clarifiedLastPass has been fairly specific here. Exposed: customer names, contact details, and the content of support cases handled through Salesforce. Not exposed: password vaults, master passwords, and the core infrastructure behind the password manager itself.
That distinction matters, but it doesn’t mean the exposed data is harmless. Support case content can include details about account setup, security questions asked during past support interactions, and patterns that make a scam message far more convincing.
“Vaults are safe” is true, but it’s not the same as “nothing to worry about.” Phishing risk is now elevated even without vault access.
LastPass isn’t the only company affected
Wider impactThe Klue attack hit more than one company. Security researchers and affected firms have confirmed that Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity were also impacted through the same compromised integration chain.
Salesforce and Gong have since disabled the Klue integration entirely in response, and over a dozen organizations using Klue are expected to come forward with similar disclosures as the investigation continues.
If you use any service that integrates with Salesforce through a third-party intelligence tool, it’s worth checking whether that vendor has disclosed anything related to Klue.
LastPass staff will never ask
for your master password
What you should actually do right now
Action stepsYou don’t need to change your master password because of this specific incident — vaults weren’t touched. But a few practical steps are worth taking given the exposed contact data:
Be skeptical of any unexpected email or call claiming to be LastPass support, especially anything asking for your master password, payment details, or urgent account verification. LastPass has published specific suspicious sender domains tied to this incident, and legitimate support communication only comes through official channels.
If you reuse your LastPass account email as a recovery address elsewhere, consider whether that email is now more exposed to targeted phishing, and treat unexpected security-related messages with extra caution for the next few months.
The real risk window here isn’t your vault — it’s the next convincing-looking email that references real account details to seem trustworthy.
Emails claiming to be LastPass support asking for your master password · Urgent account verification requests with unfamiliar sender domains · Calls referencing your account details that pressure immediate action · LastPass will never ask for your master password through any channel — treat any request like this as a scam.
This isn’t LastPass’s first rodeo, and that history is part of why this incident is getting attention. The company disclosed a major breach in 2022 that exposed customer metadata and encrypted vault backups, which later led to reports of cryptocurrency theft as attackers cracked weaker master passwords offline. That incident resulted in a £1.23 million fine from the UK Information Commissioner’s Office and a $24.5 million class-action settlement.
The Klue incident is structurally different — it’s a supply chain attack through a third-party tool rather than a direct breach of LastPass’s core systems. But the pattern of “another LastPass breach” headlines, regardless of root cause, reflects a broader issue in software security: companies are only as secure as every vendor and integration they connect to.
This is increasingly common across the industry. Tata Electronics, Recorded Future, and several other firms have disclosed similar third-party-driven incidents in the same month, suggesting that supply chain compromise — not direct attacks on flagship products — is becoming the dominant breach pattern of 2026.