Another LastPass security breach traces back to a compromised vendor

- LastPass suffered another data incident, but this time the breach originated from third-party vendor Klue rather than LastPass itself.
- Hackers stole OAuth tokens from Klue, giving them access to connected Salesforce and Gong environments used by LastPass.
- Exposed information includes customer names, contact details, support case records, physical addresses, and some sales data.
LastPass is dealing with yet another security incident, but this time, the company says the problem came from one of its vendors, rather than the infamous breaches it has suffered in the past.
The company has confirmed in a blog post that hackers accessed some customer information after compromising Klue, a third-party competitive intelligence platform used by LastPass’ go-to-market teams. LastPass said it first became aware of the incident on June 12. Its investigation found that attackers had gained access to OAuth tokens stored by Klue, which in turn gave them access to the connected services of several Klue customers, including LastPass. The compromised integrations linked Klue to Salesforce and Gong environments used by LastPass.
The exposed details include customer names, email addresses, phone numbers, physical addresses, support case records, and some sales-related data. LastPass stressed that its own infrastructure wasn’t breached and that password vaults, encrypted credentials, and core services remained untouched.
Separately, Klue said the attackers accessed the system using a compromised legacy credential associated with an integration tool. Once inside, threat actors were able to steal customer OAuth tokens and use those tokens to extract data from connected cloud platforms. Since then, the company has revoked affected credentials, disabled several integrations, and removed the malicious access from its systems.
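The chain Klue describes (a stolen integration credential, then the OAuth tokens that integration held, then bulk reads from the connected platforms) is the kind of thing the owner of the connected platform can spot from the integration's own API activity. The following is an added illustration, not code from the article or from LastPass, Klue, Salesforce or Gong: it builds a per-integration baseline from constructed access records and flags sessions that come from a never-seen source address or pull far more rows than usual. The record fields (`client_id`, `source_ip`, `records_read`) and the sample data are assumptions made for the example, not any vendor's real log format.

```python
"""
Added example (not from the article or from LastPass/Klue/Salesforce/Gong):
baseline-and-deviation checks over constructed API access records for a
third-party integration that holds an OAuth token to a cloud platform.
Field names and values are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class AccessRecord:
    ts: datetime        # start of the API session
    client_id: str      # OAuth client (connected app) that presented the token
    source_ip: str      # address the API calls came from
    records_read: int   # rows pulled during the session


# Constructed sample data: ten nights of a routine overnight sync from one
# address, followed by a session from an unfamiliar address that pulls
# hundreds of times more data than the integration ever has.
BASELINE = [
    AccessRecord(datetime(2025, 6, 1 + d, 2, 0), "intel-integration",
                 "203.0.113.10", 1_200 + 50 * (d % 3))
    for d in range(10)
]
SUSPECT = [
    AccessRecord(datetime(2025, 6, 12, 3, 14), "intel-integration",
                 "198.51.100.77", 480_000),
]


def build_baseline(records):
    """Per client id: (set of source IPs seen, mean rows read per session)."""
    ips = defaultdict(set)
    volumes = defaultdict(list)
    for r in records:
        ips[r.client_id].add(r.source_ip)
        volumes[r.client_id].append(r.records_read)
    return {cid: (ips[cid], mean(volumes[cid])) for cid in ips}


def flag_sessions(baseline, records, volume_factor=10.0):
    """Return [(record, reasons)] for sessions that deviate from their client's baseline.

    A session is flagged when its client id has no baseline at all, when it
    comes from a source IP the client has never used, or when it reads more
    than volume_factor times the client's mean session volume.
    """
    findings = []
    for r in records:
        reasons = []
        if r.client_id not in baseline:
            reasons.append("unknown client id")
        else:
            known_ips, avg = baseline[r.client_id]
            if r.source_ip not in known_ips:
                reasons.append(f"new source ip {r.source_ip}")
            if r.records_read > volume_factor * avg:
                reasons.append(
                    f"volume {r.records_read} exceeds {volume_factor:g}x baseline {avg:.0f}")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    for rec, why in flag_sessions(base, BASELINE + SUSPECT):
        print(rec.ts.isoformat(), rec.client_id, "; ".join(why))
```

In practice the baseline would be built from the platform's own connected-app or API event logs rather than a hand-written list, and a hit on a token-holding integration is the cue for the containment steps the article lists: revoke the integration's tokens and credentials, disable the app connection, and review what the session read.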
Salesforce’s security team also had to step in after seeing suspicious activity and disabled Klue’s app connection. The CRM giant said the problem was with the third-party app and not due to a vulnerability in Salesforce itself.
For LastPass users, the company says no action is required to protect stored passwords because vault data was not involved. However, affected customers should be more vigilant. Attackers can use contact information and support tickets to launch phishing attempts and social engineering campaigns.