LastPass says Salesforce customer data exposed in Klue supply chain attack

LastPass said hackers accessed customer data from its Salesforce environment after stealing OAuth tokens in the Klue supply chain attack earlier this month, though its products, services and infrastructure were not affected.

KEY FACTS

  • Incident: Unauthorized access involved OAuth tokens taken from Klue.
  • Scope: The exposure was limited to data in LastPass' Salesforce environment.
  • Unaffected systems: Customer vaults and core services remained secure.
  • Possible data: Names, phone numbers, email addresses, physical addresses, support case details and sales or CRM data may have been exposed.

LastPass said it learned on June 12 that Klue, a third-party market intelligence platform used by its go-to-market teams, had been hit in a supply chain incident affecting the platform's integrations with Salesforce and Gong. LastPass said it began its own investigation at that point.

The disclosure said an unauthorized actor obtained the OAuth tokens Klue held for many of its customers, LastPass among them, and used them to reach customer data in LastPass' Salesforce environment. LastPass said the investigation found no evidence that any Gong-related data was accessed.

LastPass said it has disabled employee access to Klue, rotated the exposed API and OAuth tokens, and notified law enforcement while the investigation continues. The token rotation is the step that closes the access path: tokens a vendor holds for an integration remain valid until they are revoked or expire, so cutting off employee logins to Klue alone would not have stopped an attacker who already held them. LastPass also warned that attackers may use the stolen information in phishing or social engineering campaigns and said only its official support channels should be trusted.

The Klue breach was claimed by the Icarus extortion group, which said it stole CRM data from multiple organizations after compromising Klue infrastructure through legacy integration credentials. Reported victims included Recorded Future, Tanium, Jamf, Sprout Social, Gong and Insurity.

WHY IT MATTERS

The case shows how a breach at one vendor can expose data held in other SaaS systems that vendor is connected to through integration credentials, in this instance Salesforce environments belonging to the vendor's customers. For affected users, the main risk is follow-up phishing or social engineering that draws on the contact and support-case information in the exposed records.