LastPass Customer Data Exposed Through Third-Party Provider Attack

The weakest link was outside the password vault.

Boston, June 2026

LastPass has confirmed that hackers accessed personal information belonging to some of its customers after compromising Klue, a market intelligence provider connected to the company’s Salesforce environment. The attackers reportedly obtained OAuth tokens that allowed them to impersonate legitimate applications and enter integrated systems without using conventional passwords. LastPass said its core infrastructure, password-management products and encrypted vaults were not breached. The incident instead demonstrates how trusted external services can become indirect gateways into sensitive corporate data.

The unauthorized activity was detected on June 12 and involved Klue's integration with Salesforce, a platform commonly used to manage customer relationships, sales activity and business communications. OAuth tokens are bearer credentials: an access token, usually short-lived, and often a long-lived refresh token, which together let an approved application call another service's API on an organization's behalf without presenting a username and password each time. Because the API accepts the token on its own, whoever holds a stolen copy can make the same requests the legitimate application could, within the scopes the token was granted. This method can delay detection because the activity may initially resemble normal communication between connected platforms; the only signals are often changes in volume, timing or origin.

According to the information disclosed by LastPass, the exposed records included customer names, telephone numbers, email addresses, physical addresses and information associated with sales activities. The company emphasized that passwords, master passwords and the contents of customer vaults were not involved. There was also no indication that hackers entered the systems responsible for operating the LastPass password manager. That distinction reduces the likelihood of immediate account takeover but does not eliminate the security risk created by the stolen information.

Personal data of this kind can be especially valuable for targeted phishing campaigns. Criminals who know a victim’s name, telephone number, email address and connection to LastPass can create messages that appear credible and highly personalized. They may impersonate customer support, claim that an account requires urgent verification or warn that a password vault has been compromised. The objective would be to persuade the recipient to reveal credentials, download malicious software or enter information on a fraudulent page.

The exposure of physical addresses and sales-related data could make those attacks even more convincing. A message containing accurate personal details may appear to originate from a legitimate company because the recipient assumes that only an authorized service would possess such information. Attackers can also combine the records with data from previous breaches to construct broader profiles of potential victims. This process can support identity theft, financial fraud and social engineering against relatives, employers or professional contacts.

Klue publicly acknowledged the incident on June 22 and said it had launched an investigation after identifying the unauthorized activity. The provider did not initially disclose the total number of affected companies or customers. It also did not provide complete public details about the credentials stolen during the intrusion. The absence of a final count means the full scale of the supply-chain compromise may remain uncertain while forensic work continues.

LastPass responded by disabling employee access to the Klue platform and rotating the API and OAuth tokens associated with the affected integrations. Revoking and reissuing tokens invalidates the stolen copies at the authorization server, so the attacker's access ends even though the tokens remain in their possession, and disabling the integration removes the refresh path through which new access tokens could otherwise be minted. The company also notified the relevant authorities and began reviewing the scope of the information removed from Salesforce. These measures are intended to contain the immediate threat while investigators determine how the attackers entered Klue's environment.

The incident did not originate from a vulnerability inside the LastPass password manager, but its impact still reaches the company’s customers. Organizations increasingly depend on networks of cloud platforms, analytics tools, marketing systems and external vendors that exchange information through automated connections. Each integration creates efficiency, yet it also expands the number of systems that must remain secure. An attacker may therefore avoid the most heavily protected target and compromise a smaller provider with trusted access instead.

Supply-chain attacks have become particularly difficult to prevent because companies often cannot directly supervise the internal security practices of every partner. A business may maintain strong controls over its own servers while remaining exposed through a vendor that stores tokens, processes customer records or operates a connected application. Traditional security assessments can also become outdated as providers change personnel, software and access permissions. Continuous monitoring is consequently more important than a one-time review completed when a contract begins.

The LastPass brand makes the episode especially sensitive because customers use the service to protect access to their digital accounts. Even when encrypted vaults remain secure, any security incident involving a password manager can weaken confidence in the broader system. LastPass has faced intense scrutiny since its major 2022 breach, when attackers obtained customer information and copies of encrypted password vaults. The latest case is technically different, but it revives concerns about the company’s wider ecosystem and the protection of data located outside its central product.

Users do not currently need to assume that their stored passwords were exposed through the Klue incident. They should nevertheless treat unexpected emails, telephone calls and text messages mentioning LastPass with considerable suspicion. Genuine support personnel should not request a master password, authentication code or complete account credentials. Messages demanding immediate action through unfamiliar pages should be ignored rather than followed.

Multifactor authentication remains an important protective measure, although users must also guard against phishing of one-time codes and against repeated push prompts intended to wear them down into approving a login they did not initiate. Account notifications should be reviewed directly in the official application instead of through links received in messages. A strong and unique master password also remains essential for protecting the encrypted vault from separate threats. These precautions reduce the chance that exposed contact information can be converted into access to more valuable accounts.

For companies, the breach reinforces the need to grant each third-party integration only the OAuth scopes it actually requires. Access tokens should be short-lived and refresh tokens rotated on a schedule, API activity from each integration should be monitored for unusual volume, timing or source, and integrations that are no longer used should be revoked promptly. Customer relationship platforms should also separate highly sensitive information from data required only for routine sales operations. The principle is simple: a provider cannot expose information it was never permitted to access.
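The controls described in the preceding paragraph, and the token and rotation points raised earlier in the article, can be turned into a routine audit. The script below is an added example written for this page; it is not code from LastPass, Klue or Salesforce. It runs over a constructed inventory of integrations (hypothetical app names, scopes, token timestamps and per-day read counts) and flags four conditions: scopes beyond an allowed minimum, tokens older than a rotation deadline, integrations idle past a cutoff, and a spike in records read through one app's token relative to its own baseline. The field names and thresholds are assumptions; a real deployment would pull the inventory from the CRM's connected-app registry and its API event log.

```python
"""Audit third-party integrations for least-privilege scopes, token age,
idle access and anomalous read volume. Added example; all data below is
constructed and the field names are assumptions, not any vendor's schema."""

from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Reference time for the audit (constructed; matches the article's detection date).
NOW = datetime(2026, 6, 12, 12, 0, tzinfo=timezone.utc)

# Constructed inventory of integrations holding OAuth tokens for the CRM.
INTEGRATIONS = [
    {"app": "crm-reporting", "scopes": {"api", "refresh_token"},
     "token_issued": "2026-05-01T00:00:00Z", "last_used": "2026-06-12T09:00:00Z"},
    {"app": "market-intel", "scopes": {"api", "refresh_token", "full"},
     "token_issued": "2025-11-15T00:00:00Z", "last_used": "2026-06-12T09:00:00Z"},
    {"app": "legacy-export", "scopes": {"api"},
     "token_issued": "2025-09-01T00:00:00Z", "last_used": "2026-01-03T00:00:00Z"},
]

ALLOWED_SCOPES = {"api", "refresh_token"}  # the minimum the business actually needs
MAX_TOKEN_AGE = timedelta(days=90)         # tokens older than this must be rotated
UNUSED_CUTOFF = timedelta(days=60)         # integrations idle this long get revoked

# Constructed count of records read per day through each app's token, oldest first.
DAILY_READS = {
    "crm-reporting": [1200, 1100, 1300, 1250, 1180, 1220, 1210],
    "market-intel": [300, 280, 310, 290, 305, 295, 48000],  # bulk pull on the last day
    "legacy-export": [0, 0, 0, 0, 0, 0, 0],
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-06-12T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def excess_scopes(integration):
    """Scopes granted beyond the allowed minimum (least-privilege check)."""
    return set(integration["scopes"]) - ALLOWED_SCOPES


def token_overdue(integration, now=NOW):
    """True when the token has outlived the rotation deadline."""
    return now - parse_ts(integration["token_issued"]) > MAX_TOKEN_AGE


def integration_unused(integration, now=NOW):
    """True when the integration has not been exercised within the cutoff."""
    return now - parse_ts(integration["last_used"]) > UNUSED_CUTOFF


def volume_spike(series, ratio=5.0, sigmas=3.0):
    """True when the latest day's reads far exceed the earlier days' baseline.
    Both a multiplicative ratio and a standard-deviation bound are applied, so a
    flat baseline of zeros (pstdev == 0) cannot cause a false positive or a
    division by zero; the latest value must also be non-zero."""
    if len(series) < 2:
        return False
    baseline, latest = series[:-1], series[-1]
    centre = mean(baseline)
    limit = max(centre * ratio, centre + sigmas * pstdev(baseline))
    return latest > limit and latest > 0


def audit(now=NOW):
    """Return a mapping of app name to the list of findings for that app."""
    findings = {}
    for app in INTEGRATIONS:
        name, issues = app["app"], []
        extra = excess_scopes(app)
        if extra:
            issues.append("excess scopes: " + ", ".join(sorted(extra)))
        if token_overdue(app, now):
            issues.append("token older than %d days; rotate" % MAX_TOKEN_AGE.days)
        if integration_unused(app, now):
            issues.append("unused for over %d days; revoke" % UNUSED_CUTOFF.days)
        reads = DAILY_READS.get(name, [])
        if volume_spike(reads):
            issues.append("read volume spike: %d records in the latest day" % reads[-1])
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit().items():
        print(name, "->", issues or ["ok"])
```

On this constructed data the market-intel app is flagged on three counts (a `full` scope it does not need, a token past the 90-day rotation deadline, and a single-day read volume far above its own baseline), the legacy-export app is flagged as stale and idle, and crm-reporting passes. The volume check deliberately compares each app only against its own history, since a market-intelligence tool and a reporting tool have very different normal footprints.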

The investigation is continuing, and the final number of affected users has not been publicly established. What is already clear is that the attackers did not need to defeat LastPass’s principal security architecture to reach customer information. They entered through a provider, exploited trusted digital credentials and used an ordinary business integration as the pathway. The breach shows that in modern cybersecurity, protection is determined not only by the strongest system but also by every external service connected to it.

Phoenix24: clarity in the grey zone.
