At a Glance
| Organization | LastPass (via vendor Klue) |
| Data exposed | CRM contact and support data: names, emails, phone numbers, addresses |
| Records affected | Not disclosed by LastPass |
| Cause | Stolen Klue OAuth tokens used to reach Salesforce |
| Disclosure status | Confirmed by LastPass (advisory, June 2026) |
| Source | LastPass security advisory |
TL;DR
LastPass confirmed customer data theft in the Klue supply chain breach. Attackers stole OAuth tokens from Klue and used them to reach LastPass’s Salesforce data. The company says its vaults and infrastructure stayed safe.
What Was Exposed
The stolen data covers standard business contact and CRM records. It includes customer names, phone numbers, email addresses, and physical addresses. Attackers also took support case data and sales records. LastPass says customer vaults remain secure.
How It Happened
Klue is a market intelligence platform that links to Salesforce and Gong. An extortion group tracked as Icarus breached Klue’s backend. Then it harvested OAuth tokens held for Klue’s customers. With those tokens, the attacker authenticated as a trusted integration. So the LastPass Klue breach slipped past normal login controls. Researchers at ReliaQuest tied the theft to large-scale Salesforce data harvesting.
Who Is Affected
The incident hit many Klue customers, not just LastPass. Named victims include Recorded Future, Tanium, Jamf, and Sprout Social. However, LastPass has not said how many of its customers were affected.
What Affected People Should Do
Stay alert for phishing and social engineering that abuse your contact details. Treat unsolicited emails, calls, and data requests with care. Remember, no one at LastPass will ever ask for your master password.
Company Response
In response, LastPass cut employee access to Klue and rotated the exposed tokens. It also opened a joint investigation with Klue and Salesforce, then notified law enforcement. LastPass says remediation has been completed. You can read the full account in the LastPass advisory, which also lists indicators of compromise for defenders. The LastPass Klue breach now joins a wider campaign against Salesforce integrations.