LastPass has confirmed that hackers accessed customer data from its Salesforce environment after stealing OAuth tokens in the Klue supply chain attack earlier this month.
The password management company says its products, services, and infrastructure were not affected, and customer vaults remain secure. The breach was limited to the LastPass Salesforce and Gong instances that Klue, a third-party market intelligence platform, had been granted access to.
On June 12th, LastPass was notified of an incident at Klue. An unauthorized actor obtained the OAuth tokens Klue held for many of its customers, including LastPass, then used those tokens to access customer data within the Salesforce environment. There is no evidence that the attacker accessed Gong-related data.
Exposed data may include customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM-related data. LastPass says attackers could leverage this information in phishing and social engineering attacks. Users should be cautious of unsolicited communications requesting sensitive details.
The Klue supply chain attack was claimed by the Icarus extortion group, which broke into Klue's infrastructure using stolen legacy credentials for an integration service. The incident affected multiple organizations, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.
LastPass has disabled employee access to Klue, rotated the exposed API/OAuth tokens, and notified law enforcement. The company warned that threat actors are using sender domains like baccarat.com.au, robinskitchen.com.au, and house.com.au for phishing. Only trust communications from official LastPass support channels.
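The remediation described above, disabling a third party's access and rotating the OAuth tokens it held, starts with finding which tokens belong to that integration. The following is an added example, not code from LastPass, Klue or Salesforce: it triages a set of constructed records shaped like rows from Salesforce's OauthToken object (the field names AppName, UserId, LastUsedDate and UseCount are the object's documented fields; the Ids, app names and dates are made up), flags every token issued to a named compromised app for revocation, flags long-unused tokens from other apps for review, and emits the REST delete calls. The query and delete endpoints are noted in comments but not called, so the script runs offline; the endpoint path shape and API version are assumptions.

```python
"""Triage Salesforce OAuth tokens after a third-party integration is compromised.

Added example, not LastPass's, Klue's or Salesforce's own code. Live use would
fetch the rows with a SOQL query such as
    SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
and revoke each one with a DELETE on the record; both are left out here and
replaced by constructed sample data so the logic can run offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OauthToken:
    """One row of the OauthToken object (field names real, values constructed)."""
    id: str
    app_name: str       # AppName: the connected app the token was issued to
    user_id: str        # UserId: the Salesforce user whose data the token reaches
    last_used: datetime # LastUsedDate
    use_count: int      # UseCount


# Constructed "as of" time for the stale-token check.
NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)

# Constructed sample rows; Ids, app names and dates are made up.
SAMPLE_TOKENS = [
    OauthToken("0DPxx0000000001", "Klue Integration", "005xx0000000001", NOW - timedelta(days=1), 412),
    OauthToken("0DPxx0000000002", "Klue Integration", "005xx0000000002", NOW - timedelta(days=3), 97),
    OauthToken("0DPxx0000000003", "Gong Connector", "005xx0000000003", NOW - timedelta(hours=6), 1500),
    OauthToken("0DPxx0000000004", "Data Loader", "005xx0000000004", NOW - timedelta(days=200), 3),
    OauthToken("0DPxx0000000005", "Salesforce for Outlook", "005xx0000000005", NOW - timedelta(days=2), 40),
]


def triage(tokens, compromised_apps, stale_after_days=90, now=NOW):
    """Split tokens into (revoke, review).

    revoke: every token issued to an app on the compromised list, regardless of
            how recently it was used (the attacker holds a copy).
    review: tokens for other apps not used within stale_after_days; unused
            integration tokens are standing exposure and should be cut as well.
    """
    compromised = {a.casefold() for a in compromised_apps}
    revoke, review = [], []
    for t in tokens:
        if t.app_name.casefold() in compromised:
            revoke.append(t)
        elif now - t.last_used > timedelta(days=stale_after_days):
            review.append(t)
    return revoke, review


def revocation_plan(tokens, api_version="v60.0"):
    """REST calls that would delete each token (endpoint shape is an assumption)."""
    return [f"DELETE /services/data/{api_version}/sobjects/OauthToken/{t.id}" for t in tokens]


def users_to_notify(tokens):
    """Distinct users whose integration tokens are being revoked, for the rotation notice."""
    return sorted({t.user_id for t in tokens})


if __name__ == "__main__":
    revoke, review = triage(SAMPLE_TOKENS, ["Klue Integration"])
    for line in revocation_plan(revoke):
        print(line)
    print("review (stale):", [t.id for t in review])
    print("notify:", users_to_notify(revoke))
```

The two lists deliberately differ in urgency: anything issued to the compromised app is revoked unconditionally, because a recent LastUsedDate on such a token may be the attacker rather than the integration, whereas stale tokens for other apps only go to a review queue so that a legitimate low-frequency integration is not broken without a check.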
