LastPass Hit Again: What the Klue Supply Chain Breach Reveals About Third-Party Risk

LastPass has once again found itself responding to a security incident.
This time, the breach did not originate within LastPass infrastructure. Instead, it stemmed from a compromise involving Klue, a third-party market intelligence platform used by multiple organizations. Attackers gained access to OAuth tokens held by Klue and leveraged those credentials to access customer data stored within connected Salesforce environments, including data belonging to LastPass customers.
While LastPass confirmed that password vaults, stored credentials, and core products were not impacted, customer support case information and personal contact details were exposed. The incident serves as another reminder that organizations are no longer defending only their own infrastructure. They are defending an ecosystem of vendors, integrations, SaaS platforms, and connected services that collectively form the modern attack surface.
How the Attack Actually Worked
Klue integrates with enterprise sales tools like Salesforce and Gong to help companies track competitors and manage sales intelligence. To do that, Klue holds OAuth tokens on behalf of its customers: tokens that grant trusted, password-free access to connected platforms.
A threat group calling itself Icarus gained access to Klue’s backend systems through a set of legacy credentials tied to an old, discontinued integration project. Once inside, they deployed code designed to harvest OAuth tokens across Klue’s entire customer base. Those tokens were then used to query Salesforce environments directly: no brute force, no phishing, no password theft, just legitimate API calls made with stolen keys.
The data pulled from LastPass’s Salesforce environment included customer names, email addresses, phone numbers, physical addresses, customer support case contents, and sales and CRM-related records.
LastPass has been clear that its own products, infrastructure and, critically, customer password vaults were not accessed. The breach was contained to systems integrated with Klue. But that is a narrow technical distinction that may offer little comfort to customers whose support case details, often containing sensitive context about account issues or billing concerns, are now in the hands of an extortion group actively threatening to publish the data.
The Problem With OAuth Token Aggregation
This attack exposed a structural weakness that many security teams underestimate: the risk that builds up when a single vendor holds OAuth tokens for dozens of enterprise customers simultaneously.
OAuth tokens are designed to be safe. They provide scoped, revocable access without exposing actual passwords. In isolation, granting Klue a connection to your Salesforce environment seems reasonable. The risk becomes critical when the vendor holding those tokens across an entire client base gets compromised. At that point, the attacker doesn’t need to breach each company individually. One successful intrusion into Klue’s infrastructure becomes simultaneous access to all of them.
This is exactly what happened. Alongside LastPass, confirmed victims include Recorded Future, Tanium, Jamf, HackerOne, Sprout Social, Gong, Huntress, and Insurity. The Icarus group used automated tools to enumerate Salesforce objects and extract CRM data from multiple environments in a single, coordinated campaign.
The takeaway isn’t that OAuth is broken. It’s that every third-party integration represents a trust relationship that needs to be actively governed, not just approved and left unreviewed.
This Is LastPass's Second Major Incident in Four Years
It’s impossible to cover this breach without acknowledging the history. In 2022, attackers breached LastPass directly and stole its entire store of encrypted customer password vaults. Security researchers later confirmed that vaults protected by weak master passwords were cracked offline, with stolen credentials linked to cryptocurrency thefts exceeding $150 million.
That incident fundamentally eroded trust in the company and prompted a wave of customers to move to competitors. LastPass spent years rebuilding.
Now a second breach has landed. It is different in nature, but equally damaging to that recovery. The 2026 incident did not touch vaults; the technical safeguards held. But customer support data carries its own sensitivity. People contact support when they’re locked out of accounts, disputing charges, or flagging suspicious activity. That information, in the wrong hands, becomes raw material for highly targeted phishing and social engineering attacks.
Icarus has already threatened to release the stolen data if ransom demands aren’t met, and data from multiple Klue customers has begun appearing on the group’s dark web leak site.
What Security Teams Should Do Right Now
The Klue breach is a clear demonstration of how supply chain attacks bypass even well-defended perimeters. LastPass’s own systems weren’t touched. Their encryption held. Their internal controls worked. And customers still had their data stolen through a vendor they trusted.
For security and IT teams, this raises several urgent questions about how third-party access is managed.
Audit every active OAuth connection. Most organisations have dozens of third-party integrations touching their CRM, identity platforms, and collaboration tools. Many of these connections are granted, approved, and then never reviewed again. A full audit should surface integrations that have outlived their purpose, accounts with excessive permissions, and vendors that hold tokens on behalf of customers in ways that aggregate risk. HawkEye’s Supply Chain Risk Monitoring capability, part of its Managed CSOC and XDR service, is specifically built to track and flag this kind of third-party exposure before it becomes a breach.
Rotate and revoke tokens aggressively. OAuth tokens should be treated with the same discipline as passwords. When a vendor relationship ends, when a vendor reports unusual activity, or when a vendor is confirmed compromised, tokens must be rotated immediately. LastPass revoked Klue’s access and rotated exposed tokens as part of its incident response — but that action came after the data was already gone.
Apply least privilege to every integration. Klue’s integration had access to a Salesforce environment containing customer support data and full CRM records. That scope may have been broader than the integration strictly required. Scoping third-party access tightly limits the blast radius when a vendor is compromised.
Monitor for anomalous API behaviour. The Icarus group used automated tools to run large volumes of API requests and enumerate Salesforce objects across victim environments. That kind of activity produces a detectable pattern: unusual query volumes, off-hours access from integration accounts, and enumeration of object types not normally queried. HawkEye fuses threat intelligence with real-time behavioural monitoring, giving security teams the visibility to catch this kind of lateral movement through vendor channels before data leaves the environment.
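Detection logic for the three signals just listed, written as an added example (not HawkEye's tooling or code from the original post): it runs over a constructed set of Salesforce-style API access events for an assumed integration account, compares them against an assumed per-integration baseline, and flags off-hours access, queries against objects outside the baseline, and an hourly record-volume spike.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Salesforce-style API access events for one integration account.
# The format, account name and values are assumed, not taken from a real log.
SAMPLE_EVENTS = """\
2026-03-02T10:15:00Z klue_integration Query Account 120
2026-03-02T10:45:00Z klue_integration Query Opportunity 80
2026-03-03T03:10:00Z klue_integration Describe Case 0
2026-03-03T03:11:00Z klue_integration Query Case 5000
2026-03-03T03:12:00Z klue_integration Query Contact 4800
"""

# Baseline derived from the integration's normal activity (assumed values):
# objects it legitimately touches, usual run window in UTC hours, hourly ceiling.
BASELINE = {
    "klue_integration": {"objects": {"Account", "Opportunity"},
                         "hours_utc": (8, 19), "max_records_per_hour": 1000},
}

def parse_events(text):
    """Parse 'timestamp account operation sobject record_count' lines."""
    events = []
    for line in text.splitlines():
        ts, user, op, sobject, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "op": op, "sobject": sobject, "count": int(count)})
    return events

def detect_anomalies(events, baseline):
    """Return (account, reason) findings for the three patterns named above."""
    findings, hourly, spiked = [], defaultdict(int), set()
    for e in events:
        b = baseline.get(e["user"])
        if b is None:  # a token nobody registered is itself a finding
            findings.append((e["user"], "unknown integration account"))
            continue
        start, end = b["hours_utc"]
        if not start <= e["ts"].hour < end:
            findings.append((e["user"], f"off-hours access to {e['sobject']}"))
        if e["sobject"] not in b["objects"]:
            findings.append((e["user"], f"unexpected object {e['sobject']} via {e['op']}"))
        key = (e["user"], e["ts"].replace(minute=0, second=0))
        hourly[key] += e["count"]  # records pulled in this clock hour
        if hourly[key] > b["max_records_per_hour"] and key not in spiked:
            spiked.add(key)
            findings.append((e["user"], f"volume spike: {hourly[key]} records in one hour"))
    return findings
```

In the constructed sample the daytime Account and Opportunity queries produce no findings, while the 03:00 UTC run against Case and Contact trips all three rules.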
The Attacker Didn't Need to Hack LastPass
That’s the most significant detail about this breach. Icarus didn’t crack encryption. They didn’t social engineer a LastPass employee. They didn’t exploit a vulnerability inside LastPass’s platform. They compromised a vendor that LastPass trusted, stole the credentials that trust relationship depended on, and used them exactly as they were designed to be used.
Supply chain attacks work because they target the connections between organisations rather than the organisations themselves. A company can have strong internal security posture and still be exposed through a vendor, a contractor, or an integration that was approved years ago and hasn’t been reviewed since.
The Klue breach is a reminder that your security perimeter now extends to every third party with a live connection to your systems. The question is no longer just whether your own defences are solid. It’s whether the vendor holding an access key to your environment has secured theirs.