LastPass data breach confirmed: Everything we know so far

A security breach at a third-party vendor has exposed customer data belonging to LastPass, the company confirmed this week, in the latest incident to put the beleaguered password manager back in the spotlight.

LastPass confirmed this week that hackers gained access through a company called Klue, a market intelligence tool that LastPass uses internally to track competitors and manage sales relationships. According to LastPass, an unauthorized actor obtained OAuth tokens that Klue held on behalf of its customers and used them to access LastPass customer data within its Salesforce environment.

The exposed information was limited to names, phone numbers, email addresses, physical addresses, and sales-related records. LastPass was emphatic that its core products and customer vaults, meaning passwords, were not affected.

The breach was not limited to LastPass. As BleepingComputer reported, a newly emerged extortion group calling itself Icarus has publicly claimed responsibility for the attack, describing it as a broad operation targeting multiple Klue customers. According to BleepingComputer's reporting, cybersecurity firms Huntress and ReliaQuest found that attackers exploited a compromised legacy credential to obtain OAuth tokens, then used Python scripts to query Salesforce's API and conduct large-scale data theft across numerous organizations. Confirmed victims include Recorded Future, Tanium, Jamf, Sprout Social, and Gong, among others.

Icarus is reportedly pressuring affected companies to make contact via the Session messaging platform or risk having their stolen data published.

LastPass says it has revoked Klue's access, notified law enforcement, and is cooperating with the broader security community through its internal threat intelligence team.

The company urged customers to remain alert to phishing and social engineering attempts that could exploit the exposed contact data. It reminded users that LastPass will never ask for a master password.