LastPass Discloses Third-Party Supply Chain Attack Exposing Customer Data

Tech News

Password management giant LastPass has disclosed yet another security incident, this time stemming from a supply chain attack that leveraged a compromised third-party integration to gain access to sensitive customer data.

The breach, reported by AppleInsider on June 23, originated through Klue — a competitive intelligence platform used by LastPass as a third-party vendor. According to LastPass’s disclosure, attackers obtained a stolen OAuth token belonging to Klue, which they then used to penetrate LastPass’s Salesforce environment. This gave the intruders access to data housed within the company’s customer support and sales systems.

The exposed information includes customer names, phone numbers, email addresses, physical addresses, support case details, and sales-related customer relationship management (CRM) data. LastPass moved quickly to contain the damage, rotating all affected access tokens, revoking employee access to the Klue integration, and launching a formal investigation. Law enforcement has also been notified.

LastPass was careful to emphasize that its core infrastructure — including its password management products, backend services, encrypted password vaults, and all stored credentials — was not compromised in the incident. The breach was strictly confined to the Klue-integrated systems within Salesforce.

On Klue’s side, the company has revoked the compromised credentials and OAuth tokens, stripped out any unauthorized code found in its systems, and disabled the affected integration entirely.

This incident marks another chapter in a difficult security track record for LastPass. The company was fined £1.2 million in the UK after a previous breach exposed the data of approximately 1.6 million British users, and it has faced sustained scrutiny over the security architecture of its password management platform. The Klue incident, while narrower in scope, reinforces the persistent challenge that supply chain relationships pose to even security-hardened organizations — a single compromised vendor token can open doors that would otherwise remain firmly shut.