343/69 Thursday, June 25, 2026

LastPass has confirmed a customer data exposure involving its Customer Relationship Management (CRM) system hosted within its Salesforce environment. The incident resulted from a supply chain attack targeting Klue, a third-party competitive intelligence platform. According to the company, the threat actor known as Icarus compromised Klue’s infrastructure and stole OAuth tokens, enabling unauthorized access to connected systems without requiring traditional password-based authentication. The incident highlights the growing cybersecurity risks associated with third-party integrations and interconnected enterprise platforms.
The investigation found that the Icarus group, which has been active since late April 2026, breached Klue’s backend infrastructure to execute malicious code and extract OAuth tokens belonging to Klue customers. The stolen tokens were then used to access LastPass’s Salesforce environment and copy CRM data, including customer names, phone numbers, email addresses, physical addresses, support case information, and sales records. However, LastPass emphasized that its core services, production infrastructure, and customers’ encrypted password vaults (Customer Vaults) were not affected and remain secure. As part of its response, LastPass has rotated the affected OAuth tokens, revoked employee access to Klue, coordinated with law enforcement authorities, and shared Indicators of Compromise (IoCs) with the cybersecurity community to support detection and threat hunting efforts.
Although users’ master passwords and encrypted vault data remain secure, customers should remain vigilant against phishing and social engineering attacks, as threat actors may use the exposed contact information to conduct highly convincing scams. LastPass reiterated that its support team will never ask users for their master password under any circumstances. Organizations that rely on interconnected SaaS applications should also use this incident as an opportunity to strengthen third-party risk management by reviewing application permissions, revoking unused integrations, continuously monitoring API activity for suspicious data access, and implementing a rapid OAuth token rotation process whenever a third-party provider reports a security breach in order to reduce supply chain risk.
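One way to approach the "monitor API activity for suspicious data access" recommendation, as an added example that is not from LastPass, Klue or the source article: compare each integration's token usage against that integration's own baseline and flag new source IPs, newly accessed CRM objects, and read-volume spikes. The log schema, the integration name `intel-app`, the thresholds and all sample events are constructed assumptions, not a real vendor log format.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events in a hypothetical schema (not a real vendor log format):
# (day, integration, source_ip, crm_object, rows_returned)
EVENTS = [
    ("2026-06-01", "intel-app", "198.51.100.10", "Account", 120),
    ("2026-06-02", "intel-app", "198.51.100.10", "Account", 130),
    ("2026-06-03", "intel-app", "198.51.100.10", "Account", 110),
    ("2026-06-04", "intel-app", "198.51.100.10", "Account", 125),
    ("2026-06-04", "intel-app", "203.0.113.77", "Contact", 48000),
    ("2026-06-04", "intel-app", "203.0.113.77", "Case", 15000),
]
BASELINE_DAYS = {"2026-06-01", "2026-06-02", "2026-06-03"}

def find_suspicious(events, baseline_days, volume_factor=5):
    """Flag integration token use that departs from that integration's own baseline."""
    known_ips, known_objects = defaultdict(set), defaultdict(set)
    baseline_rows = defaultdict(lambda: defaultdict(int))  # integration -> day -> rows
    observed = defaultdict(lambda: {"rows": 0, "objects": set()})
    for day, app, ip, obj, rows in events:
        if day in baseline_days:
            known_ips[app].add(ip)
            known_objects[app].add(obj)
            baseline_rows[app][day] += rows
        else:
            observed[(day, app, ip)]["rows"] += rows
            observed[(day, app, ip)]["objects"].add(obj)

    alerts = []
    for (day, app, ip), seen in sorted(observed.items()):
        reasons = []
        if ip not in known_ips[app]:
            reasons.append("new_source_ip")
        new_objects = sorted(seen["objects"] - known_objects[app])
        if new_objects:
            reasons.append("new_objects:" + ",".join(new_objects))
        # With no baseline at all, typical is 0 and any read is flagged.
        typical = median(baseline_rows[app].values()) if baseline_rows[app] else 0
        if seen["rows"] > volume_factor * typical:
            reasons.append("volume_spike")
        if reasons:
            alerts.append({"day": day, "integration": app, "source_ip": ip,
                           "rows": seen["rows"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(EVENTS, BASELINE_DAYS):
        print(alert)
```

An alert on an integration whose provider has reported a breach is the trigger for the token rotation and integration review described above.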
Source: https://hackread.com/lastpass-customer-data-breach-klue-oauth-token/
