LastPass has disclosed that customer contact and CRM data were exposed after attackers abused stolen OAuth tokens in a supply chain attack targeting third party intelligence platform Klue.
Quick Summary – TLDR:
- LastPass confirmed unauthorized access to customer CRM data stored in its Salesforce environment.
- Attackers allegedly stole OAuth tokens from Klue and used them to access customer records.
- Customer vaults, master passwords, products, and infrastructure were not affected.
- The incident has been linked to the Icarus extortion group, which has reportedly targeted multiple Klue customers.
What Happened?
LastPass has confirmed that attackers gained access to customer information after compromising Klue, a market intelligence platform used by the company’s Go To Market teams. The attackers allegedly obtained OAuth tokens managed by Klue and used them to access data stored in Salesforce environments belonging to multiple organizations, including LastPass.
The company says its investigation found no evidence that customer vaults, encrypted data, products, services, or infrastructure were compromised during the incident.
🚨 LastPass hit by Klue supply chain attack
— BreachWatcher (@BreachWatcher) June 23, 2026
Read it here: https://t.co/1FHXt4dpYE
Incidents like this show why continuous credential & breach monitoring matters.
Attackers Used Stolen OAuth Tokens to Access Salesforce Data
According to LastPass, it was notified about the Klue security incident on June 12, 2026. Klue integrates with both Salesforce and Gong, allowing organizations to manage sales intelligence and customer engagement data across platforms.
The company said attackers obtained OAuth tokens that Klue maintained on behalf of customers. By using these credentials, the threat actors were able to authenticate as a legitimate integration and access customer data stored within Salesforce environments.
This type of attack highlights a growing cybersecurity concern where attackers target trusted third party providers to gain access to downstream customers. Instead of attacking an organization directly, threat actors compromise a vendor and abuse existing integrations to bypass traditional security controls.
What Data Was Exposed?
LastPass said the exposed information was limited to business contact and CRM records.
The potentially exposed data includes:
- Customer names
- Email addresses
- Phone numbers
- Physical mailing addresses
- Support case information
- Sales related records
The company emphasized that customer vault contents, encrypted passwords, and master passwords were not exposed.
LastPass also stated that its investigation found no evidence that attackers accessed data from its Gong environment, which can contain customer communications and call records.
Researchers Link Incident to Icarus Extortion Campaign
Security researchers investigating the breach say the campaign appears to have affected multiple organizations that relied on Klue integrations.
Researchers at ReliaQuest reported that attackers used compromised Klue integration accounts to generate OAuth tokens and harvest data through Salesforce APIs. The attackers allegedly used automated tools to enumerate Salesforce objects and perform large numbers of API requests to collect customer information.
The campaign has been claimed by a threat group known as Icarus, which has reportedly published stolen data from several affected organizations on its leak site and sent extortion demands to victims.
Huntress reported that attackers may have initially gained access to Klue’s infrastructure through legacy credentials tied to an older integration project. Once inside, they allegedly deployed code designed to collect OAuth tokens from customer environments.
Several well known organizations, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity, and LastPass, have been identified as impacted by the broader Klue incident.
Salesforce and LastPass Respond
Salesforce previously confirmed that it disabled the Klue Battlecards application connection after detecting suspicious activity associated with the integration. The company stated that the issue originated within Klue’s environment and was not the result of a vulnerability in Salesforce itself.
LastPass has since taken several remediation steps, including:
- Disabling employee access to Klue.
- Rotating compromised API and OAuth tokens.
- Conducting an investigation with Klue and Salesforce.
- Notifying law enforcement authorities.
- Sharing threat intelligence through its Threat Intelligence, Mitigation, and Escalation team.
The company says remediation efforts have been completed and that affected systems have been secured.
Customers Urged to Watch for Phishing Attempts
Although highly sensitive password vault data was not exposed, cybersecurity experts warn that stolen contact information can still be valuable to attackers.
Threat actors may use customer names, email addresses, phone numbers, and support related information to craft convincing phishing emails, phone scams, or social engineering attacks.
LastPass is advising customers to remain cautious when receiving unsolicited messages and reiterated that it will never ask users to share their master password.
The company also highlighted suspicious domains and infrastructure associated with the campaign and encouraged customers to trust only communications received through official LastPass support channels.
SQ Magazine Takeaway
I think this incident is another reminder that even when a company secures its own infrastructure, risk can still come through trusted third party integrations. The most important takeaway is that LastPass vaults and master passwords remain secure, but the exposure of customer contact data creates opportunities for phishing and fraud. As organizations continue to connect more cloud services together, attacks targeting OAuth tokens and software integrations are becoming one of the biggest security challenges facing the industry.
