LastPass Confirms Customer Data Exposure in Klue Supply Chain Attack


LastPass has confirmed that attackers accessed customer data from its Salesforce environment after stealing OAuth tokens from Klue, a third-party market intelligence platform used by the company’s go-to-market teams.

In its response, LastPass said its products, services, infrastructure, and customer vaults were not affected. The company also said it found no evidence that Gong-related data was accessed.

The incident is part of a wider Klue supply chain attack that affected multiple organizations connected through Klue integrations. The exposed LastPass data was limited to business contact and CRM-related information, not password vault contents.

What Happened in the Klue Attack

Klue said it identified unauthorized activity affecting part of its integration infrastructure on June 12, 2026. The company said the attacker gained access through a compromised legacy credential tied to an integration service.

That access allowed the attacker to obtain OAuth tokens used to connect Klue with third-party platforms, including Salesforce. With those tokens, the attacker could access data inside connected customer environments.

Salesforce later disabled the Klue Battlecards app connection. In a Salesforce status notice, the company said the issue was limited to Klue’s app connection and did not come from a vulnerability in the Salesforce platform.

| Company | What was affected | What was not affected |
|---|---|---|
| LastPass | Salesforce CRM data accessed through stolen Klue OAuth tokens | LastPass vaults, products, services, and infrastructure |
| Klue | Integration infrastructure and OAuth tokens for connected platforms | Klue said it found no evidence that customer content stored inside Klue was affected |
| Salesforce | Customer CRM data accessed through the Klue app connection | Salesforce said the issue did not arise from a Salesforce platform vulnerability |

What LastPass Customer Data May Have Been Exposed

The exposed information came from LastPass’s Salesforce environment. LastPass described it as standard business contact information and customer relationship management data.

This type of data can still help attackers. Names, emails, phone numbers, physical addresses, support case information, and sales records can make phishing emails and phone scams more convincing.

LastPass said customers should remain cautious about unsolicited messages, calls, or requests for sensitive details. The company also reminded users that no LastPass employee will ever ask for a master password.

  • Customer names
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Support case data
  • Sales and CRM-related data

Why OAuth Tokens Made the Attack Possible

OAuth tokens allow applications to connect to cloud services without repeatedly asking for a password. That makes them useful for business integrations, but also dangerous if stolen.

In this case, the attacker did not need to compromise Salesforce directly. The stolen tokens let the attacker act through a trusted integration path.

ReliaQuest said the broader Klue activity involved automated Salesforce REST API queries and bulk CRM extraction. Its analysis described a pattern where a trusted integration became a data access path that security teams may monitor less closely than employee accounts.

| Risk area | Why it matters |
|---|---|
| OAuth token theft | Tokens can provide access without a user password or MFA challenge |
| Third-party integrations | Connected apps may hold broad access to CRM systems |
| CRM data | Salesforce records often include business contacts, support details, and deal data |
| Social engineering | Stolen contact details can make phishing and phone scams more believable |

Klue Attack Hit Multiple Organizations

The LastPass disclosure follows a series of notices from other Klue customers. SecurityWeek reported that at least nine organizations had publicly acknowledged impact, including HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity, and Sprout Social.

Huntress was among the first companies to publish a detailed public account. In its investigation write-up, Huntress said the data copied from its Salesforce account included business contacts, price quotes, sales-related data, and messaging, but not threat data, passwords, payment card information, or engineering data.

The broader pattern shows how one compromised SaaS integration can ripple across many customers. When a vendor stores tokens that connect to customer platforms, that vendor becomes part of each customer’s attack surface.

Icarus Claimed the Klue Incident

The extortion group Icarus claimed responsibility for the Klue attack and threatened to publish data stolen from Klue customer Salesforce environments.

According to the Huntress write-up, Icarus listed Klue on its leak site and referenced Salesforce data from companies connected to Klue. Huntress also said some employees received extortion emails after the incident.

SecurityWeek’s report said affected companies generally described the incident as limited to Salesforce or CRM data, not their core products or infrastructure.

LastPass Response and Customer Guidance

LastPass said it discontinued employee access to Klue, rotated exposed API access tokens, launched a detailed investigation with Klue and Salesforce, and notified law enforcement.

In the same LastPass notice, the company listed indicators tied to the campaign, including IP addresses and sender domains used in suspicious communications.

Customers should trust only official LastPass support channels and avoid responding to unexpected requests for account details, payment information, security codes, or master passwords.

  • Do not share your LastPass master password with anyone.
  • Be cautious with unexpected emails and phone calls claiming to reference LastPass support cases.
  • Check sender domains carefully before clicking links or replying.
  • Contact LastPass through official support channels if a message seems suspicious.
  • Watch for targeted phishing that uses real names, phone numbers, addresses, or support details.

Indicators Shared by LastPass

The following indicators were included in LastPass’s public notice. Security teams can use them for investigation and blocking, but they should also monitor for new infrastructure because attackers can change domains and IP addresses quickly.


What Companies Should Learn From the Incident

The Klue incident shows why third-party SaaS integrations need the same level of attention as employee accounts. OAuth tokens, API keys, and integration service accounts can provide direct access to sensitive business systems.

ReliaQuest’s analysis recommends treating third-party app access as part of the attack surface. Companies should inventory integrations, scope permissions to least privilege, monitor token use, and investigate unusual API activity.

Klue’s update said the company revoked affected credentials and tokens, removed unauthorized code, disabled potentially impacted integrations, engaged CrowdStrike, and notified law enforcement.

Organizations using Salesforce and similar CRM platforms should review connected apps, revoke unused integrations, rotate tokens after vendor incidents, and alert on bulk API queries that do not match normal business activity. Salesforce’s Klue integration notice shows how quickly one connected app can affect many customers when trust is abused.
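The bulk-extraction pattern ReliaQuest describes and the recommendation above to alert on bulk API queries, as an added detection example that is not code from LastPass, ReliaQuest, Klue or Salesforce: it groups constructed API-usage events by connected app, slides a ten-minute window over each app's queries, and flags any app whose row volume or query count exceeds a threshold. The event line format, field names, app names and thresholds are assumptions made for this example, not Salesforce's real event log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API events; line format and field names are assumptions, not Salesforce's schema.
SAMPLE_EVENTS = [
    "2026-06-12T02:10:05Z app=klue_battlecards entity=Contact rows=2000",
    "2026-06-12T02:11:09Z app=klue_battlecards entity=Contact rows=2000",
    "2026-06-12T02:12:14Z app=klue_battlecards entity=Account rows=2000",
    "2026-06-12T02:13:20Z app=klue_battlecards entity=Case rows=2000",
    "2026-06-12T02:14:31Z app=klue_battlecards entity=Opportunity rows=2000",
    "2026-06-12T02:15:44Z app=klue_battlecards entity=Opportunity rows=2000",
    "2026-06-12T02:12:00Z app=marketing_sync entity=Lead rows=40",
    "2026-06-12T03:30:00Z app=marketing_sync entity=Lead rows=35",
]

def parse_event(line):
    """Parse one constructed event line into a dict with a timezone-aware timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "app": fields["app"], "entity": fields["entity"],
            "rows": int(fields["rows"])}

def find_bulk_extraction(lines, window=timedelta(minutes=10),
                         max_rows=5000, max_queries=5):
    """Return one alert per connected app whose busiest sliding window
    exceeds either the row-volume or the query-count threshold."""
    per_app = defaultdict(list)
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        per_app[ev["app"]].append(ev)
    alerts = []
    for app, evs in per_app.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # shrink window
                start += 1
            chunk = evs[start:end + 1]
            rows = sum(e["rows"] for e in chunk)
            if best is None or rows > best["rows"]:  # keep the busiest window
                best = {"app": app, "rows": rows, "queries": len(chunk),
                        "entities": sorted({e["entity"] for e in chunk}),
                        "from": chunk[0]["ts"].isoformat(),
                        "to": chunk[-1]["ts"].isoformat()}
        if best["rows"] >= max_rows or best["queries"] >= max_queries:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_extraction(SAMPLE_EVENTS):
        print("ALERT", alert)
```

On the constructed input only the integration app trips the thresholds; the low-volume app stays below both, which is the baseline a team would tune per connected app.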

FAQ

Was LastPass hacked directly?

LastPass says its products, services, infrastructure, and customer vaults were not affected. The exposed data came from its Salesforce environment after attackers obtained Klue OAuth tokens.

Were LastPass customer vaults exposed?

No. LastPass says customer vaults remain secure and were not affected by the Klue supply chain incident.

What LastPass data may have been exposed?

The exposed data may include customer names, phone numbers, email addresses, physical addresses, support case information, and sales or CRM-related data from LastPass’s Salesforce environment.

What is the Klue supply chain attack?

The Klue supply chain attack involved unauthorized access to Klue integration infrastructure through a compromised legacy credential. Attackers obtained OAuth tokens used to connect Klue to third-party platforms, including Salesforce, and accessed data in connected customer environments.

What should LastPass customers do now?

Customers should watch for phishing and social engineering attempts, avoid unsolicited requests for sensitive information, use only official LastPass support channels, and never share their master password with anyone.
