LastPass suffers a new data leak. Cybercriminals exploited a vulnerability in Klue, one of the company's service providers, to access information about the password manager's customers. Vaults and passwords are safe.
LastPass has once again been targeted by hackers. On June 12, 2026, the password manager was informed of a security incident at one of its service providers: Klue, a sales intelligence platform used by LastPass' marketing and sales teams. Perfectly integrated into LastPass' Salesforce environments, the platform opened the door of the infrastructure to cybercriminals. As you will have understood, this is again a supply chain attack. In this type of offensive, the hackers attack one of the weak links in the chain in order to work their way, step by step, into the system of their final target.
After investigating, LastPass discovered that hackers had managed to get their hands on authentication tokens held by Klue on behalf of several of its customers, including LastPass itself. With these temporary access keys, the hackers were able to log in to LastPass' Salesforce environment. On the servers, they quickly unearthed customer data.
What data was stolen?
The exfiltrated data includes contact information (customer names, telephone numbers, email addresses and postal addresses), as well as data related to customer support records and commercial interactions. On the other hand, the users' vaults, containing all their passwords, were not compromised. LastPass makes it clear that its products, services and infrastructure have not been affected. Passwords remain encrypted and secure, despite the intrusion.
The password manager notified affected customers by email. At the same time, a detailed press release was published on the official LastPass website. The company says that it cut off all of its employees' access to Klue and rotated the connection tokens as soon as the incident was detected. Next, LastPass launched an in-depth investigation in collaboration with Klue and Salesforce. The company also notified the relevant authorities of the cyberattack.
Targeted phishing
The stolen data is less critical than passwords, but it is not trivial. By exploiting the stolen information, cybercriminals can orchestrate targeted phishing campaigns or identity theft attempts. For example, an attacker can pose as LastPass customer service to try to extract the victim's master password, and thus steal all of their passwords. LastPass reminds customers that no employee will ever ask for their master password. If you receive a call, email or message along these lines, it is likely an attempted scam. LastPass recommends that its customers remain vigilant.
As a reminder, the company had already been hit twice by cybercriminals in recent years. In August 2022, hackers compromised the LastPass development environment and stole source code. A few months later, these same attackers used the recovered access to break into a cloud storage service and steal encrypted vault backups.
Source: LastPass
