Password manager LastPass says a supply chain attack involving third-party vendor Klue exposed customer contact and support information, though customer vaults and stored credentials were not affected.
Exposed customer data could fuel phishing attacks
An unauthorized actor accessed LastPass’s Salesforce environment using OAuth tokens stolen from third-party vendor Klue. The breach exposed sensitive customer details including names, phone numbers, and support records.
The incident was limited to systems integrated with Klue and didn’t affect LastPass products, infrastructure, or services.
Klue disclosed on June 22 that someone gained access through a compromised legacy credential tied to an integration service. The intrusion led to the theft of OAuth tokens used to connect Klue with third-party platforms, including Salesforce.