Illustration representing the LastPass security incident where customer support data was compromised. (Illustrative AI-generated image).
- What happened: the latest LastPass breach
- What data was stolen and what wasn't
- How this compares to previous LastPass breaches
- Why it matters for LastPass users
- Context: the state of password manager security
What happened: the latest LastPass breach
LastPass, the popular password manager, announced that hackers stole customer support case data during a breach of its technology partner Klue. This marks the second major data breach for the company in recent years, raising fresh concerns about how it protects user information.
The news broke on June 23, 2026, in a report from TechCrunch. LastPass said the breach happened when attackers broke into systems belonging to Klue, a company that LastPass used as a tech partner. Klue provides software that helps companies manage customer support cases. The attackers got access to some of LastPass’s customer support data through that partnership.
Klue is not a household name like LastPass, but it plays an important role in how LastPass handles customer service requests. When LastPass users contact support with questions or problems, their case details get stored in Klue’s systems. That is where the breach took place.
LastPass has not said exactly how Klue got hacked. The company is still investigating the incident. But early reports suggest the attackers found a way into Klue’s network and then accessed data tied to LastPass.
This breach is separate from earlier incidents that hit LastPass in 2022 and 2023. Those breaches were much bigger and more damaging. But this new breach shows that security problems at LastPass have not gone away.
The company has not released a specific number of affected customers. It is not yet clear how many people’s support case data was stolen. LastPass said it is working with Klue and outside security experts to understand the full scope of the breach.
LastPass users who have contacted customer support in recent months may be at higher risk. But anyone who has ever opened a support ticket with the company could potentially be affected.
The breach comes at a tough time for LastPass. The company has been trying to rebuild trust after the earlier breaches. Many users left the service after those incidents. This new breach could push more people to switch to other password managers.
What data was stolen and what wasn’t
LastPass said the stolen data comes from customer support cases. That means it includes information that users provided when they contacted LastPass for help.
Customer support case data typically includes details like names, email addresses, phone numbers, and descriptions of the problem the user was having. It might also include account information such as the date a LastPass account was created or the type of subscription a user has.
In some cases, support conversations might reference which websites or services a user stores passwords for. But LastPass said the stolen data does not include any encrypted password vaults or master passwords.
That is a key point. Your master password is the single password you use to unlock your LastPass vault. That vault contains all your other passwords, encrypted. If hackers got those, they could try to crack the encryption and steal all your online login details.
LastPass has been clear that master passwords and vaults were not taken in this breach. The company said the attack only affected customer support systems, not the core password storage systems.
Still, the stolen data could be used in harmful ways. Hackers might use names and email addresses to send convincing phishing emails. They might pretend to be LastPass support staff and ask for more personal information. They could also try to use details from support cases to guess security answers or trick users into revealing their master passwords.
LastPass said no payment information or credit card numbers were taken. The company does not store full payment details in its support systems. That reduces the financial risk for users.
But the breach still exposes personal information that many people would prefer to keep private. Support cases sometimes contain sensitive details about a user’s online habits or security concerns. Hackers could use that information for targeted attacks.
How this compares to previous LastPass breaches
LastPass has had a troubled security history. The company suffered two major breaches in 2022 and 2023 that were far worse than this latest incident.
In 2022, LastPass disclosed that hackers broke into its systems and stole encrypted password vaults. That breach was massive. It exposed the encrypted data of millions of users. The attackers also stole source code and proprietary technical information from the company.
In 2023, more details emerged. The 2022 breach turned out to be part of a larger attack. Hackers used information from the first breach to access a LastPass employee’s home computer and then steal vault data. The full extent of that breach took months to uncover.
Those earlier incidents led to lawsuits from angry customers. People accused LastPass of not doing enough to protect their data. Some users left the service entirely. The company’s reputation took a serious hit.
The current breach is different in several ways. First, it did not hit LastPass directly. It hit Klue, a partner company. That means the attack surface was smaller. Hackers did not need to break into LastPass’s own systems. They found a weaker link in the chain: Klue.
Second, the type of data stolen is less sensitive. Customer support case data does not include the encrypted password vaults that were stolen in 2022. That is a significant difference. The 2022 breach put user passwords at risk of being cracked over time. This breach puts personal information at risk, but not the passwords themselves.
Third, the scope appears smaller. LastPass has not reported that millions of users were affected. The company has not said the number is small either, but early signs point to a more limited incident.
But the similarity is troubling. Both breaches involved third parties. In 2022, the attacker used a vulnerability in a LastPass employee’s home software. In this case, the attacker used a vulnerability in Klue’s systems. Both times, LastPass’s security was only as strong as its weakest link.
The pattern raises questions about how LastPass vets and monitors its partners. If a hacker can get in through a partner’s system, then LastPass’s own security measures do not matter much.
Why it matters for LastPass users
For current LastPass users, this breach is worrying for several reasons. Even though master passwords and vaults were not stolen, the personal information that was taken can still cause problems.
Phishing attacks are a real concern. Hackers now have names and email addresses of LastPass customers who contacted support. They can use that information to send emails that look like they come from LastPass. Those emails might ask users to click a link or download a file. If users do, they could give away their master password or install malware on their computers.
LastPass users should be extra careful about any emails that claim to be from LastPass. Do not click links in unexpected emails. Go directly to the LastPass website by typing the address into your browser. If something seems off, contact LastPass through its official support channels, not through the email.
Users should also watch for phone calls from people claiming to be LastPass support. Scammers might use information from support cases to sound convincing. They might reference a problem you reported in the past. Remember that legitimate companies rarely call customers out of the blue about security issues.
For users who have not contacted LastPass support, the risk is lower. But it is not zero. If your name and email are associated with a LastPass account in any way, you could still be targeted.
This breach also damages trust. LastPass promised users after the 2022 breach that it was improving security. The company said it was adding more safeguards, hiring better security experts, and changing how it handles data. This new breach suggests those efforts may not be enough.
Some users may decide to leave LastPass entirely. Switching password managers is not easy, but it is possible. Many competitors offer tools to import passwords from LastPass. Popular alternatives include Bitwarden, 1Password, and Apple’s iCloud Keychain. Each has different security models and features.
But users should not panic. The stolen data is not your passwords. It is personal information that scammers could misuse, but you can protect yourself by staying alert and following basic security practices.
LastPass has not announced free credit monitoring or identity theft protection for affected users. The company may offer such services later as the investigation continues.
Context: the state of password manager security
Password managers like LastPass are designed to make life easier for users. Instead of remembering dozens of different passwords, you remember just one master password. The password manager stores all your other passwords securely and fills them in for you automatically.
But password managers also become a single point of failure. If a hacker gets access to your password manager, they get access to all your accounts. That is why security is so critical for these services.
LastPass is not the only password manager to face security issues. In recent months, other companies have also reported breaches. Dashlane, another popular password manager, said hackers stole some customers’ password vaults. That breach was also reported by TechCrunch. It showed that even big-name password managers can have vulnerabilities.
Microsoft faced its own password-related security incident. Hackers used Microsoft’s open source tools to steal passwords from AI developers. That attack targeted a specific group, but it highlighted how passwords remain a weak link in security.
Even the U.S. government’s cybersecurity agency, CISA, got caught mishandling passwords. A TechCrunch report revealed that CISA exposed reams of passwords and cloud keys to the open web. That incident showed that even organizations whose job is to protect data sometimes fail at basic security.
Google also announced it is shutting down its “dark web report” feature in February. That tool helped users find if their passwords had been leaked online. Its removal means users will have fewer ways to check if their data has been exposed.
All these incidents point to a broader problem. Passwords are still the most common way people secure their online accounts, but they are also the most attacked. Hackers are constantly finding new ways to steal them. Companies that store passwords, whether they are password managers or cloud providers, face constant pressure to keep them safe.
The LastPass breach is part of this larger story. It is not an isolated event. It is one more example of how difficult it is to secure sensitive data in a world where hackers never stop trying.
For users, the lesson is to not rely on any single service completely. Use different passwords for different accounts when possible. Enable two-factor authentication on important accounts. Consider using a hardware security key for extra protection. And always be cautious about emails or messages that ask for personal information.
What happens next
LastPass and Klue are both investigating the breach. They are working with outside cybersecurity experts to determine exactly how the attack happened and what data was taken.
LastPass said it is notifying affected customers. The company has not yet said whether it will offer credit monitoring or identity theft protection. It may announce those steps as the investigation progresses.
Klue is also conducting its own investigation. The company has not made a public statement about how the breach happened or what changes it is making to prevent future incidents.
Legal consequences could follow. The 2022-2023 breaches led to several lawsuits against LastPass. Some of those lawsuits are still ongoing. This new breach could lead to more legal action from customers who feel the company did not learn from its mistakes.
Regulatory consequences are also possible. Depending on where affected customers live, data protection laws may require LastPass to report the breach to authorities. In Europe, the GDPR requires companies to report breaches within 72 hours. In the U.S., state laws vary. LastPass may face fines or penalties if it failed to follow proper procedures.
For LastPass users, the immediate steps are clear. Change your master password if you have not done so recently. Enable two-factor authentication if you have not already. Be extra cautious about emails and calls claiming to be from LastPass. And consider whether you want to stay with LastPass or switch to another password manager.
LastPass has a long road ahead to rebuild trust. The company has now suffered multiple breaches, each eroding confidence in its ability to protect user data. This second major breach in a few years suggests that LastPass’s security problems run deeper than a single fix can solve.
The password manager industry as a whole may also face more scrutiny. If companies like LastPass and Dashlane cannot keep user data safe, regulators may step in with stricter rules. Users may also start looking for alternative ways to manage passwords, such as offline or open-source solutions.
But for now, the most important thing is for affected users to protect themselves. Stay alert, stay informed, and do not let your guard down. The hackers who stole this data are counting on you to not notice or not care. Do not give them that chance.
LastPass said it will share more information as the investigation continues. The company urged users to visit its official website for updates rather than rely on unofficial sources. That is good advice, as long as you make sure you are on the real LastPass website and not a fake one.
This story is still developing. More details about the Klue breach and the full impact on LastPass users will likely emerge in the coming days and weeks. For now, the main takeaway is simple: a second LastPass breach has occurred, this time through a partner, and users should take steps to protect themselves.
Frequently Asked Questions
What happened in the latest LastPass data breach?
Hackers stole customer support case data from LastPass by breaching its technology partner, Klue. This incident is separate from previous, larger breaches the company experienced.
When did this latest LastPass breach occur?
The news of the breach broke on June 23, 2026. The actual incident happened when attackers gained access to Klue's systems.
What kind of data was stolen in this breach?
The stolen data includes information from customer support cases, such as names, email addresses, phone numbers, and descriptions of user problems. It may also include account details like subscription type.
Were any password vaults or master passwords stolen?
No, LastPass has stated that encrypted password vaults and master passwords were not taken in this breach. The attack only affected customer support systems.
Who is Klue and how are they involved?
Klue is a technology partner that LastPass used for managing customer support cases. The hackers gained access to LastPass's data by breaking into Klue's systems.
How does this breach compare to previous LastPass incidents?
This breach is different because it involved a partner company, Klue, and the data stolen was less sensitive than the encrypted password vaults taken in earlier breaches.
What are the potential risks for users from this breach?
Hackers could use the stolen support data for phishing attacks or to trick users into revealing more personal information. They might also use case details to guess security answers or master passwords.
