Illustration representing the LastPass data breach linked to the Klue supply chain attack. (Illustrative AI-generated image).
- Hackers breached LastPass’s customer CRM and support data by attacking its third-party vendor, Klue.
- The attackers stole OAuth tokens from Klue, which granted them access to LastPass’s Salesforce environment.
- Crucially, no LastPass user vault data, including stored passwords or encrypted secrets, was accessed or compromised in this incident.
- The stolen information includes customer names, email addresses, and support ticket details, which could be used for phishing attacks.
- LastPass has revoked the compromised tokens and is notifying affected customers, while advising users to enable 2FA and be wary of phishing attempts.
- This supply chain attack underscores the significant security risks associated with third-party vendors and the need for robust vendor security management.
What Happened: The LastPass Klue Supply Chain Attack
LastPass has confirmed that hackers stole customer CRM and support data by breaking into a third-party vendor, Klue, and stealing its OAuth tokens. Security experts classify this as a supply chain attack: instead of breaking into LastPass directly, the attackers went after a partner company that LastPass trusted.
Klue is a company that makes Salesforce integration tools. Many businesses use Klue to connect their customer support and sales data with Salesforce, a popular customer relationship management (CRM) platform. LastPass used Klue to manage parts of its customer support system.
Attackers broke into Klue’s systems and stole digital keys called OAuth tokens. These tokens belonged to LastPass and gave the holder access to LastPass’s Salesforce environment. Once the attackers had these tokens, they could enter LastPass’s Salesforce account as if they were an authorized employee.
The breach was first reported by BleepingComputer, a cybersecurity news site. Multiple other outlets quickly picked up the story. All of them reported the same basic facts: the attack came through Klue, not through a weakness in LastPass’s own systems.
This is not the first time LastPass has been in the news for a security problem. In 2022, the company suffered two major breaches that exposed encrypted vaults of customer passwords. This new incident is different, as it did not touch the vaults at all. However, it still worries security experts because it shows how a trusted vendor can become a gateway for attackers.
Klue has not released a full public statement about how the attackers got in, but the basic timeline is clear. Someone broke into Klue, found OAuth tokens for LastPass, used them to enter LastPass’s Salesforce system, and then stole customer data.
Supply chain attacks like this are becoming more common. Hackers know that big companies like LastPass invest heavily in their own security. By targeting smaller vendors with potentially weaker defenses, attackers can reach the big company’s data without having to break through its own firewalls.
How Attackers Used OAuth Tokens to Access LastPass
OAuth tokens are digital keys that let services communicate with each other on a user's or an organisation's behalf. When you log into a website using your Google account, the site receives an OAuth token that proves Google has verified you, so your Google password is never shared with the site. Companies use the same mechanism to connect different software tools.
In this case, LastPass had given Klue an OAuth token. This token allowed Klue to access LastPass’s Salesforce environment to help manage customer support tickets and sales data. The token was stored on Klue’s systems. When attackers broke into Klue, they found and took that token.
With the stolen token, attackers did not need a username or password to access LastPass’s Salesforce. They could use the token directly, like having a key to a locked door. They did not need to pick the lock; they simply used the key to get in.
LastPass announced that it has revoked the compromised OAuth tokens, meaning the digital keys no longer work. Even if the attackers still possess them, they cannot use them to access LastPass’s Salesforce. However, the attackers had already copied customer data before LastPass detected the breach.
Security researchers have warned about the dangers of OAuth tokens for years, noting they are powerful and often poorly protected. If a token has broad permissions, stealing it can grant an attacker access to a large amount of sensitive data.
In this attack, the OAuth token granted access to LastPass’s Salesforce CRM and support environment. This is a significant amount of data, but importantly, the token did not provide access to LastPass’s password vaults. Those vaults are stored separately with their own encryption and access controls, and the attackers never reached them.
Other companies have also been affected through Klue. While the full list of affected Klue customers is not public, the attack appears to have targeted multiple Salesforce integration users. LastPass may have been the most prominent name affected, but likely not the only one.
What Data Was Stolen – and What Remained Safe
LastPass confirmed that the stolen data includes customer CRM and support information. This means names, email addresses, phone numbers, and details about customer support tickets. If you contacted LastPass for help or if your account was managed through their Salesforce system, your information could be among the stolen data.
Typical CRM data includes customer names, company names, email addresses, phone numbers, job titles, and notes from support conversations. It may also include timestamps of customer interactions and reported issues.
Crucially, LastPass stated that no vault data was compromised. This means attackers did not access any stored passwords, credit card numbers, or other sensitive secrets that LastPass users keep in their vaults. Those vaults remain encrypted and were never accessed.
Master passwords were also safe. LastPass does not store master passwords; they are known only to the user. Even if attackers had breached the vault system, they would not have obtained master passwords; each encrypted vault would have to be cracked individually by guessing its master password.
LastPass is notifying affected customers via email. The company is also working with law enforcement and security experts to investigate the incident further.
For current LastPass users, this breach is less alarming than the 2022 incidents where encrypted vault data was stolen, posing a risk if users had weak master passwords. This time, the stolen data pertains to user identity and interactions with LastPass, not the secrets stored within vaults.
However, any leak of customer data is a concern. Names and email addresses can be used for phishing attacks. Scammers could send convincing emails pretending to be from LastPass, using the stolen information to trick users into clicking malicious links or providing sensitive details.
LastPass’s Response and User Recommendations
LastPass responded promptly upon discovering the breach by revoking the stolen OAuth tokens, immediately cutting off the attackers’ access to the Salesforce environment. They also began notifying customers whose data was affected.
The company is working with Klue to understand how the attackers gained entry and to prevent similar attacks in the future. While no specific changes to vendor security policies have been announced, security experts anticipate such updates.
LastPass users should take several practical steps. First, be vigilant for phishing emails. Scammers might use the stolen data for targeted attacks. Avoid clicking links in unsolicited emails; navigate directly to the LastPass website by typing the address into your browser.
Second, enable two-factor authentication (2FA) on your LastPass account if you haven’t already. This adds an extra security layer, requiring a second code from your phone or an app to log in, even if your master password is compromised.
Third, consider changing your master password if it hasn’t been updated recently. Always use a strong, unique password for your LastPass account, ideally managed by a password manager.
Fourth, review your account activity in LastPass, which shows recent login attempts and device access. Report any suspicious activity to LastPass support immediately.
Finally, remember that this breach does not directly affect the security of your stored passwords. Your vault data remains safe. However, the stolen CRM data could be used in social engineering attacks. Stay alert and trust your instincts; if an email or call seems suspicious, it likely is.
Why This Matters for Third-Party Security
This incident highlights the growing problem of third-party risk in cybersecurity. Companies invest heavily in their own security but rely on vendors for software and services. These vendors may not have the same level of security, potentially storing sensitive information like OAuth tokens insecurely.
Attackers increasingly target these vendors, knowing they might have weaker defenses, to gain access to larger companies. Supply chain attacks via OAuth tokens are becoming more common, with attackers using stolen tokens to access target systems.
For Klue, this incident raises questions about its security practices, including how attackers gained entry and whether OAuth tokens were stored securely. The company’s investigation is ongoing.
For LastPass, this serves as a reminder that security is only as strong as its weakest link. Companies must carefully vet their vendors, limit the permissions granted to third-party tools, and regularly audit those permissions.
Some security experts suggest using short-lived OAuth tokens that expire quickly, limiting the window of opportunity if a token is stolen. Others recommend closely monitoring token usage and revoking any tokens that are not actively needed.
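As an added illustration (not code from LastPass, Klue or Salesforce), the following Python review applies the controls just described, and the earlier point about over-broad token permissions, to a constructed inventory of vendor integration tokens: it flags tokens with no or long expiry, over-broad scopes, tokens idle past a revocation threshold, and tokens used from outside the IP ranges the vendor declared, which is the usage signal that a token has left the vendor's hands. The thresholds, scope names, vendor names, IP ranges and audit-log entries are all assumptions.

```python
# Added example (not LastPass, Klue or Salesforce code): policy review of third-party OAuth tokens.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
MAX_LIFETIME = timedelta(hours=24)        # assumed policy: vendor tokens must be short-lived
IDLE_REVOKE_AFTER = timedelta(days=30)    # assumed policy: unused for 30 days -> revoke
BROAD_SCOPES = {"full", "refresh_token"}  # assumed: scopes too broad for a support integration
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)  # fixed "now" so the review is reproducible

@dataclass
class VendorToken:
    vendor: str
    scopes: set[str]
    issued_at: datetime
    expires_at: datetime | None                # None = the token never expires
    egress: list[str]                          # CIDR ranges the vendor says it calls from
    uses: list[tuple[datetime, str]] = field(default_factory=list)  # audit log: (when, source IP)

def review(tok: VendorToken, now: datetime) -> list[str]:
    """Return policy findings for one vendor token; an empty list means nothing to act on."""
    findings = []
    if tok.expires_at is None or tok.expires_at - tok.issued_at > MAX_LIFETIME:
        findings.append("long-lived")
    broad = tok.scopes & BROAD_SCOPES
    if broad:
        findings.append("over-scoped:" + ",".join(sorted(broad)))
    last_used = max((ts for ts, _ in tok.uses), default=tok.issued_at)
    if now - last_used > IDLE_REVOKE_AFTER:
        findings.append("idle")
    nets = [ip_network(c) for c in tok.egress]
    for ts, src in tok.uses:                   # use from outside the vendor's declared ranges
        if not any(ip_address(src) in n for n in nets):   # is the signal that a token leaked
            findings.append(f"used-outside-vendor-egress:{src}@{ts.date().isoformat()}")
    return findings

def review_all(tokens: list[VendorToken], now: datetime) -> dict[str, list[str]]:
    return {t.vendor: review(t, now) for t in tokens}

def sample_inventory() -> list[VendorToken]:  # constructed: one healthy token, one bad one
    return [
        VendorToken("ticketing-sync", {"api"}, NOW - timedelta(hours=2), NOW + timedelta(hours=22),
                    ["203.0.113.0/24"], [(NOW - timedelta(hours=1), "203.0.113.7")]),
        VendorToken("crm-connector", {"api", "full", "refresh_token"},
                    datetime(2023, 6, 1, tzinfo=timezone.utc), None, ["198.51.100.0/24"],
                    [(datetime(2023, 11, 2, tzinfo=timezone.utc), "198.51.100.9"),
                     (datetime(2023, 12, 20, tzinfo=timezone.utc), "192.0.2.44")]),
    ]
```

Calling `review_all(sample_inventory(), NOW)` returns no findings for the short-lived, narrowly scoped token and four for the other: long-lived, over-scoped, idle, and one use from an address outside the vendor's declared ranges.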
The attack also underscores the importance of having a robust incident response plan. LastPass’s ability to revoke tokens quickly and notify customers demonstrates effective crisis management. However, prevention remains the best strategy, with companies needing to plan for potential vendor breaches.
What Comes Next
Klue is continuing its investigation into the breach and has not yet released a detailed explanation of how attackers gained access. The full scope of the incident remains unclear until this information is available.
LastPass is cooperating with law enforcement and security experts to better understand the attack and has committed to sharing more details as they emerge.
Affected customers should watch for notifications from LastPass. If you do not receive a notification, your data was likely not involved in this specific breach.
This incident may prompt changes in how companies manage third-party integrations, particularly concerning the risks associated with OAuth tokens. Expect increased scrutiny of vendor access and tighter security policies across the industry.
For LastPass, this event follows challenging years, including the 2022 breaches. While this incident does not involve vault data, it raises questions about the company’s overall security posture. Some users might consider switching password managers, while others may remain, confident in the security of their encrypted vaults.
The broader lesson is that no company operates in isolation. Reliance on vendors and partners creates potential entry points for attackers. Managing this risk carefully, limiting access, and having a solid response plan are crucial.
Security is an ongoing process. This breach serves as a reminder that defenses must be continuously improved, vendors audited, and preparations made for future attacks.
For average users, the best defense involves common sense: use strong passwords, enable two-factor authentication, be cautious with email links, and stay informed about the security of the services you use. Knowledge is a key form of protection.
Frequently Asked Questions
What happened in the LastPass Klue supply chain attack?
Hackers gained access to LastPass's customer CRM and support data by compromising a third-party vendor called Klue. They stole OAuth tokens from Klue, which allowed them to access LastPass's Salesforce system.
Was my LastPass vault data stolen?
No, LastPass has confirmed that no vault data was compromised in this incident. Your stored passwords and other sensitive information within your vault remain secure and encrypted.
What kind of data was stolen from LastPass?
The stolen data includes customer CRM and support information, such as names, email addresses, phone numbers, and details about customer support interactions. This data does not include vault passwords.
How did the attackers get into LastPass's systems?
The attackers did not breach LastPass directly. Instead, they targeted Klue, a vendor that LastPass uses for Salesforce integration. By stealing OAuth tokens from Klue, they were able to impersonate authorized users and access LastPass's Salesforce environment.
What are OAuth tokens?
OAuth tokens are like digital keys that allow different applications or services to communicate with each other securely. In this case, a token allowed Klue to access specific parts of LastPass's systems without needing a direct password.
What should LastPass users do after this breach?
Users should enable two-factor authentication (2FA) on their accounts, be vigilant for phishing emails that might use the stolen CRM data, and consider changing their master password. Always go directly to the LastPass website instead of clicking links in emails.
Is this the same as the 2022 LastPass breaches?
No, this incident is different. The 2022 breaches involved the theft of encrypted vault data, which posed a risk to stored passwords. This current breach only involved customer CRM and support data, not the contents of user vaults.