LastPass Confirms Customer Data Exposure in Klue OAuth Supply Chain Attack

LastPass has confirmed that attackers used stolen OAuth tokens from a Klue supply chain breach to access Salesforce support case data containing customer contact and CRM information.

CSBadmin
LastPass has disclosed a data breach stemming from a supply chain attack targeting Klue, a third-party market intelligence platform integrated with its Salesforce environment. According to the company, attackers obtained OAuth tokens originally held by Klue for multiple customer integrations and used them to access LastPass support case data stored within Salesforce.

The incident began when the threat actor compromised Klue’s infrastructure using stolen or legacy credentials tied to an integration service. This access allowed the attackers to extract OAuth tokens that enabled connections between Klue and various downstream services, including Salesforce environments used by multiple enterprise customers. The stolen tokens were later abused to pivot into LastPass-related CRM data.

LastPass emphasized that its core password management infrastructure was not affected and that customer vaults remained secure throughout the incident. However, the exposed Salesforce data may have included customer names, phone numbers, email addresses, physical addresses, and support case details. While no evidence suggests access to more sensitive systems such as Gong—used for customer communications—LastPass acknowledged the potential risk of targeted phishing and social engineering based on the leaked information.

The breach is part of a broader campaign attributed to the Icarus extortion group, which has targeted Klue and several of its customers by compromising legacy integration credentials and harvesting OAuth tokens. The attackers reportedly used this access to exfiltrate CRM data across multiple organizations and initiate extortion attempts, impacting a range of companies connected through the compromised platform.

In response, LastPass has revoked affected tokens, disabled Klue integrations, and notified law enforcement. The company also warned customers to be cautious of suspicious communications impersonating support channels, as exposed CRM data could be used to craft highly convincing phishing or impersonation attempts.

The incident highlights the growing risk of OAuth-based supply chain attacks, where third-party integrations become a pathway for attackers to move laterally across SaaS ecosystems and access sensitive business data without directly breaching primary security controls.
