Password manager maker LastPass is notifying customers that hackers stole personal information and customer support case data during a breach at one of its technology partners, Klue, adding another security incident to the company’s recent history of data exposure.
LastPass said customer personal information and support case records were stolen in a hack involving market research firm Klue, not LastPass’ own systems. The Klue breach gave attackers access to LastPass’ Salesforce data, along with data from other companies reportedly being extorted by a group called “Icarus”.
Customer Support Data Was Taken
The exposed data appears to involve support-related records rather than password vault contents.
TechCrunch reported that LastPass said hackers took customer names, phone numbers, email addresses, physical addresses, customer support case data, and sales-related data.
That distinction is important because LastPass stores sensitive credentials for users. LastPass said its own infrastructure was unaffected, including customers’ password vaults. Still, the theft of support case data can create risks because customer service records may contain details about account problems, billing issues, or access recovery.
Klue Breach Hits Multiple Cybersecurity Firms
The incident is part of a broader Klue-related breach affecting several companies. LastPass is among a growing list of cybersecurity companies affected by the Klue breach, including HackerOne, Recorded Future, and Tanium.
The Verge reported that attackers gained access to Salesforce data connected to LastPass and other companies through the Klue breach. The reference to Salesforce data matters because customer relationship management systems often contain contact details, sales notes, support tickets, and records of previous interactions with customers.
Klue’s own role in the incident is still being examined. Klue CEO Jason Smith said in a blog post that the company identified hackers in its systems on June 12. A hacking and extortion group called Icarus took credit for the breach and publicly threatened to release stolen data if a ransom is not paid.
LastPass Faces Renewed Trust Questions
The new disclosure lands at a sensitive time for LastPass because of its past security record. LastPass’ 2022 breach exposed encrypted customer passwords and later spurred some crypto heists. In the 2022 breach, hackers stole LastPass’ entire store of customer password vaults, which contained sensitive credentials such as passwords, tokens, personal information, and credit card numbers.
The current Klue incident is different because LastPass says password vaults were not affected. But for a password manager, even indirect exposure of support data can damage user confidence. Customers trust password managers not only to protect vaults but also to safeguard account-related interactions that could help attackers craft phishing attempts or social engineering messages.
Number of Affected Customers Still Unknown
LastPass has not publicly disclosed how many users were affected, and it did not immediately respond to questions about the incident, including that number. LastPass had more than 33 million users and around 1.6 million paying customers as of 2024, according to the company’s website.
For affected customers, the immediate concern is not stolen vaults but targeted scams. Attackers with names, phone numbers, email addresses, physical addresses, and support-case details may be able to impersonate LastPass support or reference real customer issues to make phishing messages more believable.
The Klue breach shows that even when a company’s core systems remain untouched, third-party data exposure can still create security risks for users. For LastPass, the challenge is now to prove that this breach is contained, clearly explain what was taken, and help customers recognize follow-up scams that may use their stolen support information.