LastPass has confirmed that customer information and customer support case data were stolen during the recent compromise of competitive intelligence platform Klue, making the password manager provider the latest organization publicly impacted by the expanding supply chain incident linked to the Icarus extortion group.
According to LastPass, the attackers did not breach the company’s own infrastructure. Instead, they gained access to information stored within Klue after compromising the third-party platform. LastPass stated there is no evidence that customer password vaults, authentication systems, or internal production infrastructure were affected.
The disclosure follows BreachNews’ earlier reporting on the Klue Supply Chain Breach Leads to Salesforce Data Theft Across Multiple Organizations, which detailed how attackers allegedly harvested OAuth credentials from Klue’s integration infrastructure to access customer environments.
Customer support information exposed
According to LastPass, the compromised data may include customer names, email addresses, phone numbers, physical addresses, customer support case records, and sales-related information.
The company emphasized that the incident did not impact customers’ encrypted password vaults, which remain stored separately from the affected third-party environment.
While LastPass has not disclosed how many individuals were affected, customer support cases can sometimes contain sensitive information voluntarily submitted by users while seeking technical assistance, such as account recovery details, billing information, or diagnostic data.
Another confirmed victim of the Klue campaign
The disclosure adds LastPass to a growing list of organizations that have publicly acknowledged impact from the Klue compromise.
As BreachNews previously reported in Icarus Lists Huntress and Additional Organizations in Expanding Klue Breach Extortion Campaign, the Icarus leak site has already listed Huntress alongside several additional organizations while claiming to possess Salesforce data allegedly obtained through the attack.
Other organizations that have publicly acknowledged impacts related to the Klue incident include Huntress, Recorded Future, Tanium, Jamf, and HackerOne, although the scope of data exposure varies between organizations.
Investigators believe attackers gained access to Klue’s backend systems before modifying infrastructure to collect OAuth credentials used by customers to connect services including Salesforce and other third-party platforms. Those credentials were allegedly used to access downstream customer environments and exfiltrate data.
Incident remains under investigation
Klue disclosed that it detected suspicious activity on June 12 and subsequently revoked customer OAuth credentials while disabling multiple integrations during its investigation.
The Icarus extortion group has claimed responsibility for the compromise and continues to pressure affected organizations through leak site postings and extortion demands. Several organizations have since confirmed unauthorized access to data connected to their Klue integrations, while additional alleged victims continue to appear on the group’s leak site.
LastPass said it is continuing to investigate the incident alongside Klue. At the time of publication, the company had not disclosed the total number of affected customers.
