
LastPass breach stems from Klue token theft

LastPass says a breach at Klue exposed customer data after attackers stole access tokens and pulled information from LastPass integrations, prompting the company to warn customers about phishing and social engineering.

A familiar kind of fear is returning to password users: not just another warning banner, but the sense that your personal details can be taken and then used against you in quieter, more targeted ways.

This week, LastPass told customers it had been affected by a data breach that included names, phone numbers, email addresses, physical addresses, support case data, and sales-related data. The company traced the incident to a breach at the AI business intelligence firm Klue.

The chain of events, as LastPass described it, is blunt. Attackers compromised access tokens for Klue customers, including LastPass. With those tokens in hand, they pulled data from Salesforce and other integrated platforms. LastPass was clear about what was—and wasn’t—hit: it said the situation was not a breach of its own infrastructure and did not affect password vaults.

Still, the details are the part that lands hardest. Address, phone number, and email are not the kind of information that simply sits in a dashboard. In the wrong hands, they turn into believable calls, convincing emails, and accounts that suddenly look “known.” LastPass’s advice reflected that reality.

LastPass recommended that customers remain vigilant for phishing or social engineering attempts that could leverage exposed contact details. It urged users to be cautious with unsolicited communications—emails, phone calls, or requests for sensitive information.

The broader security story underneath the LastPass update is straightforward: today’s breaches often move through trusted connections. When access tokens are compromised, data doesn’t need to be cracked from scratch. It can be collected by impersonating the integrations that already have permission.

Even as LastPass insists its vaults were not compromised, the exposed categories—support case data and sales-related data alongside basic contact information—mean the fallout could be felt in everyday inboxes and phone lines, not just in a security report. For customers, the immediate task is the same as it always is after a breach like this: watch closely, treat unexpected messages as suspect, and assume attackers will try to sound like they belong.


4 Comments

  1. I saw this and thought it was about hackers getting into everyone’s LastPass vaults, but then it says not that. Either way, if someone has my phone and email, that’s still enough to make fake calls, right?

  2. Access tokens?? like those are just passwords for apps? I don’t even get how Klue fits in. I guess they stole the keys, then looked at Salesforce stuff. But if it wasn’t LastPass infrastructure, then why am I getting a warning from LastPass lol

  3. This is why I don’t trust any of these AI companies. First it’s “AI business intelligence” then suddenly everyone’s getting targeted emails. Probably the same people that “broke” other stuff, just using a different excuse. Also why would they say not a breach of the vaults—people don’t need the vault if they can spoof you with your address and support info.
