LastPass confirms Klue breach exposed customer details

LastPass says a Klue security breach gave an unauthorized actor access to OAuth tokens Klue held for many customers, including LastPass—allowing the attacker to retrieve sensitive customer data from Klue while assuring that LastPass vaults and infrastructure w
The message landed with a familiar kind of dread for anyone who stores their passwords in a vault: LastPass has confirmed it was caught in a breach chain it didn’t directly start.
On June 12, Klue informed LastPass of the security breach, and LastPass says it immediately launched an investigation. What it found was stark—“an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
Klue’s platform integrates with both Salesforce and Gong systems. Once the attacker had those OAuth tokens, LastPass says the hackers used the credentials to access LastPass customer data “within [its] Salesforce environment.” LastPass also says the exposed Klue OAuth tokens have since been rotated.
LastPass says the affected data included sensitive customer details such as “names, phone numbers, email addresses, physical addresses, as well as support case data and sales-related data” from Klue.
Still, LastPass drew a bright line around what was and wasn’t taken. It confirmed that “LastPass products, services, and infrastructure were not impacted in any way, and customer vaults remain secure.”
The timeline is especially painful because it doesn’t arrive in a vacuum. The incident comes just four years after LastPass’ previous data breach, when hackers stole customers’ encrypted passwords. That earlier breach led to a payout of $24.5 million to those affected, per PCMag.
The Klue breach also swept in multiple cybersecurity companies. TechCrunch’s list includes Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium—alongside LastPass.
LastPass says customers should respond the same way security teams always urge after data exposure: treat phishing and social engineering attempts as a real risk. The company recommends remaining vigilant for potential phishing attacks or social engineering efforts that could use exposed contact details. It also asks customers to be cautious with unsolicited communications—emails, phone calls, or requests for sensitive information.
To help customers spot suspicious messages, LastPass shared the IP addresses and email sender domains associated with the attack:
IP addresses: 138.226.246[.]94; 94.154.32[.]160; 159.183.215[.]61; 159.183.181[.]239
Email sender domains: baccarat.com[.]au; robinskitchen.com[.]au; house.com[.]au
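As an added example (not LastPass's own tooling), the following Python screen refangs the indicators LastPass published above and checks an inbound message's sender domains and Received-hop IPs against them, treating subdomains of a listed domain as matches; the sample message and the host mx.example.net are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Indicators exactly as published in the notice (defanged with "[.]").
DEFANGED_IPS = ["138.226.246[.]94", "94.154.32[.]160", "159.183.215[.]61", "159.183.181[.]239"]
DEFANGED_DOMAINS = ["baccarat.com[.]au", "robinskitchen.com[.]au", "house.com[.]au"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]" or "(.)") back into a usable value."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()

IOC_IPS = {ip_address(refang(i)) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def domain_matches(host: str) -> bool:
    """True if host is a listed domain or a subdomain of one (e.g. mail.house.com.au)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

_IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def screen_message(raw: str) -> dict:
    """Check From/Return-Path/Reply-To domains and Received-hop IPs against the IoCs."""
    msg = message_from_string(raw)
    hits = {"domains": [], "ips": []}
    for header in ("From", "Return-Path", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            domain = addr.rsplit("@", 1)[1].lower()
            if domain_matches(domain):
                hits["domains"].append(domain)
    for hop in msg.get_all("Received", []):
        for candidate in _IP_RE.findall(hop):
            try:
                ip = ip_address(candidate)
            except ValueError:
                continue  # not a valid dotted quad, skip it
            if ip in IOC_IPS:
                hits["ips"].append(str(ip))
    return {kind: sorted(set(values)) for kind, values in hits.items()}

# Constructed sample message (not a real capture) that hits on both indicator types.
SAMPLE = """Received: from mail.house.com.au ([159.183.215.61]) by mx.example.net; Mon, 16 Jun 2025 10:00:00 +0000
From: "LastPass Support" <support@mail.house.com.au>
Subject: Action required on your account

Please confirm your details.
"""
```

A non-empty result is a reason to quarantine the message for review rather than a verdict on its own, since the same domains and IPs may carry legitimate mail.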
For anyone with questions, LastPass points customers to support.lastpass.com or securitydisclosure@lastpass.com.
A quiet but important detail sits beneath the reassurance: LastPass vaults are safe, but contact data and business-related records tied to support and sales were still within the reach of the attacker’s OAuth token access. For customers, that combination can be more unsettling than a headline breach would suggest—because it turns personal details into potential bait.