Is Your LastPass Info Being Used Against You? Safety Steps After the Klue Supply-Chain Attack

June 23, 2026
by
Pulkit Gupta
deleteme

If you’ve ever opened a “support case” and typed out details like your name, phone number, or address, this is the kind of breach that can come back around. LastPass says attackers stole OAuth tokens from Klue (a third-party tool used by its go-to-market teams) and used those tokens to access customer data inside LastPass’s Salesforce environment, including support case information and sales/CRM records . The good news: LastPass says vaults stayed secure and its products, services, and infrastructure weren’t impacted . The bad news: the data that may have been exposed is exactly what scammers need to make a phishing message feel “real.”

What actually happened (in plain English): the Klue OAuth token problem

Here’s the simple version: this wasn’t a “LastPass got hacked” story in the traditional sense. It was a supply-chain attack that started at Klue, a third-party market intelligence platform LastPass says it uses with its go-to-market teams, and that integrates with systems like Salesforce (and also Gong).

The key issue: stolen OAuth tokens

LastPass says an unauthorized actor obtained OAuth tokens that Klue held for many customers, including LastPass.

If “OAuth token” sounds abstract, think of it like this:

  • When you connect a tool like Klue to Salesforce, you don’t hand it your password.
  • Instead, Salesforce gives Klue an OAuth token — a pre-approved pass that tells Salesforce, “This app is allowed to access these specific things.”
  • If an attacker steals that token, they can sometimes use it like a working key to get into the connected system as the app, without needing your username, password, or MFA prompts.

That’s why token theft is such a big deal. It can bypass the security checks people expect.

What LastPass says the attacker did with those tokens

According to LastPass, the attacker used those stolen OAuth tokens to access LastPass customer data inside LastPass’s Salesforce environment.

So the breach wasn’t about cracking your vault encryption. It was about getting into the place where a lot of “human” business data lives: support cases and CRM records.

What wasn’t touched (based on what’s been shared)

LastPass says:

  • Customer vaults remained secure
  • Products, services, and infrastructure were not affected
  • Their investigation “did not reveal any evidence” the attacker accessed Gong-related data (often customer calls/emails)

That distinction matters, because it changes what you should worry about right now. If vaults weren’t accessed, the immediate risk isn’t someone logging into your password manager and dumping passwords. The immediate risk is targeted phishing using realistic details pulled from Salesforce support/CRM.

And that’s exactly why this type of incident can feel personal fast: it’s not your “secrets” being stolen — it’s your context.

What data may have been exposed — and why it changes your risk this week

Once someone gets into a CRM like Salesforce, they don’t need passwords to cause damage. They need details. The kind you’d casually type into a support case because you’re trying to get help and move on with your day.

LastPass says the data that may have been exposed includes: customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM-related data .

Here’s what criminals can do with each data type (the real-world angle)

  • Name + email address
  • Creates “legit-looking” emails that feel personal, not spammy.
  • Makes it easy to target your work inbox if your email is tied to a company domain.
  • Phone number
  • Opens the door to vishing (voice phishing): calls that claim to be “LastPass support” or “your IT team.”
  • Makes SMS-based scams (“we need you to verify this login”) much more believable.
  • Physical address
  • Used as a trust hook: “We’re confirming the billing address on file…”
  • Can be combined with other data to pass weak identity checks at unrelated services.
  • Support case information
  • This is the scary one, because it adds context.
  • Attackers can reference things like a prior issue, a timeline, or a “case update,” which lowers your guard fast.
  • Sales/CRM-related data
  • Helps attackers map who you are in an org: job role, company name, maybe internal notes or contact history.
  • Perfect fuel for business email compromise-style pressure (“Your admin requested this,” “procurement needs it today,” etc.).

LastPass also warned that this type of exposed data can be used for phishing and social engineering attacks . Translation: expect messages that don’t look like obvious scams. They’ll look like follow-ups.

Why your risk spikes this week

A generic phishing email is easy to ignore. A targeted one is harder because it answers the questions you usually use to judge legitimacy:

  • “How would they know my name?”
  • “How would they know I contacted support?”
  • “Why would they have my phone number and address?”

That’s how small details turn into big problems.

If you want one rule to hold onto: treat anything that references support cases, account changes, renewals, or “verification” as suspicious until you’ve verified it through official channels—no matter how accurate it sounds.

Your safety checklist: how to handle messages, calls, and “support” requests right now

If you take one thing from this: assume attackers will try to “finish the job” with phishing. The data they can pull from Salesforce-style records is best used in a conversation, not in a database.

Non-negotiable rules (save you time and pain)

  1. Trust only official LastPass support channels. LastPass explicitly warned that only communications from official support channels should be trusted.
  2. Treat unsolicited outreach as hostile by default. If someone contacts you first (email, phone, SMS, LinkedIn) claiming to be “support,” you’re the verification step.
  3. Never share your master password. LastPass’s guidance is clear: your master password should not be shared with anyone.
  4. Don’t “continue the thread.” Attackers love replying inside an existing-looking email chain. Start a fresh support request from the official site/app instead.

Fast checks for phishing (email + SMS)

Use this quick triage before you click anything:

  • Check the sender domain and the Reply-To
  • Phish often uses a legit-looking display name with a weird domain behind it.
  • Reply-To is where they funnel your response even if the “From” looks clean.
  • Watch for urgency bait
  • “Vault will be disabled in 30 minutes”
  • “Suspicious sign-in—verify now”
  • “Support case will be closed unless…”
  • Look for “verification” requests
  • Any ask for passwords, MFA codes, recovery codes, or screenshots is a hard stop.

A specific warning LastPass called out: sender-domain tricks

LastPass warned about threat actors using sender domains like baccarat.com.au, robinskitchen.com.au, and house.com.au.

That’s not random. It’s a common move: send from a real-but-unrelated domain and rely on people only scanning the display name (“LastPass Support”) and the subject line.

If you already replied, clicked, or shared something

Don’t spiral. Just act fast:

  • Stop the conversation (no arguing, no “remove me,” no extra info).
  • Change the password on the account you discussed (and any account that reused it).
  • Check your email account security (inbox rules/forwarding are a favorite).
  • Run an antivirus/OS scan if you opened an attachment or installed anything.
  • Report it to your IT/security team if it’s a work account.

If you want a practical habit change after incidents like this, it’s simple: move “support verification” out of your inbox. For example, tools like Cloaked help by giving you separate emails and phone numbers for different services, so a breach-linked message can’t easily be tied back to your main identity—and you can shut off an exposed alias without disrupting everything else.

For teams: containment moves that actually reduce damage (and what LastPass already did)

If you’re on a security or IT team, treat an OAuth token theft like a credential breach with a long tail. The break-in might be over, but the social-engineering wave usually comes next.

What LastPass already did (steps worth mirroring)

Based on reporting around LastPass’s response, the moves were the right ones and they’re instructive:

  • Disabled employee access to Klue
  • Rotated exposed API/OAuth tokens
  • Notified law enforcement while the investigation continued

Those three actions map to a simple containment formula: cut off the third party → invalidate stolen tokens → get external support and preserve evidence.

Your “do this now” playbook after an OAuth token breach

  1. Kill the paths attackers use again
  • Disable or pause the third-party integration (even if the vendor says it’s “fixed”).
  • Revoke tokens and sessions, then re-authorize cleanly with least privilege.
  1. Audit Salesforce connected apps like you mean it

OAuth token incidents are a reminder that Connected Apps = identity perimeter.

Focus your audit on:

  • Apps with broad scopes (“full” access, read/write everywhere)
  • Apps tied to shared service accounts
  • Apps that haven’t been used in months (dead integrations still hold power)
  1. Tighten support-case data hygiene (this is where damage is reduced)

Support case notes often become an unintentional identity record. Clean it up.

A practical “don’t forget” list:

  • Redact or stop collecting phone numbers, addresses, and screenshots unless absolutely needed
  • Train support to avoid pasting internal identifiers into replies (order IDs, contract refs, full device details)
  • Set retention rules so old case data doesn’t sit around forever
  1. Prep the humans: support, sales, and IT are the next targets

In this incident family, attackers didn’t just steal data. Reporting says they exfiltrated CRM data and ran an extortion campaign, and the activity has been linked to the Icarus extortion group in the broader Klue supply-chain attack coverage .

That matters because frontline teams will get hit with:

  • “I’m following up on my open ticket…”
  • “Your rep told me to contact you…”
  • “We need to confirm billing before renewal…”

Give them scripts and hard rules:

  • No identity verification over inbound email
  • Callbacks only to numbers from your own CRM (not what the caller provides)
  • No credential resets based on “case familiarity”

A quiet but high-impact control: isolate your contact points

One way teams reduce blast radius is separating identities used for customer-facing systems from employee personal identifiers. Tools like Cloaked can help by issuing separate emails and phone numbers for different vendors and workflows, so if one channel gets poisoned, you can shut it off without taking down your main inbox or phone line.

View all

2026 Data Breach Tracker: Latest Incidents and Recovery Steps

Data Breaches
by
Arjun Bhatnagar

Was Your Medtronic Data Exposed in This Data Breach—and What Should You Do Next?

Data Breaches
by
Abhijay Bhatnagar

Could Your Employee Data Be in the Kubota Data Breach—and What Should You Do Next?

Data Breaches
by
Arjun Bhatnagar