Icarus Stole LastPass Customer Data Via Klue OAuth Tokens

bleepingcomputer.com · @keen_hawk · 3 hours ago · Cybersecurity · 2 comments

Icarus extortion group leveraged stolen OAuth tokens from Klue to access LastPass's Salesforce environment, exposing customer names, emails, and support data but not vault contents.

Tags: lastpass, klue, icarus, oauth tokens, supply chain attack, salesforce

LastPass just admitted attackers raided its Salesforce environment through OAuth tokens stolen from Klue, a third-party market intelligence platform. The good news: customer vaults and master passwords are not affected. The bad news: your name, phone number, email, physical address, and support case history are now in the hands of the Icarus extortion group.

OAuth Tokens Are the New Attack Surface

On June 12, LastPass learned that Klue had been compromised. Icarus used compromised legacy credentials for an integration service to steal OAuth tokens Klue held for multiple customers, including LastPass. Those tokens gave direct access to LastPass’s Salesforce instance. Gong integrations were not accessed, so call recordings and emails stayed safe, but CRM data is a phishing goldmine.

LastPass says its own products, services, and infrastructure were never touched. The breach is entirely a supply chain problem: OAuth tokens a third party held on LastPass's behalf became the weak link. It rhymes with SolarWinds and 3CX in that the victim's own perimeter was never breached, but the pivot here ran through SaaS integration tokens into sales and support data rather than through a compromised build pipeline into code.

Exposed Data Fuels Targeted Phishing

The exposed fields are exactly what you need to craft convincing social engineering: name, phone, email, physical address, plus support case details. Attackers can pretend to be LastPass support and already know your account history. LastPass warns about emails from baccarat.com.au, robinskitchen.com.au, and house.com.au. If you get one, delete it.

Icarus also hit Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. This wasn’t a narrow strike. Klue acted as a single point of failure for a whole ecosystem of security and business software companies.

What LastPass Did and Didn’t Do

LastPass rotated the exposed tokens, disabled employee access to Klue, and notified law enforcement. They did not force a password reset or require master password changes because the vaults are end-to-end encrypted and were never exposed. That’s the right call, but it won’t stop the phishing wave that’s coming.

For users: treat every unsolicited call or email referencing LastPass as hostile until proven otherwise. Never share your master password. If you get a support email from an unexpected domain, it’s a trap.

This breach is another reminder that OAuth tokens are as valuable as passwords and often less protected. Klue’s legacy integration credentials should never have been enough to steal tokens that could pivot into a billion-dollar password manager’s CRM. Expect more organizations to review their third-party token lifetimes and scope after this.
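The review the paragraph above calls for, as an added example that is not part of the original article or of anything LastPass, Klue or Salesforce published: given an inventory of third-party connected-app grants, flag the three properties that turn a token theft at a vendor into direct tenant access. The checks mirror real Salesforce connected-app settings (scope, refresh token policy, IP relaxation), but the `Grant` record layout, the field names, the thresholds and the sample inventory are all constructed for this example and are not a Salesforce API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# One third-party OAuth grant. Constructed record layout for the example
# (assumption): roughly what a connected-app / OAuth-usage export contains.
@dataclass(frozen=True)
class Grant:
    app: str                  # connected app / integration vendor
    scopes: frozenset         # OAuth scopes the app was authorised for
    refresh_policy: str       # "expire_immediately" | "expire_after_days" | "never"
    refresh_ttl_days: int     # only meaningful for "expire_after_days"
    ip_relaxed: bool          # True = token accepted from any source IP
    last_used: datetime       # last API call made with this grant


# Salesforce scopes that grant far more than a CRM-sync integration needs
# (assumption: treat "full" and "web" as over-broad for a vendor integration).
BROAD_SCOPES = {"full", "web"}
STALE_AFTER = timedelta(days=90)       # policy thresholds chosen for the example
MAX_REFRESH_TTL = timedelta(days=30)


def review_grant(g: Grant, now: datetime) -> list:
    """Return (severity, reason) findings for a single grant."""
    findings = []
    broad = g.scopes & BROAD_SCOPES
    if broad:
        findings.append(("high", f"over-broad scope {sorted(broad)}: a stolen token "
                                 "acts as the integration user everywhere"))
    if g.refresh_policy == "never":
        findings.append(("high", "refresh token never expires: a stolen token stays "
                                 "valid until someone notices and revokes it"))
    elif (g.refresh_policy == "expire_after_days"
          and timedelta(days=g.refresh_ttl_days) > MAX_REFRESH_TTL):
        findings.append(("medium", f"refresh token lives {g.refresh_ttl_days}d; "
                                   f"cap it at {MAX_REFRESH_TTL.days}d"))
    if g.ip_relaxed:
        # This is the property that let a token lifted from the vendor be replayed
        # from attacker-controlled infrastructure instead of the vendor's network.
        findings.append(("high", "IP restrictions relaxed: token is replayable from "
                                 "any network, not just the vendor's egress range"))
    idle = now - g.last_used
    if idle > STALE_AFTER:
        findings.append(("medium", f"unused for {idle.days}d: revoke rather than "
                                   "keep a dormant grant alive"))
    return findings


def review_grants(grants: list, now: datetime) -> dict:
    """Findings keyed by app name."""
    return {g.app: review_grant(g, now) for g in grants}


def revocation_order(grants: list, now: datetime) -> list:
    """Apps that need action, riskiest first; clean grants are omitted."""
    weight = {"high": 3, "medium": 1}

    def score(g: Grant) -> int:
        return sum(weight[sev] for sev, _ in review_grant(g, now))

    return [g.app for g in sorted(grants, key=score, reverse=True) if score(g) > 0]


# Constructed sample inventory and "as-of" time. Not real LastPass or Klue
# configuration; the dates and vendor names are invented for the example.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Grant("market-intel-vendor", frozenset({"full", "refresh_token"}),
          "never", 0, True, NOW - timedelta(days=2)),
    Grant("call-recording-vendor", frozenset({"api", "refresh_token"}),
          "expire_after_days", 7, False, NOW - timedelta(days=1)),
    Grant("old-marketing-tool", frozenset({"api", "refresh_token"}),
          "expire_after_days", 365, False, NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for app, findings in review_grants(SAMPLE, NOW).items():
        print(app, "OK" if not findings else "")
        for sev, reason in findings:
            print(f"  [{sev}] {reason}")
    print("revoke or tighten first:", revocation_order(SAMPLE, NOW))
```

The point of scoring rather than just listing is triage: a vendor holding a never-expiring, IP-relaxed, `full`-scope token is the grant that reproduces this incident, while a narrow-scope token with a short refresh TTL and an enforced IP range limits a vendor compromise to a short window from a known network. Run the same review against every integrator, not only the one in the headlines.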


Source: LastPass confirms data breach in Klue supply chain attack
Domain: bleepingcomputer.com
