LastPass Customer Data Exposed in Klue Supply Chain Attack

LastPass has reported a security incident involving its third-party vendor, Klue, which led to unauthorized access to customer data within LastPass’s Salesforce environment. The company emphasized that its core infrastructure and password vaults remain secure, but the event underscores the vulnerabilities associated with SaaS integrations and OAuth token misuse.

The breach was detected on June 12, when LastPass was alerted to suspicious activity affecting Klue, a market intelligence platform utilized by its go-to-market teams. Klue integrates with enterprise tools like Salesforce and Gong, facilitating data synchronization across systems.

Details of the Data Exposure

According to LastPass, the attacker obtained OAuth tokens stored by Klue for multiple clients, including LastPass. These tokens were then used to access CRM data within LastPass’s Salesforce instance, effectively bypassing traditional login controls by exploiting the trusted API-based authentication between services. This incident highlights the increasing exploitation of token-based trust relationships in supply chain attacks.

LastPass clarified that the exposure was confined to systems connected to Klue. The company’s core products, internal infrastructure, and customer password vaults were not affected. Additionally, there is no evidence that data from Gong systems was accessed during the intrusion. The compromised data includes standard business contact and CRM-related information, such as customer names, email addresses, phone numbers, physical addresses, support case details, and sales-related records. While no sensitive authentication data was exposed, the information could potentially be used in targeted phishing or social engineering campaigns.

Response and Mitigation Efforts

Upon discovering the breach, LastPass initiated an immediate incident response process. The company revoked all employee access to Klue, rotated exposed API and OAuth tokens, and launched a joint investigation with Klue and Salesforce. Law enforcement agencies have also been notified. LastPass’s Threat Intelligence, Mitigation, and Escalation (TIME) team is actively collaborating with the broader security community to share threat intelligence and disrupt the campaign.

To prevent similar incidents, LastPass is implementing additional safeguards, focusing on third-party integrations and token security controls. This includes strengthening monitoring mechanisms and reviewing access dependencies across connected platforms.

LastPass has advised customers to remain cautious of unsolicited communications, as attackers may attempt to exploit exposed contact data. The company reiterated that it will never request master passwords and urged users to verify all communications through official support channels.

As part of the investigation, several indicators of compromise have been identified. Suspicious IP addresses linked to the activity include 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, and 159.183.181[.]239. Malicious email sender domains observed in related activity include baccarat.com[.]au, robinskitchen.com[.]au, and house.com[.]au. Security teams are advised to monitor for these indicators within their environments.
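The following script is an added example written for this page, not LastPass's or Klue's own tooling, showing one way a security team could sweep its own logs for the indicators listed above. It refangs the published indicators (the `[.]` notation) and matches them against a few constructed sample records: the Salesforce-style `client_ip=` / `from=` field layout and the `klue-integration@example.com` account name are assumptions for the example, not fields from the advisory. Sender-domain matching also covers subdomains of the listed domains, which the article's list does not spell out.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as the LastPass advisory lists them, in defanged form.
DEFANGED_IPS = [
    "138.226.246[.]94",
    "94.154.32[.]160",
    "159.183.215[.]61",
    "159.183.181[.]239",
]
DEFANGED_SENDER_DOMAINS = [
    "baccarat.com[.]au",
    "robinskitchen.com[.]au",
    "house.com[.]au",
]


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') so a value can be compared to logs."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_SENDER_DOMAINS}


@dataclass
class Alert:
    line_no: int
    kind: str      # "ioc_ip" or "ioc_sender_domain"
    value: str
    record: str


# Constructed sample records (not real logs). Field names are an assumption:
# one Salesforce-style API login line and one mail-gateway line per event.
SAMPLE_LOGS = """\
2025-06-12T03:14:07Z source=salesforce event=ApiLogin user=klue-integration@example.com client_ip=138.226.246.94 app=Klue status=Success
2025-06-12T03:15:22Z source=salesforce event=ApiLogin user=alice@example.com client_ip=203.0.113.10 app=SalesCloud status=Success
2025-06-12T08:01:55Z source=mailgw event=Inbound from=billing@mail.baccarat.com.au to=bob@example.com subject="Your account"
2025-06-12T08:03:12Z source=mailgw event=Inbound from=newsletter@example.org to=bob@example.com subject="Weekly digest"
2025-06-12T09:40:00Z source=salesforce event=ApiLogin user=klue-integration@example.com client_ip=159.183.181.239 app=Klue status=Success
"""

IP_RE = re.compile(r"client_ip=(\S+)")
FROM_RE = re.compile(r"from=\S+@([A-Za-z0-9.-]+)")


def domain_matches(domain: str) -> bool:
    """True if the domain is a listed sender domain or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS)


def scan(log_text: str) -> list:
    """Return an Alert for every log line whose source IP or sender domain is a listed IoC."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = IP_RE.search(line)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                ip = None  # malformed address: skip rather than crash the sweep
            if ip in IOC_IPS:
                alerts.append(Alert(n, "ioc_ip", str(ip), line))
        m = FROM_RE.search(line)
        if m and domain_matches(m.group(1)):
            alerts.append(Alert(n, "ioc_sender_domain", m.group(1).lower(), line))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.kind} {a.value}")
```

Against the sample data the sweep flags the two API logins from listed addresses and the one inbound mail from a subdomain of a listed sender domain. The same loop is the natural place to add a second check the advisory implies: API logins by an integration's service account from any address outside that vendor's known ranges, which is the signal a stolen OAuth token produces even when the address is not yet on an IoC list.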

This incident serves as a stark reminder of the inherent risks in third-party integrations and the importance of robust security measures. Organizations must continuously assess and fortify their supply chain security to mitigate potential threats arising from interconnected systems.