LastPass Customer Data Compromised in Klue Breach

Password management service LastPass has informed its users of a data breach resulting from a cyberattack on its technology partner, Klue. This incident led to unauthorized access to personal information and customer support records of LastPass clients.

In communications to affected users, LastPass clarified that the breach occurred within Klue’s systems, not its own infrastructure. Despite this, attackers managed to extract substantial data pertaining to LastPass customers.

LastPass is among several cybersecurity firms impacted by the Klue breach, with other affected companies including HackerOne, Recorded Future, and Tanium.

According to a blog post by LastPass, the compromised data encompasses customers’ names, phone numbers, email addresses, physical addresses, as well as details from customer support cases and sales-related information. Importantly, LastPass confirmed that its core infrastructure, including customers’ password vaults, remained secure and unaffected by this breach.

The specific contents of the stolen customer support tickets have not been disclosed. However, such records often contain sensitive information, as users typically reach out for assistance with billing issues or account access problems. Historically, similar breaches have exposed credentials and government-issued identification documents.

As of 2024, LastPass reported having over 33 million users, including approximately 1.6 million paying customers.

This incident adds to LastPass’s history of security challenges. In 2022, the company experienced a significant breach where attackers accessed and stole encrypted customer password vaults. Although these vaults were protected by master passwords known only to the users, weak master passwords allowed attackers to decrypt some vaults, leading to subsequent security incidents, including cryptocurrency thefts.

Klue’s CEO, Jason Smith, stated that the company detected unauthorized access to its systems on June 12. The cybercriminal group known as Icarus has claimed responsibility for the attack and has threatened to release the stolen data publicly if their ransom demands are not met.

In light of this breach, LastPass users are advised to stay alert for suspicious activity involving their accounts. While the company's password vaults were not compromised in this instance, the exposure of personal and support-related information underscores the need for robust security practices and for companies to secure their third-party partnerships as rigorously as their own systems.