LastPass hit by new data breach - 4 steps you should take now

Follow ZDNET: Add us as a preferred source on Google.

Do you use LastPass as your password manager? If so, I got some bad news. Yes, another data breach, though this one occurred at one of the company's third-party suppliers.

In a Tuesday blog post, LastPass revealed that a breach at a third-party supplier named Klue compromised certain contact and CRM (customer relationship management) data. The stolen information includes customer names, phone numbers, email addresses, and physical addresses, as well as support case and sales-related details. The only saving grace so far is that no master passwords or password vaults were compromised in the breach.

Also: Can you trust LastPass in 2026? Inside the multimillion-dollar quest to rebuild its security culture

As the blog post explains, Klue is a third-party market research platform used by LastPass to integrate with its Salesforce and Gong systems, allowing it to work with customer data and conduct market research. The hackers were able to snag the OAuth security tokens used by Klue to connect to customer data across these different systems. They then exploited these tokens to steal the LastPass user data stored in Salesforce.