LastPass customer names, emails, and support records stolen in third-party breach, vaults unaffected

FACEPALM: If there's one password manager that consistently proves these services aren't infallible, it's LastPass. The company has confirmed that some personal information and customer support case records were stolen after hackers breached Klue, a third-party platform used by its go-to-market teams.

The good news for anyone still using LastPass after its previous security disasters is that this was not a compromise of the company's password manager infrastructure. LastPass says customer vaults remain secure, and its products and services were not affected.

The more worrying news is that attackers accessed customer data inside its Salesforce environment after stealing OAuth tokens from Klue, a third-party market intelligence platform. LastPass said it learned of the Klue incident on June 12. Klue integrates with Salesforce and Gong systems, though LastPass says it has found no evidence that Gong-related data was accessed.

The stolen information included standard business contact and CRM data, such as names, phone numbers, email addresses, physical addresses, customer support case data, and sales-related information.

Customer support tickets can contain private or sensitive fragments, especially when users are dealing with billing problems or account-access issues. Even if passwords and vaults were not involved, the information could help make phishing and social engineering attempts look more convincing.