Skip to main content
LiMP VPN
All news

Klue Breach Exposed LastPass Customer Data, 2026

Klue Breach Exposed LastPass Customer Data, 2026

In short: In June 2026 the extortion group Icarus broke into Klue, a market-intelligence SaaS platform, using a credential created back in 2022 for an integration prototype that was never shipped and never revoked. From there the attackers stole OAuth tokens linking Klue to its customers' Salesforce CRM systems and pulled contact and support data from at least 12 companies, including password manager LastPass. Vaults and master passwords were not touched — but names, emails, phone numbers and support histories were, and that is exactly what fuels targeted phishing.

What happened

On 12 June 2026, attackers breached Klue — a competitive-intelligence platform many technology firms plug into their sales stack. They did not crack any encryption. Instead they reused an old access credential issued in 2022 for a third-party integration prototype that was abandoned but never cleaned up. That single forgotten key let them into Klue's infrastructure, where OAuth tokens for customers' Salesforce environments were stored.

On 23 June 2026 LastPass confirmed that its Salesforce CRM data had been accessed through this chain, and the Icarus group began leaking material on its extortion site. If you want to know whether your own details have surfaced anywhere, our guide on how to check if your personal data has leaked walks through the steps.

How a forgotten token opened the door

This was a textbook supply-chain attack. When you connect a SaaS app such as Klue to Salesforce, you grant it an OAuth token — a long-lived key that lets the app read your CRM without asking for your password each time. Those tokens are convenient, but they are also bearer credentials: whoever holds one can act as the connected app.

Because a 2022 prototype credential was never revoked, the attackers used it to reach Klue's token store and then impersonated Klue against each customer's Salesforce. Salesforce and the analytics vendor Gong responded by disabling the Klue integration outright. The lesson is uncomfortable: your own security can be flawless, yet a partner's stale key still exposes your data.

Who was affected and what leaked

At least 12 organisations have confirmed impact, among them LastPass, HackerOne, Recorded Future, Tanium, Huntress, ReliaQuest, Jamf, Snyk, BeyondTrust, Sprout Social, Gong and OneTrust. The exposed records include customer names, email addresses, phone numbers, physical addresses and the contents of support cases and sales notes.

Crucially for LastPass users, the company stresses that encrypted password vaults, master passwords and core infrastructure were not compromised — the breach hit CRM contact data, not the secrets themselves. That is a meaningful difference from a full credential dump like the one in our report on the billion-record infostealer leak, but leaked contact and support data is still valuable to criminals.

What it means for you and your data

Even when passwords stay safe, leaked names, emails and support histories are premium raw material for phishing. An attacker who knows you are a LastPass customer, has your email and can quote a recent support ticket can craft a message that looks genuinely internal — and that is how account takeovers start. Treat any unexpected "security" email, especially one referencing a real ticket, with suspicion.

The wider takeaway is about your data footprint. Every SaaS tool and third-party integration that holds your details widens the surface an attacker can reach through someone else's mistake. The fewer places your data sits, and the fewer stale integrations linger, the smaller the blast radius when a partner is breached.

How to protect yourself

Expect targeted phishing and slow down. After a CRM breach, watch for emails that use your real name and support history. Never click login links in unsolicited mail — open the service yourself and check. Our guide on protecting accounts from hijacking covers the warning signs.

Turn on strong two-factor authentication. Phishing-resistant methods such as passkeys or an authenticator app stop a stolen password from becoming a stolen account.

Review and revoke third-party app access. In your Google, Microsoft and other accounts, remove OAuth connections and integrations you no longer use — the same stale-token risk applies to individuals, not just companies.

Encrypt your connection on untrusted networks. A VPN cannot undo a partner's breach, but on public or shared Wi-Fi it routes your traffic through an encrypted tunnel, so attackers on the same network cannot intercept your sessions or read your data. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more privacy news on our blog.

Sources

This report is based on reporting by BleepingComputer and The Hacker News, and Russian-language coverage by SecurityLab.

Klue Breach Exposed LastPass Customer Data, 2026 | LiMP VPN