LastPass Customer Data Exposed in Klue Supply Chain Attack


Jun 23, 2026 · 3 min read

LastPass has disclosed a supply chain security incident involving its third-party vendor, Klue, that resulted in unauthorized access to customer data within its Salesforce environment.

The company confirmed that the breach did not affect its core infrastructure or password vaults. However, it highlights ongoing risks associated with SaaS integrations and OAuth token exposure.

The incident was identified on June 12, when LastPass was notified of suspicious activity affecting Klue, a market intelligence platform used by its go-to-market teams.

Klue integrates with enterprise tools such as Salesforce and Gong, enabling data synchronization across systems.

LastPass Customer Data Exposed

According to the disclosure, a threat actor successfully obtained OAuth tokens stored by Klue for multiple customers, including LastPass.

Attackers used the stolen OAuth tokens to access CRM data in LastPass’ Salesforce instance, bypassing traditional login controls by exploiting the trusted API-based authentication mechanism between services.

In this case, the attacker leveraged valid tokens to access data without requiring user credentials, demonstrating the growing abuse of token-based trust relationships in supply-chain attacks.

LastPass clarified that the exposure was limited strictly to systems connected to Klue. Its core products, internal infrastructure, and customer password vaults were not affected.

Additionally, there is no evidence that data from Gong systems was accessed during the intrusion. The compromised data includes standard business contact and CRM-related information.

This consists of customer names, email addresses, phone numbers and physical addresses, as well as support case details and sales-related records.

While no sensitive authentication data was exposed, such information could be used in targeted phishing or social engineering campaigns.

Upon detection, LastPass initiated an immediate incident response process. The company revoked all employee access to Klue, rotated exposed API and OAuth tokens, and launched a joint investigation with Klue and Salesforce.

Law enforcement agencies have also been notified. LastPass stated that its Threat Intelligence, Mitigation, and Escalation (TIME) team is actively collaborating with the broader security community to share threat intelligence and disrupt the campaign.

The company is also implementing additional safeguards to reduce the risk of similar incidents, with a particular focus on third-party integrations and token security controls.

This includes strengthening monitoring mechanisms and reviewing access dependencies across connected platforms.

LastPass has advised customers to remain cautious of unsolicited communications, as attackers may attempt to exploit exposed contact data.

The company reiterated that it will never request master passwords and urged users to verify all communications through official support channels.

As part of the investigation, several indicators of compromise have been identified. Suspicious IP addresses linked to the activity include 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, and 159.183.181[.]239.

Malicious email sender domains observed in related activity include baccarat.com[.]au, robinskitchen.com[.]au, and house.com[.]au. Security teams are advised to monitor for these indicators within their environments.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
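The following script is an added example, not code from the article, LastPass or Klue. It takes the indicators exactly as published above (still defanged), refangs them only in memory, matches them against log lines, and defangs every value again before it is reported, which is the handling the note above calls for. The log lines and their field names are constructed for illustration and follow no vendor's real log format; sender domains are matched as whole names, so a subdomain of a listed domain hits while a look-alike such as a longer name ending in the same string does not.

```python
"""Match the advisory's defanged indicators against log lines.

Added example (not from the article or from LastPass/Klue). The indicator
values are the ones published in the disclosure; the log lines and their
field names are constructed and do not follow any vendor's real log format.
"""
import re

# Indicators exactly as published, still defanged with "[.]".
PUBLISHED_IPS = [
    "138.226.246[.]94", "94.154.32[.]160",
    "159.183.215[.]61", "159.183.181[.]239",
]
PUBLISHED_DOMAINS = ["baccarat.com[.]au", "robinskitchen.com[.]au", "house.com[.]au"]

# Constructed sample log lines (not real telemetry). Lines 1, 3, 5 and 6 should
# hit; line 4 uses a look-alike domain that must NOT match.
SAMPLE_LOG_LINES = [
    "2026-06-12T08:41:07Z api_access source_ip=138.226.246.94 user=klue-integration status=200",
    "2026-06-12T08:43:19Z api_access source_ip=10.20.30.40 user=jdoe status=200",
    "2026-06-12T09:02:11Z mail_inbound from=billing@robinskitchen.com.au to=sales@example.com",
    "2026-06-12T09:05:00Z mail_inbound from=news@notbaccarat.com.au to=sales@example.com",
    "2026-06-12T09:07:45Z mail_inbound from=alerts@mail.house.com.au to=support@example.com",
    "2026-06-12T10:12:30Z api_access source_ip=159.183.181.239 user=klue-integration status=200",
]


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be compared in memory only."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def defang(value: str) -> str:
    """Defang a dotted value again before it is logged, printed or ticketed."""
    return value.replace(".", "[.]")


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_pattern(domain: str) -> "re.Pattern[str]":
    """Match the domain or any subdomain as a whole name.

    'mail.house.com.au' matches 'house.com.au'; 'notbaccarat.com.au' does not
    match 'baccarat.com.au' because the label before it is not a boundary.
    """
    return re.compile(
        r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(domain) + r"(?![\w-])",
        re.IGNORECASE,
    )


def match_log_lines(lines, ips, domains):
    """Return (line_number, kind, defanged_indicator) for every indicator hit."""
    ip_set = {refang(i) for i in ips}
    domain_patterns = [(refang(d), domain_pattern(refang(d))) for d in domains]
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ip_set:
                hits.append((n, "ip", defang(ip)))
        for domain, pattern in domain_patterns:
            if pattern.search(line):
                hits.append((n, "domain", defang(domain)))
    return hits


if __name__ == "__main__":
    for line_no, kind, indicator in match_log_lines(
        SAMPLE_LOG_LINES, PUBLISHED_IPS, PUBLISHED_DOMAINS
    ):
        # Output stays defanged so a copy-paste into a ticket cannot resolve it.
        print(f"line {line_no}: {kind} indicator {indicator}")
```

Run it against an export of API access and mail gateway logs by replacing `SAMPLE_LOG_LINES` with the file's lines; the reported values remain defanged, so only the comparison inside the process ever handles a live IP or domain.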


Source: CybersecurityNews.com
