Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 24, 2026 · 5 min read

LastPass Confirms Customer Data Stolen in Klue Attack

On June 23, the Icarus extortion group used stolen Klue OAuth tokens to access LastPass's Salesforce CRM, exposing customer contact details and support case history. Password vaults remained secure.

On June 23, 2026, LastPass confirmed that the Icarus extortion group accessed its Salesforce CRM environment by stealing OAuth tokens from Klue, a third party market intelligence platform LastPass used internally. The attackers walked out with customer names, phone numbers, email addresses, physical addresses, and support case contents. Password vaults and master passwords were not touched.

Key Takeaways

  • • LastPass learned of the Klue breach on June 12, 2026 — eleven days before its public disclosure on June 23.
  • • Icarus compromised Klue's infrastructure using legacy credentials, then stole OAuth tokens Klue held on behalf of multiple enterprise customers, including LastPass.
  • • Customer contact data and support case history were exposed; password vaults, master passwords, and LastPass infrastructure remained secure.
  • • Icarus is now using the stolen contact data to run targeted phishing campaigns via fraudulent sender domains including baccarat.com.au and robinskitchen.com.au.

How Did the Klue Supply Chain Attack Work?

Icarus gained initial access to Klue by exploiting legacy credentials for an integration service — credentials that should no longer have had valid access. Once inside Klue's infrastructure, the group exfiltrated OAuth tokens that Klue held on behalf of its enterprise customers. Klue is an AI powered market intelligence platform that integrates directly with customers' Salesforce and Gong environments; those OAuth tokens were the keys to the kingdom.

With LastPass's OAuth token in hand, Icarus authenticated directly into LastPass's Salesforce CRM instance without needing to break a single LastPass credential. The attack required no phishing of LastPass employees, no brute force, and no exploitation of a LastPass vulnerability — just a lateral move through a trusted third party.

Other organizations confirmed affected by the same attack include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity — all Klue customers whose Salesforce environments were exposed through the same token pipeline. Source: BleepingComputer

What Did the Attackers Steal?

Icarus obtained customer names, phone numbers, email addresses, physical addresses, support case data, and sales related CRM records. According to TechCrunch's reporting, support case contents are particularly dangerous because they often include detailed account troubleshooting history, device information, and partial credential recovery discussions — exactly the kind of context that makes a phishing email sound credible.

This is not generic scraped contact data. An attacker who knows your name, mailing address, phone number, and the specifics of a support ticket you filed six months ago can craft a convincing impersonation that a spam filter will never catch.

Is My LastPass Vault Safe?

Yes. LastPass confirmed that its products, services, and infrastructure were not affected by the Klue incident. Password vaults, master passwords, and the encryption layer protecting stored credentials remained untouched. LastPass disabled employee access to Klue, rotated all exposed API and OAuth tokens, and notified law enforcement.

The distinction matters, but it does not erase the risk. This is LastPass's second significant incident in four years. The 2022 breach exposed encrypted vault backups after attackers compromised a senior DevOps engineer's personal machine — an attack that eventually enabled an estimated $35 million in cryptocurrency theft as attackers brute forced vaults with weak master passwords. In 2026, Icarus has your name, address, phone number, and support history — a toolkit for targeted social engineering, even without vault access.

A digital padlock overlaying a fractured supply chain graphic with glowing server nodes and cracked data streams

The Supply Chain CRM Attack Pattern

The Klue compromise is the latest iteration of a campaign targeting the SaaS platforms companies plug into their CRM. Charter Communications lost tens of millions of customer records after a single voice phishing call gave attackers access to a Microsoft Entra account connected to its Salesforce instance — see One Vishing Call Cost Charter 40 Million Customer Records.

What distinguishes the Klue and Icarus approach is the indirection. ShinyHunters typically phished or vished a target company employee directly. Icarus went one layer deeper: compromise the vendor, inherit every customer's OAuth token. One intrusion, multiple Salesforce environments. The attack surface for any given enterprise now includes every SaaS tool it has ever granted CRM access — a list that, for a company the size of LastPass, runs into the dozens.

The lesson for security teams: delegated OAuth access is a shared liability. Every third party platform that holds tokens connected to your CRM is a potential entry point. Auditing and rotating OAuth grants regularly — not just after an incident — is now baseline hygiene. Leaked developer credentials carry the same class of risk: weeks later, a hacker put 35GB of Accenture source code and Azure access tokens up for sale after a breach of its DevOps environment.

What Should LastPass Users Do Now?

Four immediate actions:

  • Watch for targeted phishing. Icarus is actively using stolen contact data. Fraudulent sender domains confirmed in use include baccarat.com.au, robinskitchen.com.au, and house.com.au. Any communication claiming to be from LastPass that references your support case history or arrives from an unfamiliar domain should be treated as hostile.
  • Never share your master password. LastPass itself cannot access your master password — any request for it is fraudulent by definition.
  • Enable TOTP based two factor authentication. The stolen data includes phone numbers. SMS 2FA is vulnerable to SIM swapping, which becomes significantly easier when an attacker already has your phone number and mailing address. Use an authenticator app or hardware key instead.
  • Review what you share in support tickets. Avoid including passwords, recovery phrases, or sensitive account details in support correspondence — redact or paraphrase wherever possible.

For context on how stolen contact records feed downstream infostealer campaigns, see 24 Billion Credentials Exposed in Massive Infostealer Dump. For the mechanics of how REMUS — the first commercial infostealer purpose built to target password manager extensions — operates against LastPass specifically, see REMUS: First Infostealer Targeting Password Manager Extensions.

Why Email Users Should Care

Every breach that exposes names, email addresses, and support case history becomes ammunition for spear phishing. Generic phishing casts a wide net and hopes someone clicks. Spear phishing — the variant Icarus is now equipped to run against LastPass's customer base — opens with your real name, references your actual address, and invokes a support interaction you remember having. That specificity is precisely what makes it dangerous.

LastPass users are high value targets by definition: they use a password manager because they have passwords worth protecting. The phishing email that exploits this breach will not look like spam — it will look like a routine security follow up from a company you trust. The defense is skepticism, verification through official channels, and TOTP based 2FA that an intercepted one time code cannot defeat.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.