LastPass customer names, emails, and support records stolen in third-party breach, vaults unaffected

midian182

Posts: 11,710   +177
Staff member
Facepalm: If there's one password manager that consistently proves these services aren't infallible, it's LastPass. The company has confirmed that some personal information and customer support case records were stolen after hackers breached Klue, a third-party platform used by its go-to-market teams.

The good news for anyone still using LastPass after its previous security disasters is that this was not a compromise of the company's password manager infrastructure. LastPass says customer vaults remain secure, and its products and services were not affected.

The more worrying news is that attackers accessed customer data inside its Salesforce environment after stealing OAuth tokens from Klue, a third-party market intelligence platform. LastPass said it learned of the Klue incident on June 12. Klue integrates with Salesforce and Gong systems, though LastPass says it has found no evidence that Gong-related data was accessed.

The stolen information included standard business contact and CRM data, such as names, phone numbers, email addresses, physical addresses, customer support case data, and sales-related information.

Customer support tickets can contain private or sensitive fragments, especially when users are dealing with billing problems or account-access issues. Even if passwords and vaults were not involved, the information could help make phishing and social engineering attempts look more convincing.

LastPass says it has discontinued all employee access to Klue, rotated the exposed API tokens, launched a detailed investigation with Klue and Salesforce, and notified law enforcement. It also warned customers to treat unsolicited emails, phone calls, or requests for sensitive information with caution, adding the usual reminder that no one at LastPass will ever ask for a master password.

BleepingComputer reports that the Klue supply-chain attack has been claimed by the Icarus extortion group, which allegedly compromised Klue's infrastructure using legacy credentials for an integration service. Other affected organizations reportedly include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.

The incident arrives with LastPass still dragging around the stink of its 2022 breach. That saga began with stolen source code and technical data before escalating into the theft of customer information and encrypted vault backups.

In 2023, LastPass revealed that a hacker had compromised a DevOps engineer's home computer, reportedly through Plex, to steal credentials and access a decrypted corporate vault.

It was also reported last year that federal agents had tied the 2022 LastPass breach to cryptocurrency thefts, including a $150 million heist. A third-party CRM breach may be less catastrophic than stolen vaults, but it's not like LastPass needs any more bad publicity.

Permalink to story:

 
ANYTHING that exists online can be hacked - NO exceptions. Don’t put everything in only one place people… I know Techspot recommends a password manager (it’s sponsored I believe) but it’s a foolish move.

Also, whenever a company gets hacked but says “user info wasn’t affected”… they’re LYING!!!
 
Last edited:
Under no circumstances should you listen to those telling you to abandon industry-standard security practices—they are not providing sound advice. Doing so only makes you an easier target.

Saying "everything gets hacked, so don't use a password manager" is terrible logic. It's like taking the locks off your front door because a locksmith could technically pick them.

Breaches happen. But you don’t have to rely on corporate honesty; just math.

Reputable managers use zero-knowledge encryption. Your passwords are encrypted on your local device before they ever hit a server. Even if a company's marketing or support databases get breached, hackers physically cannot read your vault.

Anyone claiming hackers will 'just download and crack the vault' doesn't understand modern cryptography. They can download the encrypted file all they want, but unless your master password is “Password123”, breaking standard AES-256 encryption with a strong passphrase would literally take a supercomputer billions of years. They aren't cracking the math; they are counting on you using a lazy master password.

If you abandon password managers, you will inevitably resort to password reuse. That is exactly what opportunistic hackers want. The real danger of breaches like this is targeted phishing. Keep using your password manager, turn on Multi-Factor Authentication (MFA), and do not click on unsolicited support emails.

Stay smart, use the tools, and don't let cynical advice compromise your safety.
 
People are becoming more lazy and stupid, if they surrender their security to a "master password manager".

The more we use our brain to remember and output back the passwords, the more active our brain will be. Slow down the degeneration. And further more, the best secure vault, is your brain.
 
Did you know that many datacenter insurance firms mandate use of a password manager in the terms for coverage? I wonder what the financial game is there...
 
Under no circumstances should you listen to those telling you to abandon industry-standard security practices—they are not providing sound advice. Doing so only makes you an easier target.
Some of them are self-serving.. others are good practice. Definitely DO use multiple strong passwords - a different one per site... but save your data somewhere UNHACKABLE - like maybe a piece of paper :)
Saying "everything gets hacked, so don't use a password manager" is terrible logic. It's like taking the locks off your front door because a locksmith could technically pick them.
You aren't taking the locks off your door - you're taking BAD locks off your door and replacing them with good ones :)
Breaches happen. But you don’t have to rely on corporate honesty; just math.

Reputable managers use zero-knowledge encryption. Your passwords are encrypted on your local device before they ever hit a server. Even if a company's marketing or support databases get breached, hackers physically cannot read your vault.
They don't need to "brute-force"... there are plenty of sites that have their password lists stolen and hacked - and they go into giant worldlists that hackers all have access to. They crack them against those... so all it takes is one breach (and there are TONS), and even if your password is 256 special characters, it's gonna fall... your only REAL defense is to have multiple passwords that you change often.
Anyone claiming hackers will 'just download and crack the vault' doesn't understand modern cryptography. They can download the encrypted file all they want, but unless your master password is “Password123”, breaking standard AES-256 encryption with a strong passphrase would literally take a supercomputer billions of years. They aren't cracking the math; they are counting on you using a lazy master password.
They don't have to - see above :)
If you abandon password managers, you will inevitably resort to password reuse. That is exactly what opportunistic hackers want. The real danger of breaches like this is targeted phishing. Keep using your password manager, turn on Multi-Factor Authentication (MFA), and do not click on unsolicited support emails.
No - use a BETTER system. a LOCAL "password manager" such as a notebook, or some other such system that can't be hacked. Yes, if someone specifically targets you and has the resources to steal and decypher that, you're in trouble - but if it's come to that, you were toast anyways...
Stay smart, use the tools, and don't let cynical advice compromise your safety.
I agree - don't rely on anyone other than yourself - don't trust anything online.
 
Some of them are self-serving.. others are good practice. Definitely DO use multiple strong passwords - a different one per site... but save your data somewhere UNHACKABLE - like maybe a piece of paper :)

You aren't taking the locks off your door - you're taking BAD locks off your door and replacing them with good ones :)

They don't need to "brute-force"... there are plenty of sites that have their password lists stolen and hacked - and they go into giant worldlists that hackers all have access to. They crack them against those... so all it takes is one breach (and there are TONS), and even if your password is 256 special characters, it's gonna fall... your only REAL defense is to have multiple passwords that you change often.

They don't have to - see above :)

No - use a BETTER system. a LOCAL "password manager" such as a notebook, or some other such system that can't be hacked. Yes, if someone specifically targets you and has the resources to steal and decypher that, you're in trouble - but if it's come to that, you were toast anyways...

I agree - don't rely on anyone other than yourself - don't trust anything online.
Least of all,governments or someone trying to sell you something.
 
I've been using Firefox password manager for over 15yrs, never had a problem. :)

Have been a LastPass user for years, even after the last breach. Periodically I've been asking myself the question, I should just use a free browser based password manager. I just haven't done that because with hundreds of passwords I have, I'm way to lazy to input them in manually one by one, it's way to time consuming. Yes, I do realize there are faster ways like importing them, but won't you run into formatting issues and things will be all over the place?
 
Some of them are self-serving.. others are good practice. Definitely DO use multiple strong passwords - a different one per site... but save your data somewhere UNHACKABLE - like maybe a piece of paper :)

You aren't taking the locks off your door - you're taking BAD locks off your door and replacing them with good ones :)

They don't need to "brute-force"... there are plenty of sites that have their password lists stolen and hacked - and they go into giant worldlists that hackers all have access to. They crack them against those... so all it takes is one breach (and there are TONS), and even if your password is 256 special characters, it's gonna fall... your only REAL defense is to have multiple passwords that you change often.

They don't have to - see above :)

No - use a BETTER system. a LOCAL "password manager" such as a notebook, or some other such system that can't be hacked. Yes, if someone specifically targets you and has the resources to steal and decypher that, you're in trouble - but if it's come to that, you were toast anyways...

I agree - don't rely on anyone other than yourself - don't trust anything online.

This is not good advice for the average person. It fundamentally introduces well-documented, severe physical vulnerability and psychological friction that ultimately leads to weak passwords. Modern cryptographic security works and is appropriate for most people. The idea that a notebook is “better” relies on a fundamental misunderstanding of cryptography and the predictable failures of human behavior.

1. Wordlists cannot crack random math.

The Claim:
A 256-character password will "fall" because hackers use giant worldlists from old breaches.

The Fact: Wordlists only contain known, previously leaked passwords. If a password manager generates a unique, random string for you, that string has never existed before. It is not on any wordlist, and it is mathematically impossible to guess.

2. Conflating standard site breaches with Zero-Knowledge vaults.

The Claim:
Hackers just steal the password lists from sites, so password managers are useless.

The Fact: When a standard website gets breached, hackers get raw data. When a zero-knowledge password manager gets breached, hackers only get a heavily encrypted file. Unless your master password is a weak guess like "Password123", breaking that standard AES-256 encryption would take a supercomputer billions of years. They aren't cracking the math.

3. Notebooks introduce worse security risks.

The Claim:
A physical notebook is a "better system" because it can't be remote-hacked.

The Fact: A notebook has zero backups. If your house experiences a fire, a flood, or you simply lose the book, your entire digital identity is permanently gone.

The Friction Trap: No one is going to manually type a random 20-character password like 7x$K#m9P!wQ@z2&L into their phone screen every time they log in. A notebook inevitably forces users to create short, weak, easily guessable passwords just so they can type them easily. Those are the passwords that fall to wordlists.

The Bottom Line:
You don’t have to trust a cloud company, but you should trust math. If you want the ultimate security without cloud risks, use a local, offline digital manager on a USB drive.

Stick to modern industry standards: use unique passwords, leverage encryption, and turn on Multi-Factor Authentication (MFA).

Don't let fear mongering and incorrect political ideology drive you back to the Stone Age.
 
Putting ALL your passwords in one place... jesus what is wrong with people.
Maybe they understand encryption at rest and in transit.

The alternative is using the same password across 1000 sites, so that if even a single one is breached, they get access to ALL your accounts.

Is that your proposal?

How about trust security experts on the matter instead of clueless bikeshedding?

This news isn't even about passwords btw.
 
If possible, try to remember your passwords. Memorize them. The best vault is our brain.

Even writing down on a personal physical diary or pen & pencil notebook cannot be hacked, but still can get stolen.

I don't even use so-called biometric unlocking in my phone. In the unlikely event that a criminal force your fingerprint on the bank app, your money is as good as gone. Forcing you to spit out your passwords from your brain will be much harder than unlocking your phone by shoving it to your face or force press your fingerprints on the phone. A small price to pay to forego convenience for security.

But again, surrendering your passwords to a password "manager" is a really bad idea.

There's NO software that can't be hacked.
 
Last edited:
Have been a LastPass user for years, even after the last breach. Periodically I've been asking myself the question, I should just use a free browser based password manager. I just haven't done that because with hundreds of passwords I have, I'm way to lazy to input them in manually one by one, it's way to time consuming. Yes, I do realize there are faster ways like importing them, but won't you run into formatting issues and things will be all over the place?
You, can download your passwords from LastPass, to a CSV file, and then import it to Firefox, or the like...
 
I've been using Firefox password manager for over 15yrs, never had a problem.
Same here. Some versions back they beefed up the security of it too. It's still not as secure as it could be, but it's very solid.
If you abandon password managers, you will inevitably resort to password reuse.
Not necessarily. Firefox offers unique auto generated password when creating new account. For password re-use the user has to explicitly type in one of their existing passwords twice when creating a new account.

it's much less feature complete compared to password managers tho.
There is no way to show which accounts have 2FA enabled (or even available to be enabled).
There is no built in duplicate checker to find and offer to change matching duplicates.

And im sure there are myriad of other features it lacks.
 
Back