security · data-breach · password-manager · supply-chain

LastPass Customer Data Exposed in Third-Party Vendor Breach

Hackers accessed LastPass contact records via a compromised OAuth token at sales intelligence vendor Klue, in an attack that hit dozens of other companies too.

LastPass confirmed a data breach this week — and this time it's not the vault, but the Rolodex.

Attackers compromised a legacy credential at Klue, a market intelligence tool LastPass uses to track competitors and manage sales pipelines. Using that foothold, they obtained the OAuth tokens Klue held on behalf of its clients and then ran Python scripts against the Salesforce API to pull customer records in bulk. Because a sales-intelligence integration only needs read access to CRM data, what leaked looks like a contact export rather than anything from the password product: LastPass says the exposed data is limited to names, phone numbers, email addresses, physical addresses, and sales records. Passwords and vaults were not touched. The company has revoked Klue's access, notified law enforcement, and is cooperating with the security community.

This isn't a LastPass-specific story; it's a supply-chain story wearing a LastPass badge. An extortion group called Icarus has claimed credit for a broad campaign targeting multiple Klue customers, and confirmed victims include Recorded Future, Tanium, Jamf, Sprout Social, and Gong. That list spans security vendors, IT management firms, and sales analytics platforms, organizations that should know better, all undone by a credential their vendor was still holding. The real exposure here is the OAuth token: a long-lived credential that stays valid until someone revokes it, and nobody did. Because such a token authenticates the integration rather than a person, it sidesteps the password and MFA on the accounts it was issued for, which is why an attacker can read data as a trusted vendor without ever logging in. Two controls matter accordingly: watch the volume of what each connected app pulls, and periodically revoke tokens that are idle, aged, or tied to vendors you no longer use.
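The two checks implied by the attack chain above (a vendor's token pulling records in bulk, and long-lived tokens that nobody revoked) can be scripted. The following is an added example written for this page, not code from LastPass, Klue, or Salesforce. It assumes a normalised API-access log with the fields `ts`, `app`, `user`, `op`, `rows` and a token inventory with `app`, `user`, `issued`, `last_used`; these field names are assumptions, and the log lines and tokens are constructed sample data. Real Salesforce event log files and connected-app token listings use their own column names and would need to be mapped into this shape first.

```python
"""Detect bulk extraction by a connected app and list OAuth tokens due for revocation.

Added example; not from the article or from any vendor's tooling. Field names
(ts, app, user, op, rows, issued, last_used) are assumed, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: a vendor integration that reads a few hundred rows a
# day, then three off-hours queries that each return 20,000 rows.
SAMPLE_LOG = [
    {"ts": "2025-11-01T09:00:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 400},
    {"ts": "2025-11-02T09:00:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 380},
    {"ts": "2025-11-03T09:00:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 420},
    {"ts": "2025-11-04T09:00:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 390},
    {"ts": "2025-11-05T09:00:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 410},
    {"ts": "2025-11-06T02:13:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 20000},
    {"ts": "2025-11-06T02:20:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 20000},
    {"ts": "2025-11-06T02:27:00Z", "app": "MarketIntel Sync", "user": "svc.intel", "op": "query", "rows": 20000},
    {"ts": "2025-11-06T09:00:00Z", "app": "Support Desk", "user": "svc.desk", "op": "query", "rows": 1200},
]

# Constructed sample token inventory, one entry per connected app/user pair.
SAMPLE_TOKENS = [
    {"app": "MarketIntel Sync", "user": "svc.intel", "issued": "2023-02-10T00:00:00Z", "last_used": "2025-11-06T02:27:00Z"},
    {"app": "Old CRM Export", "user": "jdoe", "issued": "2022-05-01T00:00:00Z", "last_used": "2024-01-15T00:00:00Z"},
    {"app": "Support Desk", "user": "svc.desk", "issued": "2025-06-01T00:00:00Z", "last_used": "2025-11-06T09:00:00Z"},
]

# Vendors procurement still has a contract with (assumed list).
APPROVED_APPS = {"MarketIntel Sync", "Support Desk"}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FMT)


def daily_rows_by_app(log):
    """Sum rows returned per (app, day). Returns {app: {day: rows}}, days ascending."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in log:
        totals[rec["app"]][_parse(rec["ts"]).date().isoformat()] += rec["rows"]
    return {app: dict(sorted(days.items())) for app, days in totals.items()}


def volume_anomalies(log, ratio=5.0, floor=5000, min_history=3):
    """Flag days on which an app pulled more than `floor` rows AND more than
    `ratio` times the median of that app's earlier days. With fewer than
    `min_history` earlier days there is no baseline, so only the floor applies."""
    findings = []
    for app, days in daily_rows_by_app(log).items():
        history = []
        for day, rows in days.items():
            baseline = median(history) if len(history) >= min_history else None
            over_ratio = baseline is None or rows > ratio * baseline
            if rows > floor and over_ratio:
                findings.append({"app": app, "day": day, "rows": rows, "baseline": baseline})
            history.append(rows)
    return findings


def tokens_to_revoke(tokens, now, approved_apps, max_idle_days=90, max_age_days=365):
    """Return tokens that should be revoked, with reason codes:
    'unapproved' (vendor not on the approved list), 'idle' (unused for more than
    max_idle_days), 'aged' (issued more than max_age_days ago)."""
    now_dt = _parse(now)
    out = []
    for tok in tokens:
        reasons = []
        if tok["app"] not in approved_apps:
            reasons.append("unapproved")
        if now_dt - _parse(tok["last_used"]) > timedelta(days=max_idle_days):
            reasons.append("idle")
        if now_dt - _parse(tok["issued"]) > timedelta(days=max_age_days):
            reasons.append("aged")
        if reasons:
            out.append({"app": tok["app"], "user": tok["user"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in volume_anomalies(SAMPLE_LOG):
        print(f"BULK PULL  {f['app']:<18} {f['day']}  rows={f['rows']}  baseline={f['baseline']}")
    for t in tokens_to_revoke(SAMPLE_TOKENS, "2025-11-07T00:00:00Z", APPROVED_APPS):
        print(f"REVOKE     {t['app']:<18} user={t['user']}  {','.join(t['reasons'])}")
```

Run against the constructed data, the first check flags only the 6 November pull by "MarketIntel Sync" (60,000 rows against a 400-row baseline), and the second lists the vendor token as "aged" even though it is approved and in daily use, which is exactly the credential category this incident turned on; the abandoned "Old CRM Export" token fails all three tests. The thresholds are arbitrary starting points, not tuned values.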

LastPass has now suffered multiple serious security incidents in recent years, which means even a breach that spares the vault is a credibility problem. The company is urging customers to watch for phishing that uses the leaked contact data. That is reasonable advice, since names, addresses and sales history are exactly what a convincing lure needs, though it lands a little hollow coming from the brand with the most trust left to rebuild.


The Revision

Written by an AI system from the public sources credited above.