LastPass suffers another data breach as third-party OAuth token theft exposes customer records

LastPass has confirmed another data breach, this time through a compromised third-party service provider. Attackers used stolen OAuth tokens from Klue, a market intelligence platform, to access LastPass’s Salesforce environment and extract customer contact information.

The breach is the latest in a troubled security history for the password manager, which suffered a major 2022 incident that exposed encrypted vaults and has since faced regulatory fines.

What happened

The extortion group known as Icarus compromised Klue’s backend systems on or around June 12, 2026, pushing a malicious code update that harvested OAuth tokens. Using those tokens, the attackers queried Salesforce environments to copy CRM data belonging to LastPass and other Klue customers.

LastPass said the exposed data includes customer names, phone numbers, email addresses, physical addresses, support case records, and sales-related information. The company emphasized that LastPass products, services, infrastructure, and customer password vaults were not affected. Master passwords and encrypted vault contents remain secure.

Klue notified customers of the unauthorized activity on June 12. After Salesforce disabled the Klue Battlecards integration on June 17, LastPass published its disclosure on June 23, having rotated the exposed tokens, discontinued employee access to Klue, and notified law enforcement.

What to watch for

The exposed contact information creates phishing and social engineering risks. Attackers can use CRM records to craft convincing messages that appear to come from LastPass. The company reiterated that its staff will never ask for a master password.

The Klue incident underscores a growing vulnerability: OAuth tokens designed to let applications share data seamlessly become attack vectors when a third-party service holding those tokens is compromised. Security researchers recommend that companies review which apps have access to CRM data, revoke unused connections, rotate tokens immediately after vendor incidents, and monitor API activity for unusual data exports.

Other security news this week

Former US National Security Advisor John Bolton pleaded guilty on June 26 to one count of unlawfully retaining classified information, resolving an 18-count indictment. Under the plea deal, Bolton faces a fine of about US$2 million (roughly £1.6 million) and up to five years in prison, though the judge will determine the final sentence. The case stemmed from Bolton transmitting handwritten notes containing highly classified information to two family members during and after his time in the Trump administration.

Microsoft’s Digital Crimes Unit, working with Europol and international partners, announced the disruption of the Amadey and StealC infostealer operations as part of the ongoing Operation Endgame. The coordinated action identified more than 200 malicious command-and-control domains and IPs, which were shut down through court orders and domain seizures. Over 140,000 computers worldwide were found infected with the tools during a two-week monitoring period in May. The operation recovered 27 million stolen login credentials and froze EUR 41 million (approximately US$47 million) in criminal crypto assets. Microsoft said investigators used AI tools including Copilot to analyze malware binaries and map infrastructure shared between the two families, which operate as malware-as-a-service and serve as gateways to ransomware attacks.

Sources: Security News This Week: LastPass Users Had Their Data Stolen – Again (Wired, June 27, 2026); LastPass Confirms Customer Data Breach After Klue OAuth Token Theft (HackRead, June 23, 2026); Microsoft, Europol lead global takedown of infostealer malware (Cybersecurity Dive, June 24, 2026); John Bolton pleads guilty in documents case (USA Today, June 26, 2026)