LastPass Says Klue Supply Chain Attack Let Hackers Access Salesforce Customer CRM Data
Image: TechCrunch

23 June 2026. Technology and Science. 10 sources

Key Takeaways

  • OAuth tokens stolen from third-party vendor Klue allowed unauthorized access to LastPass's Salesforce environment
  • Customer contact details and CRM records were exposed from that Salesforce environment
  • Customer vaults and stored passwords were not affected; only CRM data was exposed

Klue OAuth Breach

LastPass confirmed that a supply chain attack involving its third-party vendor Klue allowed an unauthorized actor to use stolen OAuth tokens to access customer data stored in its Salesforce environment.

Password manager LastPass says a supply chain attack involving third-party vendor Klue exposed customer contact and support information, though customer vaults and stored credentials were not affected.

AppleInsider

LastPass said it learned of the Klue incident on June 12, 2026, after Klue notified customers about unauthorized activity, and it said the exposed data was limited to customer relationship management information inside Salesforce.

Image from AppleInsider

The company said the exposed information included customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related records, while LastPass products, services, infrastructure, and customer vaults were not affected.

In a statement quoted by BleepingComputer, LastPass said, "On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com)," and it added that the threat actor then used the credentials to access LastPass customer data within its Salesforce environment.

Icarus Extortion

Multiple outlets tied the Klue breach to a threat actor named Icarus, with TechCrunch reporting that Icarus took credit and threatened to release stolen data if a ransom wasn’t paid.

TechCrunch also reported that LastPass said the breach occurred at market research firm Klue, not in its own systems, and that the hackers abused that access to obtain reams of data about LastPass customers.

Image from BleepingComputer

LastPass said its investigation found that the unauthorized actor was able to obtain the OAuth tokens Klue held for many of its customers, including LastPass, and that those tokens were then used to access LastPass customer data within its Salesforce environment, as quoted by BleepingComputer.

The incident was described as affecting systems integrated with Klue; Hackread reported that Salesforce disabled the Klue Battlecards integration infrastructure on June 17, 2026, after detecting unusual activity involving the app's connection to Salesforce.

What’s at Risk Next

LastPass warned that exposed contact details and CRM records could be used in phishing and social engineering attacks, and it advised customers to remain cautious of unsolicited communications.

LastPass has disclosed a security incident involving Klue, a third-party market intelligence platform used by its go-to-market teams, confirming that an unauthorized actor accessed customer relationship management (CRM) data stored within its Salesforce environment.

Cyber Press

Hackread said LastPass reminded users that LastPass staff will never ask for a master password and that official support communication will only come through trusted LastPass channels.

BleepingComputer similarly said attackers may leverage the exposed data in phishing and social engineering attacks, and it reiterated that the master password should not be shared with anyone.

Beyond LastPass, Cybersecurity Dive reported that the Klue attack led to mass exfiltration of Salesforce CRM data belonging to hundreds of Klue customers, including several prominent cybersecurity firms, and that Salesforce has disabled connections through the Klue Battlecards app until further notice.