HeadlinesBriefing.com

LastPass breach exposes contact data via Klue supply chain

AppleInsider

Password manager LastPass disclosed a supply-chain breach that originated with third-party vendor Klue. Attackers stole OAuth tokens from Klue's integration with Salesforce and used them to access LastPass's Salesforce environment. The intrusion exposed customer names, phone numbers, email addresses, physical addresses, and support case details; password vaults were not touched. The leak affects tens of thousands of accounts worldwide.

According to Klue's disclosure on June 22, the breach stemmed from a compromised legacy credential tied to an integration service. With the stolen OAuth tokens, the actor could read data across the customer environments connected to that integration; the exposed contact details raise the risk of targeted phishing and social-engineering attacks against affected users. Unlike the 2022 incident, this episode did not expose encrypted password stores.

LastPass responded by rotating the compromised tokens, disabling employee access to Klue, and opening an internal investigation; law enforcement has been notified. Klue revoked the affected credentials and removed the unauthorized code. Users should treat any unsolicited request for their master password as phishing and keep multi-factor authentication enabled. The breach underscores that even an indirect supply-chain weakness can expose a significant amount of personal data.
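The two mechanics in the summary above, a vendor integration's OAuth tokens being used from somewhere the vendor never operates, and the response of revoking those tokens, translate into a straightforward audit-log check. The Python below is an added example for this page, not code from LastPass, Klue, Salesforce or the AppleInsider article. The audit-event field names (ts, client_id, token_id, src_ip, action, object), the integration name "vendor-integration", the documented egress range 203.0.113.0/24 and the sample events are all constructed for illustration; real platforms use different schemas.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real LastPass, Klue or Salesforce logs).
# Events 1-2: the vendor integration working from its documented egress range.
# Events 3-4: the same refresh-token-backed access token used from an unrelated
# address, including a bulk export of contact records.
# Event 5: an internal app, outside the scope of this check.
SAMPLE_LOG = """
{"ts": "2025-06-21T09:00:00Z", "client_id": "vendor-integration", "token_id": "tok-A1", "src_ip": "203.0.113.10", "action": "query", "object": "Case"}
{"ts": "2025-06-21T09:05:00Z", "client_id": "vendor-integration", "token_id": "tok-A1", "src_ip": "203.0.113.11", "action": "query", "object": "Contact"}
{"ts": "2025-06-21T09:07:00Z", "client_id": "vendor-integration", "token_id": "tok-A1", "src_ip": "198.51.100.7", "action": "query", "object": "Contact"}
{"ts": "2025-06-21T09:08:00Z", "client_id": "vendor-integration", "token_id": "tok-A1", "src_ip": "198.51.100.7", "action": "bulk_export", "object": "Contact"}
{"ts": "2025-06-21T09:20:00Z", "client_id": "internal-app", "token_id": "tok-B9", "src_ip": "10.0.4.2", "action": "query", "object": "Account"}
"""

# Per third-party integration, the source ranges the vendor has documented for
# its outbound traffic. Assumed values for the example.
VENDOR_EGRESS = {
    "vendor-integration": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_events(text):
    """Parse newline-delimited JSON audit events into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["src_ip"] = ipaddress.ip_address(ev["src_ip"])
        events.append(ev)
    return events


def source_key(ip, allowed):
    """Collapse a vendor's documented egress range to a single source so its own
    NAT pool does not look like token sharing; any other IP is its own source.
    Returns (key, inside_egress)."""
    for net in allowed:
        if ip in net:
            return str(net), True
    return str(ip), False


def find_token_abuse(events, egress=VENDOR_EGRESS, window=timedelta(minutes=30)):
    """Flag two signs that an integration's OAuth token has left the vendor:
    use from outside the vendor's documented egress, and the same token_id
    appearing from a new source within `window` of its previous use."""
    findings = []
    last_seen = {}  # token_id -> (timestamp, source key) of the previous event
    for ev in sorted(events, key=lambda e: e["ts"]):
        allowed = egress.get(ev["client_id"])
        if allowed is None:
            continue  # not a third-party integration covered by this check
        src, inside = source_key(ev["src_ip"], allowed)
        if not inside:
            findings.append((ev["token_id"], "outside_vendor_egress", src))
        prev = last_seen.get(ev["token_id"])
        if prev and prev[1] != src and ev["ts"] - prev[0] <= window:
            findings.append((ev["token_id"], "token_reused_from_new_source", f"{prev[1]} -> {src}"))
        last_seen[ev["token_id"]] = (ev["ts"], src)
    return findings


def tokens_to_revoke(findings):
    """Every token with a finding is treated as stolen and queued for revocation;
    rotating it at the identity provider is what invalidates the attacker's copy."""
    return {token_id for token_id, _, _ in findings}


if __name__ == "__main__":
    found = find_token_abuse(parse_events(SAMPLE_LOG))
    for token_id, reason, detail in found:
        print(f"{token_id}: {reason} ({detail})")
    print("revoke:", sorted(tokens_to_revoke(found)))
```

Note the deliberate asymmetry: a token moving between two addresses inside the vendor's documented range is not a finding, because vendor NAT pools do that constantly, while a move from that range to any other address is. Tightening the window or adding the action type (a bulk export by a vendor token from an unknown address) is where a real detection would go next.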