Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack at one of its technology partners, marking the company’s latest data breach in recent years.
Key Takeaways:
- Third-Party Vulnerability: LastPass customer data, including names, emails, and support records, was compromised not from LastPass’s direct systems, but through a breach at market research partner Klue.
- Sensitive Data Exposed: While password vaults remain secure in this specific incident, the stolen data includes personal identifiers and potentially sensitive information from customer support interactions, raising privacy concerns.
- Recurring Trust Challenge: This marks another significant data incident for LastPass, coming on the heels of its major 2022 breach that saw customer password vaults stolen, further eroding user trust in the security of their digital lives.
LastPass Customers Hit Again: Personal Data Stolen Via Third-Party Partner Klue
In a concerning development for its millions of users, password management giant LastPass has begun informing customers that their personal information and records from customer support cases were illicitly accessed and stolen. The breach, however, did not originate within LastPass’s own robust security infrastructure but rather at one of its trusted technology partners, the market research firm Klue. This incident represents the latest in a series of data security challenges for LastPass, reigniting questions about supply chain vulnerabilities and the broader implications for digital privacy.
The Ripple Effect: How a Partner’s Breach Impacts Millions
The breach, which Klue itself publicly disclosed last week, exposed data from multiple high-profile cybersecurity companies. In addition to LastPass, others like bug bounty platform HackerOne, threat intelligence firm Recorded Future, and endpoint security provider Tanium also confirmed data theft as a result of the Klue compromise. This interconnectedness highlights a critical vulnerability in today’s digital ecosystem: even companies with stringent internal security measures can be exposed through third-party vendors who handle their sensitive data.
According to an email shared with TechCrunch from an affected LastPass customer, the company explicitly stated that while Klue was the point of compromise, the hackers leveraged this access to exfiltrate significant volumes of data pertaining to LastPass customers. This distinction is crucial, as it indicates a sophisticated attack where initial access to one vendor was used as a stepping stone to target downstream data of another.
What Customer Data Is Now in the Hands of Attackers?
In a detailed blog post outlining the incident, LastPass confirmed the categories of information stolen. This includes customers’ full names, phone numbers, email addresses, and even physical addresses. Beyond basic contact information, the attackers also secured customer support case data and various sales-related data. While LastPass was quick to reassure users that its own core infrastructure, including the highly sensitive customer password vaults, remained uncompromised in *this specific* incident, the implications of the stolen data are still significant.
The contents of customer support tickets are particularly troubling. Users typically engage with customer service for highly personal reasons – troubleshooting account access issues, resolving billing discrepancies, or reporting suspicious activity. Past incidents involving similar data types have shown that such records can inadvertently contain fragments of credentials, partial financial details, or even copies of government-issued identity documents. While LastPass has not specified the exact nature of the data within these support tickets, the potential for sensitive information to be exposed creates a considerable privacy risk for affected individuals.
As of 2024, LastPass boasts a user base exceeding 33 million, with approximately 1.6 million paying customers. The lack of immediate response from LastPass spokespeople to TechCrunch’s inquiries, particularly regarding the precise number of customers affected, only adds to the uncertainty and concern surrounding this event. This silence leaves a significant portion of their vast user base wondering if their personal details are now exposed.
A Shadow of Past Breaches: LastPass’s Troubled Security History
This latest incident cannot be viewed in isolation. It unfolds against the backdrop of LastPass’s devastating 2022 data breach, an event that profoundly shook user confidence and had far more severe consequences. In that earlier breach, hackers successfully stole the company’s entire store of customer password vaults. These vaults are the digital strongboxes where users safeguard their most sensitive credentials – passwords, secure notes, multifactor authentication tokens, and even credit card numbers.
Although those vaults were encrypted with master passwords known only to the individual customer, the 2022 breach exposed them to offline brute-force attacks: anyone holding a copy of a vault could guess master passwords without any rate limiting or lockout, so vaults protected by weaker master passwords were at real risk of being opened. The fallout was severe, with several high-profile cryptocurrency thefts later linked to the LastPass breach, as attackers were suspected of accessing victims’ digital wallet keys by successfully compromising their password vaults. This historical context makes any new breach, regardless of its scope, a significant blow to LastPass’s reputation and the trust its users place in its service.
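To make the offline-guessing point above concrete, the following is an added example (not LastPass’s code, and not from the article) of a toy vault whose encryption key is derived from the master password with PBKDF2-HMAC-SHA256. It models why two things decide whether a stolen vault stays sealed: the size of the master password’s keyspace and the key-derivation work factor the attacker must pay per guess. The salt, the attacker throughput figure and the iteration counts (5,000 as a legacy-style setting, 600,000 as the OWASP-recommended minimum for PBKDF2-HMAC-SHA256) are illustrative assumptions.

```python
"""Constructed illustration of why a stolen, encrypted vault is an offline guessing problem.

Not LastPass code. The vault key is stretched from the master password with a
slow KDF, so each master-password guess costs the attacker the full KDF work.
Expected cracking cost = (expected guesses over the keyspace) x (KDF cost per guess).
"""
import hashlib
import math

# Assumption: a per-user random salt stored next to the vault (constructed value).
SALT = b"constructed-per-user-salt-value"
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, iterations: int) -> bytes:
    """Stretch the master password into the vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), SALT, iterations, dklen=KEY_LEN
    )


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Average guesses needed to hit a uniformly random password: half the keyspace."""
    return (alphabet_size ** length) / 2


def expected_crack_seconds(alphabet_size: int, length: int,
                           iterations: int, hashes_per_second: float) -> float:
    """Expected offline cracking time in seconds.

    hashes_per_second is the attacker's raw HMAC-SHA256 throughput (a constructed
    figure for the example); every guess costs `iterations` HMAC computations,
    so guess throughput falls linearly with the iteration count.
    """
    guesses_per_second = hashes_per_second / iterations
    return expected_guesses(alphabet_size, length) / guesses_per_second


def compare_settings(hashes_per_second: float = 1e10) -> dict:
    """Tabulate expected crack time for weak/strong master passwords under
    low/high iteration counts. Returns {(description, iterations): seconds}."""
    cases = {
        "8 lowercase letters": (26, 8),     # ~37.6 bits of entropy
        "12 mixed-case+digits": (62, 12),   # ~71.5 bits of entropy
    }
    # Illustrative iteration counts (assumptions): 5_000 as a legacy-style
    # setting, 600_000 as the OWASP-recommended minimum for PBKDF2-HMAC-SHA256.
    results = {}
    for desc, (alphabet, length) in cases.items():
        for iters in (5_000, 600_000):
            results[(desc, iters)] = expected_crack_seconds(
                alphabet, length, iters, hashes_per_second
            )
    return results


if __name__ == "__main__":
    # Same password and iteration count always yield the same key; changing either changes it.
    k1 = derive_vault_key("correct horse battery", 600_000)
    k2 = derive_vault_key("correct horse battery", 5_000)
    print("key differs with iteration count:", k1 != k2)
    for (desc, iters), secs in compare_settings().items():
        print(f"{desc:22s} @ {iters:>7d} iterations: {secs / 86400 / 365:.2e} years")
```

Raising the iteration count from 5,000 to 600,000 makes every guess 120 times more expensive, but the table also shows that no realistic work factor rescues a short lowercase master password, while a long random one stays out of reach even at the legacy setting. Both knobs matter, and only the password is under the user’s control after a vault has been stolen.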
Klue’s Disclosure and the Threat of “Icarus”
Klue CEO Jason Smith confirmed in a blog post that the company first detected unauthorized access within its systems on June 12. Responsibility for the breach has been claimed by a hacking and extortion group identifying itself as “Icarus.” The group has not only taken credit for the intrusion but has also publicly threatened to release the stolen data unless a ransom is paid. Such tactics are increasingly common, adding another layer of urgency and risk to data breach incidents. Like LastPass, Klue’s CEO has not yet responded to TechCrunch’s requests for comment, including questions about the number of affected customers and whether the company has had any direct communication with the “Icarus” group.
What Users Should Do and Broader Industry Implications
For affected LastPass customers, vigilance is paramount. While password vaults are reportedly safe from *this* particular breach, the exposure of personal identifying information (PII) like names, emails, phone numbers, and addresses significantly increases the risk of targeted phishing attacks, social engineering attempts, and identity theft. Users should be extremely cautious of any unsolicited communications – emails, texts, or phone calls – that appear to come from LastPass or other services, especially those asking for personal details or login credentials. It is always best to directly navigate to official websites for any account management.
This incident serves as a stark reminder of the pervasive threat of supply chain attacks. Companies, regardless of their size or security posture, are only as strong as the weakest link in their network of third-party vendors. For the cybersecurity industry, breaches like this, especially those involving firms like LastPass, HackerOne, and Recorded Future, are particularly damaging. They not only undermine user trust but also highlight a critical need for more rigorous vendor security assessments, continuous monitoring, and robust incident response plans that extend beyond a company’s immediate perimeter.
Bottom Line
The latest data breach impacting LastPass customers, while originating from a third-party vendor and reportedly not compromising password vaults directly, underscores the persistent and evolving nature of cyber threats. For LastPass, a company still rebuilding trust after its severe 2022 breach, this incident is another significant setback, raising concerns about its vendor management and the broader security ecosystem. Users must remain hyper-vigilant against potential phishing and identity theft, while the industry as a whole is once again reminded that robust internal security is only one piece of a much larger, interconnected puzzle. The digital landscape demands continuous adaptation, rigorous third-party oversight, and transparent communication to safeguard user data effectively in an era of sophisticated supply chain attacks.