Imagine getting a call from “LastPass support.” The caller knows your subscription tier, your last trouble ticket, and your home address. That call could be coming — not because hackers cracked your vault, but because they stole the customer data that makes social engineering terrifyingly convincing. Attackers exploited a breach at market intelligence firm Klue to raid LastPass’s Salesforce environment. Your password vaults remain encrypted and untouched. The information surrounding them? That’s another story entirely.
What Actually Got Stolen
Names, addresses, phone numbers, support cases, and CRM records were pulled from LastPass’s Salesforce instance via stolen OAuth tokens.
LastPass confirmed that hackers accessed names, phone numbers, email addresses, physical addresses, support case records, and sales data, according to BleepingComputer. The company has not disclosed how many customers were affected. LastPass spokespeople did not respond to questions from TechCrunch about the scope of the incident.
- Confirmed stolen: contact details, physical addresses, support ticket data, and sales and CRM records
- Unknown: specific contents of individual support tickets; total number of affected customers
- LastPass claims 33 million users and roughly 1.6 million paying customers as of 2024, per TechCrunch
- Password vaults and core infrastructure were not compromised
- LastPass itself warned that stolen data could fuel targeted phishing and social engineering
Huntress, another affected company, described the exfiltration as a “bulk export” including “business contacts, price quotes, and other sales-related data and messaging,” according to the firm’s breach investigation blog.
The Bigger Problem Nobody’s Talking About
Support tickets are where people overshare — and attackers now have that context paired with your full contact details.
“Vaults weren’t touched” sounds reassuring until you consider what lives inside support tickets. Billing disputes. Account recovery requests. Sometimes fragments of credentials or identity documents, as TechCrunch noted. Combine that with your address and subscription details, and attackers can craft messages that are nearly indistinguishable from the real thing. After the 2022 breach — where stolen vault backups were later linked to crypto thefts through offline brute-force attacks on weak master passwords — any LastPass data exposure carries extra weight. These incidents reflect a broader pattern of tech scandals in which corporate data mishandling puts millions of users at risk.
The attack chain ran through a compromised legacy credential inside Klue’s infrastructure. Attackers stole OAuth tokens connecting Klue to customers’ Salesforce instances, then the extortion group Icarus bulk-exported CRM data from multiple organizations, including HackerOne, Recorded Future, Tanium, Jamf, and Huntress, according to BleepingComputer and TechCrunch. Klue CEO Jason Smith acknowledged that attackers used those tokens to access data across multiple customer environments, per The Register. Icarus is now demanding ransoms under threat of public release.
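As an added illustration, not part of the original article and not code from any of the companies named, the script below shows how a defender might spot the bulk-export pattern described above from a third-party integration's API activity: it parses constructed, Salesforce-style API usage records and flags any connected app whose hourly row volume jumps far above that app's own baseline. The record layout, app names and thresholds are assumptions, not details from the incident.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (not from the incident): timestamp, connected app,
# integration user, operation, object queried, rows returned. The field layout is
# an assumption modelled loosely on a Salesforce API-usage export.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z,Vendor Intel Sync,svc-vendor,Query,Contact,110
2024-05-01T10:05:44Z,Vendor Intel Sync,svc-vendor,Query,Contact,95
2024-05-01T11:07:10Z,Vendor Intel Sync,svc-vendor,Query,Account,130
2024-05-01T12:02:51Z,Vendor Intel Sync,svc-vendor,Query,Contact,120
2024-05-01T13:15:22Z,Vendor Intel Sync,svc-vendor,Query,Contact,27600
2024-05-01T13:31:48Z,Vendor Intel Sync,svc-vendor,Query,Case,31800
2024-05-01T13:44:09Z,Vendor Intel Sync,svc-vendor,Query,Opportunity,9900
2024-05-01T09:30:00Z,Internal Reporting,svc-reports,Query,Opportunity,5200
2024-05-01T13:30:00Z,Internal Reporting,svc-reports,Query,Opportunity,5100
"""

def parse_log(text):
    """Parse CSV-style records into dicts with a parsed timestamp and int row count."""
    events = []
    for line in text.splitlines():
        ts, app, user, op, obj, rows = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "app": app, "user": user, "op": op, "obj": obj, "rows": int(rows)})
    return events

def hourly_rows_by_app(events):
    """Sum rows returned per connected app per UTC hour."""
    buckets = defaultdict(lambda: defaultdict(int))
    for e in events:
        buckets[e["app"]][e["ts"].strftime("%Y-%m-%dT%H:00Z")] += e["rows"]
    return buckets

def flag_bulk_export(events, factor=10, min_rows=10000):
    """Return (app, hour, rows, baseline) for every app-hour with at least
    `min_rows` rows and more than `factor` times that app's median volume in its
    other hours; an app with no other history gets baseline 0 and is still flagged."""
    flagged = []
    for app, hours in hourly_rows_by_app(events).items():
        for hour, rows in sorted(hours.items()):
            others = [c for h, c in hours.items() if h != hour]
            baseline = median(others) if others else 0
            if rows >= min_rows and rows > factor * baseline:
                flagged.append((app, hour, rows, baseline))
    return flagged
```

On the constructed sample, only the vendor integration's 13:00 hour is flagged (69,300 rows against a baseline of about 115), while the steady internal reporting job stays quiet; in practice the same check should also cover which objects were pulled, since contact, case and opportunity data is exactly what a CRM export exposes.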
What You Should Do Right Now
No password reset is needed — but treat every inbound LastPass communication as suspicious until verified through official channels.
Enable multi-factor authentication on your LastPass account and any connected critical services. The attackers have enough context now to sound exactly like the real thing. Parallel cases of secretly tracking users serve as a reminder to verify the source of any communication before trusting it.