A supply chain attack against Klue, a third-party market intelligence platform, gave the Icarus extortion group access to OAuth tokens linked to LastPass’s Salesforce environment, exposing customer contact records for an unknown number of enterprise accounts. LastPass confirmed the incident on June 23, 2026, stressing that customer password vaults remained secure and that its core products and infrastructure were not impacted.

How the Klue Breach Opened a Door Into LastPass

The intrusion did not begin at LastPass. According to the official LastPass incident disclosure, attackers obtained legacy integration credentials that gave them access to Klue’s infrastructure. From there, they harvested the OAuth tokens that Klue held on behalf of its customers, tokens that connected Klue to those customers’ Salesforce environments. LastPass was among the affected clients.

The OAuth token path is significant. Rather than targeting LastPass’s authentication or vault infrastructure directly, the attackers exploited the trust relationship between LastPass’s internal CRM tools and a third-party SaaS platform. The access chain ran through Klue as an intermediary, allowing the Icarus group to reach LastPass customer data without ever touching the core product.


LastPass learned of the Klue incident on June 12, 2026, and immediately launched an investigation alongside Klue and Salesforce. The company discontinued all employee access to Klue, rotated exposed API tokens, notified law enforcement, and activated its Threat Intelligence and Malicious Engagement (TIME) team to share indicators with the broader security community.

What Data Was Exposed

The information accessed through the compromised Salesforce integration was limited to business contact and CRM data: customer names, phone numbers, email addresses, physical addresses, and support case information. LastPass stated that “customer vaults remained secure” and that “LastPass products, services, and infrastructure were not impacted in any way.”

That distinction defines the risk vector. The breach does not expose master passwords, encrypted vault contents, or authentication credentials. What it does expose is the contact surface that attackers commonly leverage to launch secondary phishing and social engineering campaigns against high-value targets.

Other Klue Clients Affected

LastPass was not the only organization whose customer data flowed through the compromised Klue infrastructure. According to reporting by BleepingComputer, other affected clients included Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity, a cross-section of security and enterprise software providers whose own customers may now face elevated phishing risk.

The Icarus Group’s Tactical Approach

The Icarus group’s approach in this campaign reflects a maturing offensive playbook: instead of attacking hardened vendor infrastructure directly, target the connective tissue of SaaS integrations where security visibility is lower and legacy credentials persist. The use of compromised legacy integration credentials as the initial access vector suggests that Icarus conducted prior reconnaissance to identify stale but functional service accounts, a technique increasingly common among financially motivated threat actors.

By focusing on OAuth tokens rather than passwords or session hijacking, the group exploited a trust mechanism that many organizations have not fully inventoried. OAuth tokens granted by employees or IT teams for third-party integrations often carry broad data-access permissions and persist long after the original use case has been forgotten or the business relationship has evolved.

What It Means for the Security Leader

This incident is a concrete illustration of a risk category that has moved from theoretical to operational: the third-party SaaS integration as a supply chain attack vector. The breach perimeter is no longer defined by your organization’s own infrastructure. It extends to every vendor that holds tokens granting access to your systems, every SaaS platform that aggregates your customer or employee data, and every legacy integration credential that has not been rotated or reviewed.

For CISOs managing enterprise deployments of password managers and credential tools, the most important signal here is that the threat was not a compromise of the core product. LastPass vaults were not breached. The exposed data came from a CRM integration that sat adjacent to the product itself. That means the attack surface for your security tooling is wider than the tool’s own security boundary.

Organizations using multiple SaaS platforms connected via OAuth integrations should treat this incident as a prompt to audit their own third-party integration portfolios. The question is not only “which of our vendors were affected by the Klue incident?” but also “which of our own vendors hold OAuth tokens with broad permissions that we have not reviewed recently?”


Actionable Steps for Defenders

LastPass has issued specific guidance to its customers. No action is required to protect vault contents, but the company advises heightened awareness of social engineering attempts that may exploit the exposed contact data.

Conduct a third-party integration audit. Inventory all OAuth tokens and API credentials your organization has granted to third-party SaaS platforms. Revoke any that are unused, stale, or whose scope exceeds operational requirements. Many organizations lack a current register of active integrations, making this a baseline exercise before any incident occurs.

Brief customer-facing and executive teams. The exposure of names, phone numbers, and physical addresses creates a credible pretext for targeted social engineering. Teams that handle customer support, finance, or privileged access should be alerted that attackers may reference this data to establish false legitimacy in phone calls or email requests.

Validate LastPass communications. LastPass explicitly stated that no representative will ever request a customer’s master password. Any communication making such a request is fraudulent. Organizations should confirm internal policies and user awareness around this point.

Apply least-privilege principles to SaaS integrations. Treat each OAuth-connected third-party as a potential breach vector. Require scoped permissions, enforce regular rotation schedules, and log token usage in your SIEM for anomaly detection. Where possible, prefer short-lived tokens over persistent credentials.
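The integration audit and the least-privilege controls described above can be driven from a simple register of grants plus the token-usage log. The script below is an added example, not code from LastPass, Klue or Salesforce: it assumes a hypothetical grant register (vendor, owner, scopes, issue and expiry dates, last use), a hypothetical set of high-risk scope names, and a constructed JSON-lines usage log with documentation-range IP addresses. It flags grants that are stale, over-scoped or non-expiring, and then runs a baseline check over the log to surface a token used from an unfamiliar source or for bulk record reads.

```python
"""Audit third-party OAuth grants and flag anomalous token use.

Added example (not vendor code). The register, scope names, log format and
IP addresses below are all constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed reference date for the audit run.
NOW = datetime(2026, 6, 23, tzinfo=timezone.utc)

# Hypothetical scope names that exceed what a read-only CRM sync should need.
HIGH_RISK_SCOPES = {"full", "api:write", "admin"}


@dataclass
class Grant:
    vendor: str
    owner: str                      # internal team that approved the grant
    scopes: frozenset
    issued_at: datetime
    last_used_at: Optional[datetime]
    expires_at: Optional[datetime]  # None = persistent, non-expiring token


def audit_grant(g: Grant, now: datetime = NOW, stale_days: int = 90,
                max_lifetime_days: int = 30) -> list:
    """Return a list of findings for one grant (empty list = clean)."""
    findings = []
    # Stale: never used, or unused for longer than the review window.
    if g.last_used_at is None or (now - g.last_used_at).days > stale_days:
        findings.append("stale")
    # Over-scoped: any scope from the high-risk set.
    excess = sorted(g.scopes & HIGH_RISK_SCOPES)
    if excess:
        findings.append("overscoped:" + ",".join(excess))
    # Lifetime: prefer short-lived tokens; persistent ones are flagged outright.
    if g.expires_at is None:
        findings.append("non-expiring")
    elif (g.expires_at - g.issued_at).days > max_lifetime_days:
        findings.append("long-lived")
    return findings


def audit_register(grants, now: datetime = NOW) -> dict:
    """Map 'vendor/owner' to its findings for every grant in the register."""
    return {f"{g.vendor}/{g.owner}": audit_grant(g, now) for g in grants}


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed register: one legacy CRM grant and one tightly scoped, short-lived one.
SAMPLE_GRANTS = [
    Grant("klue", "sales-ops", frozenset({"api:read", "full"}),
          ts("2024-03-01"), ts("2025-11-02"), None),
    Grant("ticketing-vendor", "support", frozenset({"api:read"}),
          ts("2026-06-01"), ts("2026-06-22"), ts("2026-06-15")),
]

# Constructed JSON-lines usage log as a SIEM might export it (IPs from
# RFC 5737 documentation ranges).
SAMPLE_LOG = """\
{"ts":"2026-06-10T09:12:00","token":"klue/sales-ops","src":"198.51.100.7","action":"query","rows":40}
{"ts":"2026-06-10T09:40:00","token":"klue/sales-ops","src":"198.51.100.7","action":"query","rows":35}
{"ts":"2026-06-11T02:05:00","token":"klue/sales-ops","src":"203.0.113.55","action":"query","rows":50000}
{"ts":"2026-06-11T02:06:00","token":"klue/sales-ops","src":"203.0.113.55","action":"query","rows":50000}
"""

# Baseline of source addresses previously seen per token (constructed).
BASELINE = {"klue/sales-ops": {"198.51.100.7"}}


def detect_anomalies(log_text: str, baseline: dict, max_rows: int = 5000) -> list:
    """Return (timestamp, token, reason) tuples for suspicious token usage."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        known_sources = baseline.get(ev["token"], set())
        if ev["src"] not in known_sources:
            alerts.append((ev["ts"], ev["token"], f"new source {ev['src']}"))
        if ev["rows"] > max_rows:
            alerts.append((ev["ts"], ev["token"], f"bulk read {ev['rows']} rows"))
    return alerts


if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_GRANTS).items():
        print(name, findings or "ok")
    for alert in detect_anomalies(SAMPLE_LOG, BASELINE):
        print("ALERT", *alert)
```

The thresholds (90 days unused, 30-day maximum lifetime, 5,000 rows per request) are deliberately conservative starting points; tune them to the integration's real usage pattern, and feed the register from your identity provider's or SaaS platform's connected-app export rather than maintaining it by hand.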

Monitor for spoofed domains. LastPass has identified spoofed domains in use by threat actors as part of follow-on phishing campaigns targeting the exposed contact data. Update threat intelligence feeds and email filtering rules accordingly.

Source: LastPass Security Blog