A security incident at the third-party platform Klue has resulted in unauthorized access to a limited set of LastPass customer data. The breach occurred after attackers compromised OAuth tokens that Klue held for its enterprise integrations.
This incident, disclosed by LastPass, underscores the ongoing risks related to SaaS integrations and token-based authentication in today’s enterprise environments.
LastPass Customer Data Exposed
According to LastPass, the company became aware of the breach on June 12, after Klue, a market intelligence platform integrated with Salesforce and Gong, experienced a security incident affecting multiple organisations.
Investigations revealed that attackers successfully obtained OAuth tokens stored by Klue and used them to access customer environments connected to Klue. In LastPass’s case, the compromised tokens allowed unauthorized access to specific data within its Salesforce instance.
LastPass confirmed that the exposure was limited strictly to systems integrated with Klue and did not impact its core infrastructure, products, or encrypted password vaults. The company emphasized that there is no evidence of compromise involving Gong systems or any sensitive authentication data such as master passwords.
However, the attackers were able to access customer relationship management data, including names, phone numbers, email addresses, physical addresses, and support- or sales-related records.
The attack demonstrates a growing trend in which adversaries target third-party SaaS providers to pivot into downstream enterprise environments.
OAuth tokens, which are often trusted for API-based access, present a high-value target when improperly secured or exposed by external vendors.
In this case, the compromise did not require a direct intrusion into LastPass systems; instead, it exploited the trust relationships established through integrations.
In response, LastPass initiated immediate containment and remediation actions. The organization revoked and rotated all affected OAuth tokens, disabled employee access to Klue, and launched a coordinated investigation with both Klue and Salesforce. Law enforcement agencies have also been notified.
Additionally, the LastPass Threat Intelligence, Mitigation, and Escalation team is actively collaborating with the broader security community to share threat intelligence and disrupt the campaign.
Security teams warn that while the exposed data is categorized as standard business information, it can still be weaponized in targeted phishing or social engineering campaigns. Attackers may use the harvested contact details to craft convincing impersonation attempts aimed at credential theft or further compromise.
Organizations using similar SaaS ecosystems are advised to audit third-party integrations, enforce strict token lifecycle management, and adopt least-privilege access controls. Continuous monitoring of API activity and anomaly detection across SaaS platforms is also critical to identifying suspicious behavior early.
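The audit and token-lifecycle advice above can be turned into a repeatable check. The following is an added example, not LastPass, Klue or Salesforce tooling: it walks an inventory of third-party OAuth grants and flags those that belong to a vendor that has reported a compromise, carry an over-broad scope, are long-lived, or have aged or idled past policy. The grant records, field names, thresholds and every app name other than Klue are constructed assumptions, not any vendor's export format.

```python
"""Audit an inventory of third-party OAuth grants against a token-lifecycle
and least-privilege policy. Added example, not LastPass or Klue tooling; the
grant records are constructed and the field names and thresholds are
assumptions, not any vendor's export format."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values; set them from your own standard).
MAX_TOKEN_AGE = timedelta(days=90)   # rotate anything older than this
MAX_IDLE = timedelta(days=30)        # revoke anything unused for this long
OVER_BROAD = {"full"}                # Salesforce "full" grants every scope
LONG_LIVED = {"refresh_token", "offline_access"}  # survives logout


@dataclass(frozen=True)
class Grant:
    app: str              # connected app / vendor name
    scopes: frozenset     # OAuth scopes granted to the app
    issued_at: datetime   # when the token was issued
    last_used: datetime   # last API call seen with it


def audit_grants(grants, now, compromised_vendors=()):
    """Return {app: [finding, ...]} for every grant that needs action.
    A vendor that reported a compromise is flagged regardless of age."""
    compromised = {v.lower() for v in compromised_vendors}
    findings = {}
    for g in grants:
        issues = []
        if g.app.lower() in compromised:
            issues.append("revoke now: vendor reported token compromise")
        broad = g.scopes & OVER_BROAD
        if broad:
            issues.append(f"over-broad scope {sorted(broad)}: re-issue with least privilege")
        if g.scopes & LONG_LIVED:
            issues.append("long-lived refresh grant: confirm it is still required")
        if now - g.issued_at > MAX_TOKEN_AGE:
            issues.append("rotate: token older than policy maximum")
        if now - g.last_used > MAX_IDLE:
            issues.append("revoke: unused beyond idle limit")
        if issues:
            findings[g.app] = issues
    return findings


# Arbitrary fixed "now" so the run is reproducible (constructed, not the
# incident date).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed inventory; app names other than Klue are placeholders.
SAMPLE_GRANTS = [
    Grant("Klue", frozenset({"api", "refresh_token"}),
          NOW - timedelta(days=200), NOW - timedelta(days=1)),
    Grant("Marketing Sync", frozenset({"full", "refresh_token"}),
          NOW - timedelta(days=30), NOW - timedelta(days=45)),
    Grant("Support Bot", frozenset({"api"}),
          NOW - timedelta(days=10), NOW - timedelta(days=1)),
]


def run_audit():
    """Audit the constructed inventory, treating Klue as a compromised vendor."""
    return audit_grants(SAMPLE_GRANTS, NOW, compromised_vendors=["Klue"])


if __name__ == "__main__":
    for app, issues in run_audit().items():
        print(app)
        for issue in issues:
            print("  -", issue)
```

The vendor-compromise check is deliberately first and unconditional: once a vendor reports that its stored tokens were taken, every grant issued to it is revoked and re-issued, whatever its age or scope.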
Indicators of Compromise associated with the campaign have been shared to assist defenders in threat hunting and detection efforts.
IoC:
| IOC Type | Value |
|---|---|
| IP | 138.226.246[.]94 |
| IP | 94.154.32[.]160 |
| IP | 159.183.215[.]61 |
| IP | 159.183.181[.]239 |
| Domain | baccarat.com[.]au |
| Domain | robinskitchen.com[.]au |
| Domain | house.com[.]au |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
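To put the indicators above to use without ever resolving them, the following added example (not part of the original advisory) re-fangs the published list in memory, splits it into IP and domain sets, and runs both over SaaS audit-log rows. The log lines and their CSV column layout are constructed for the example and are not the Salesforce EventLogFile or Klue format; the only real values are the IoCs from the table.

```python
"""Hunt for the published IoCs in SaaS audit-log rows. Added example; the
log lines below are constructed and their CSV layout is an assumption, not
the Salesforce EventLogFile or Klue format."""
import csv
import io
import ipaddress

# IoCs exactly as published on the page, kept defanged until used.
DEFANGED_IOCS = [
    "138.226.246[.]94", "94.154.32[.]160", "159.183.215[.]61",
    "159.183.181[.]239", "baccarat.com[.]au", "robinskitchen.com[.]au",
    "house.com[.]au",
]


def refang(value: str) -> str:
    """Turn a defanged indicator back into its literal form.
    Handles the [.] and (.) dot conventions, [:] and hxxp:// prefixes."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if v.lower().startswith("hxxp"):
        v = "http" + v[4:]
    return v


def defang(value: str) -> str:
    """Defang a value again before it is written to a report or ticket."""
    return value.replace(".", "[.]")


def build_ioc_sets(defanged):
    """Split a defanged list into (ip_set, domain_set); anything that is not
    a valid IP address is treated as a domain."""
    ips, domains = set(), set()
    for item in defanged:
        v = refang(item)
        try:
            ips.add(str(ipaddress.ip_address(v)))
        except ValueError:
            domains.add(v.lower())
    return ips, domains


def hunt(log_text, ips, domains):
    """Return [(row, reason), ...] for every row whose source IP is an IoC
    or whose remote host is an IoC domain or a subdomain of one."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        src = row.get("source_ip", "").strip()
        if src in ips:
            hits.append((row, f"source ip matches IoC {defang(src)}"))
            continue
        host = row.get("remote_host", "").strip().lower()
        if host in domains or any(host.endswith("." + d) for d in domains):
            hits.append((row, f"remote host matches IoC {defang(host)}"))
    return hits


# Constructed sample rows (RFC 5737 documentation addresses for the
# non-malicious traffic); dates and users are invented.
SAMPLE_LOG = """timestamp,user,source_ip,connected_app,operation,remote_host
2024-01-10T08:02:11Z,svc-klue,203.0.113.7,Klue,Query Account,api.example.com
2024-01-11T23:41:05Z,svc-klue,138.226.246.94,Klue,Query Contact,api.example.com
2024-01-11T23:44:19Z,svc-klue,198.51.100.4,Klue,Query Contact,cdn.house.com.au
2024-01-12T09:15:00Z,alice,192.0.2.10,Web UI,Login,-
"""


def run_hunt():
    """Run the hunt over the constructed sample log."""
    ips, domains = build_ioc_sets(DEFANGED_IOCS)
    return hunt(SAMPLE_LOG, ips, domains)


if __name__ == "__main__":
    for row, reason in run_hunt():
        print(row["timestamp"], row["user"], row["operation"], "->", reason)
```

Matches are reported with the indicator defanged again, so a hit pasted into a ticket or chat does not become a clickable link. Subdomain matching is included because hosting providers and CDNs frequently put the observed host one label below the published domain.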
LastPass continues to monitor the situation and has urged customers to remain cautious of unsolicited communications, reiterating that it will never request master passwords or sensitive credentials through unofficial channels.

