Strondex

Vendor Access · Supply Chain Security

LastPass Confirms Data Breach in Klue Supply Chain Attack

June 23, 2026 · 7 min read

A single abandoned credential at a market intelligence vendor gave an extortion group everything it needed to steal OAuth tokens, pivot into LastPass's Salesforce environment, and walk out with customer names, emails, phone numbers, physical addresses, and support records — all without touching LastPass's own infrastructure. LastPass's password vaults were never at risk, but the incident is a textbook demonstration of how thoroughly a trusted vendor can become your weakest link.

What actually happened

Klue is a Vancouver-based competitive intelligence platform used by hundreds of enterprise organizations to sync battlecard data with their CRM environments. LastPass's go-to-market teams relied on Klue, which was integrated directly with LastPass's Salesforce and Gong systems via OAuth tokens. On June 11, 2026, threat actors compromised Klue's backend systems using a legacy credential tied to an older, abandoned integration project — a dormant service account that had never been cleaned up. From there, the attackers deployed code designed to harvest OAuth tokens that Klue held on behalf of its customers.

On June 12, 2026, Klue detected the unauthorized activity and notified LastPass the same day. By then, the attackers had already obtained OAuth tokens for numerous Klue customers, including LastPass, and used those tokens to access LastPass customer data inside LastPass's Salesforce environment. According to LastPass, the data exposed included customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related records. LastPass confirmed that its products, services, core infrastructure, and customer password vaults were not affected.

Researchers at Datadog Security Labs and ReliaQuest found that attackers used automated tools to enumerate Salesforce objects through Salesforce's REST API at scale — essentially using legitimate integration credentials to perform large-scale data harvesting that looked, at first glance, like normal vendor activity. Salesforce confirmed that no vulnerability in the Salesforce platform itself was involved; the issue originated entirely from Klue's compromised integration layer.
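The pattern described above, a legitimate integration identity suddenly reading far more objects and rows than its normal job requires, is what a detection has to key on. The following is an added example, not code from the page or from Datadog/ReliaQuest: it runs over constructed API access records (the field layout, app names, baseline object sets and thresholds are all assumptions, not Salesforce's Event Monitoring schema) and flags a connected app whose activity in one sliding window is unusually broad or heavy.

```python
"""Flag a connected app enumerating many CRM objects in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access records (field layout is an assumption, not
# Salesforce's Event Monitoring schema): timestamp, connected app, object, rows.
SAMPLE_LOG = """\
2026-06-11T14:02:11Z klue_integration Opportunity 250
2026-06-11T14:02:14Z klue_integration Opportunity 250
2026-06-11T14:05:40Z klue_integration Account 2000
2026-06-11T14:05:52Z klue_integration Contact 2000
2026-06-11T14:06:03Z klue_integration Lead 2000
2026-06-11T14:06:15Z klue_integration Case 2000
2026-06-11T14:06:30Z klue_integration User 500
2026-06-11T14:06:44Z klue_integration Task 2000
2026-06-11T14:07:01Z klue_integration EmailMessage 2000
2026-06-11T15:30:00Z reporting_app Opportunity 100
"""

# Objects each vendor app is expected to read (assumed per-vendor baseline).
EXPECTED_OBJECTS = {
    "klue_integration": {"Opportunity", "Account"},
    "reporting_app": {"Opportunity"},
}

def parse_log(text):
    """Parse the whitespace-separated records into (time, app, object, rows)."""
    events = []
    for line in text.splitlines():
        ts, app, obj, rows = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), app, obj, int(rows)))
    return events

def find_enumeration(events, window=timedelta(minutes=10), min_objects=5, min_rows=5000):
    """Return {app: (distinct objects, rows, objects outside baseline)} for any app
    whose activity in one sliding window is broad (many objects) or heavy (many rows).
    Thresholds are illustrative; tune them to each integration's normal volume."""
    by_app = defaultdict(list)
    for ev in sorted(events):
        by_app[ev[1]].append(ev)
    alerts = {}
    for app, evs in by_app.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            objs = {e[2] for e in in_win}
            rows = sum(e[3] for e in in_win)
            if len(objs) >= min_objects or rows >= min_rows:
                alerts[app] = (len(objs), rows, sorted(objs - EXPECTED_OBJECTS.get(app, set())))
                break  # first offending window is enough to raise one alert
    return alerts
```

The objects outside the baseline (here support cases, users and email) are the part worth paging on, since a competitive intelligence sync has no business reading them.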

"The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce." — Klue CEO Jason Smith, as reported by BleepingComputer

As remediation progressed, Klue disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. LastPass revoked and rotated all affected OAuth tokens and disabled employee access to Klue. The attack was claimed by a threat group known as Icarus, which emerged in late April 2026. On June 16, 2026, affected organizations began receiving extortion emails with a 48-hour deadline to contact the group via Session Messenger. Icarus publicly listed Klue as a victim on its dark-web leak site on June 19, 2026. Huntress attributed the attack to Icarus after Session Messenger identifiers in extortion emails matched those on the group's leak site. Other confirmed victims of the same attack include Gong, HackerOne, Huntress itself, Insurity, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium.

Why this should matter to you even if you don't run Klue

The Klue incident is not an edge case — it is a playbook that has been run before. SecurityWeek noted that this attack followed the same pattern as earlier supply chain incidents involving third-party app integrations with Salesforce, including prior Salesloft Drift and Gainsight incidents. The structural problem is consistent: enterprises grant SaaS vendors persistent OAuth access to their most sensitive business systems, then never audit what those tokens can reach, never rotate them, and never ask whether the vendor has cleaned up its own legacy credentials.

If your organization uses any SaaS platform that integrates with Salesforce, HubSpot, Gong, Slack, or similar tools via OAuth, you almost certainly have a version of the same exposure. The vendor holds a token. The token has scopes. Those scopes may be far broader than the vendor actually needs. And if that vendor has a forgotten service account from a project three years ago, your CRM data is one compromised credential away from being exfiltrated by an automated script running against a REST API.

The confirmed victim list from this single incident reads like a who's-who of security-aware organizations: HackerOne, Huntress, Recorded Future, Snyk. Vendor supply chain risk does not discriminate by how sophisticated your own security team is — it exploits the trust you have already extended to someone else.

The control that would have blunted it

The specific control here is vendor access governance: the discipline of inventorying every OAuth token and service account credential your vendors hold on your behalf, scoping those tokens to the minimum necessary permissions, rotating them on a defined schedule, and revoking them immediately when the vendor relationship changes or an incident is reported. This is distinct from simply reviewing vendor security questionnaires once a year.

In practice, this means three concrete actions. First, maintain a live inventory of every third-party OAuth grant connected to your Salesforce, HubSpot, Gong, and Slack tenants. Most platforms expose this under connected apps or OAuth authorization settings — audit it quarterly. Second, enforce least-privilege scopes: a competitive intelligence tool that needs to pull deal data does not need write access or access to support case records. Third, establish a break-glass revocation procedure so that when a vendor notifies you of a compromise — as Klue notified LastPass on June 12 — you can revoke and rotate affected tokens within hours, not days.
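The three actions above (inventory, least-privilege scopes, break-glass revocation) can be driven from a single audit over the connected-app export. This is an added example, not from the page or any platform: the grant records, scope names, per-vendor approved scope sets and the 180-day rotation period are all constructed assumptions, and the `status` field stands in for whatever your vendor register records about offboarding or reported incidents.

```python
"""Audit an exported inventory of third-party OAuth grants against policy."""
from datetime import date, timedelta

# Constructed inventory: one record per vendor app connected to the CRM tenant
# (layout and scope names are assumptions, not any platform's export format).
GRANTS = [
    {"app": "klue_integration", "scopes": {"api", "refresh_token", "full"},
     "issued": date(2024, 3, 2), "status": "incident_reported"},
    {"app": "reporting_app", "scopes": {"api", "refresh_token"},
     "issued": date(2026, 5, 20), "status": "active"},
    {"app": "old_migration_tool", "scopes": {"api", "refresh_token"},
     "issued": date(2023, 1, 15), "status": "offboarded"},
]

# Minimum scopes each vendor actually needs (assumed; owned by the relationship owner).
# An app missing from this map is treated as having no approved scopes at all.
APPROVED_SCOPES = {
    "klue_integration": {"api", "refresh_token"},
    "reporting_app": {"api", "refresh_token"},
}

ROTATION_PERIOD = timedelta(days=180)  # assumed policy value

def audit_grants(grants, today, approved=APPROVED_SCOPES, rotation=ROTATION_PERIOD):
    """Map each app to the actions its grant needs, in priority order.
    Vendors that are offboarded or have reported an incident get 'revoke' first;
    every grant is also checked for excess scope and for age past the rotation period,
    so a re-issued token can be scoped correctly from the start."""
    actions = {}
    for g in grants:
        todo = []
        if g["status"] in ("incident_reported", "offboarded"):
            todo.append(("revoke", g["status"]))
        excess = g["scopes"] - approved.get(g["app"], set())
        if excess:
            todo.append(("rescope", sorted(excess)))
        age = today - g["issued"]
        if age > rotation:
            todo.append(("rotate", age.days))
        actions[g["app"]] = todo or [("ok", None)]
    return actions

if __name__ == "__main__":
    for app, todo in audit_grants(GRANTS, date.today()).items():
        print(app, todo)
```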

Cyber insurers increasingly ask about exactly this control during underwriting. Questions around third-party access management, OAuth token hygiene, and vendor offboarding procedures appear in most current insurance applications. Organizations that cannot demonstrate a process for inventorying and revoking vendor access tokens are likely to face higher premiums or coverage exclusions for supply chain incidents — precisely the category of event that caused the LastPass breach. Remediating this gap before your next renewal is both a security improvement and a tangible underwriting advantage.

Is your vendor access exposure visible on your cyber insurance application?

The Klue attack succeeded because a vendor held OAuth tokens with broad access and no one noticed until data was already gone. Our Cyber Insurance Checklist walks you through the vendor access controls insurers ask about — and the free Top-10 controls PDF gives you a starting point today.

For a deeper look at structuring vendor access controls and third-party token governance, see our Cyber Insurance Prep Checklist, whose Vendor Access controls cover the inventory, scoping, and revocation workflows that apply directly to OAuth-based integrations like those exploited in the Klue incident.


Sources

  1. LastPass Official Blog — "Klue Supply Chain Incident and LastPass Response": blog.lastpass.com
  2. BleepingComputer — "Klue OAuth Breach Linked to Icarus Salesforce Data Theft Attacks": bleepingcomputer.com
  3. Huntress Official Blog — "Klue Breach Investigation": huntress.com
  4. Datadog Security Labs — "Detecting the Klue Supply Chain Attack in Salesforce": securitylabs.datadoghq.com
  5. TechCrunch — "Klue Hack Results in Data Breach at Several Cybersecurity Firms": techcrunch.com
  6. Cybersecurity Dive — "Klue Investigating Supply Chain Attack on Salesforce Integrations": cybersecuritydive.com

Reported figures vary by source and were accurate as of publication; this article is general security commentary, not specific security or underwriting advice.