Anyone still using LastPass? If so, you need to be aware about a new security incident that has been confirmed by the company this week.
In the modern SaaS ecosystem, a digital fortress is only as secure as the side door left open for third-party vendors. Password management firm LastPass has disclosed a new data breach that involved the intelligence platform Klue.
According to an official incident report published on the LastPass blog, threat actors recently compromised Klue’s systems to steal OAuth tokens, granting them unauthorized access to LastPass’s Salesforce environment.
What the Attackers Obtained
The threat actors compromised Klue’s systems to steal OAuth tokens, which they then used to access LastPass’s Salesforce environment. The exposed data was limited to standard CRM and business contact information:
- Customer names
- Email addresses
- Phone numbers
- Physical addresses
- Support case data
- Sales-related data
What They Did NOT Obtain
The core architecture of LastPass remained unbreached. The attackers did not gain access to:
- Customer Vaults: All stored passwords, secure notes, and saved data remained encrypted and secure
- Master Passwords: Because of LastPass’s zero-knowledge architecture, master passwords are never known or stored by the company, and they were not exposed here.
- Core Systems: LastPass products, services, and primary infrastructure were entirely unaffected
LastPass reveals that the information can be used for phishing attacks and other social engineering attempts. It recommends that “customers remain vigilant” and “exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information.”.
For LastPass users suffering from breach fatigue, this latest headline likely induces a familiar sense of dread. However, when put into perspective, the Klue incident is a far cry from the devastating, back-to-back breaches of 2022, where threat actors successfully made off with encrypted customer vault backups and proprietary source code.
Still, while this is fundamentally a story about a third-party CRM leak rather than a critical product failure, the stolen contact information arms hackers with exactly what they need to launch highly convincing phishing campaigns.