LastPass says hackers stole customer data in Klue supply chain breach

  • LastPass said hackers accessed customer personal information and support case data via the Klue supply chain breach, though password vaults were not affected. (TechCrunch)
  • The attack, attributed to extortion group Icarus, exploited a legacy credential to harvest OAuth tokens from Klue’s integration with Salesforce on June 11. (SecurityWeek)
  • Firms including Huntress, Recorded Future, Tanium, Jamf, HackerOne, and Snyk have also disclosed CRM data theft from the same breach, according to The Register.

Klue Supply Chain Attack Exposes Salesforce Data at Cybersecurity Firms

A supply chain attack on market intelligence platform Klue has compromised Salesforce data at a growing list of organizations, including multiple cybersecurity companies, after a newly emerged extortion group called Icarus exploited a stolen legacy credential to harvest OAuth tokens from the platform’s integration infrastructure.

How the Attack Unfolded

The breach began on June 11, 2026, when attackers used a compromised legacy credential to gain access to Klue’s backend servers and push a malicious code update designed to collect OAuth tokens tied to customer integrations. Klue identified the unauthorized activity on June 12 and immediately deactivated OAuth tokens for all customers, disabling integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Google Drive, and Slack. (SecurityWeek)

According to cybersecurity firm ReliaQuest, the attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data over a 24-hour window, including “a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours”. Salesforce confirmed the issue was limited to Klue’s app connection and did not stem from a vulnerability in the Salesforce platform itself, and disabled the Klue Battlecards integration on June 17. (Salesforce Ben)
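A defender-side sketch of the pattern ReliaQuest describes, added here as an example and not taken from ReliaQuest, Salesforce or Klue: it flags a connected app whose query volume bursts inside 15 minutes or whose activity runs unbroken for 6 hours. The log line format, the app names and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to your own baseline.
BURST_WINDOW = timedelta(minutes=15)
BURST_COUNT = 500
SUSTAINED_SPAN = timedelta(hours=6)
MAX_GAP = timedelta(minutes=10)  # a longer silence ends an extraction session


def parse(line):
    """Parse a constructed '<ISO timestamp> app=<name> query' log line."""
    ts, app, _ = line.split(" ", 2)
    return datetime.fromisoformat(ts), app.split("=", 1)[1]


def detect(lines):
    """Return {app: {"burst", "sustained"}} for apps that trip a threshold."""
    findings = defaultdict(set)
    recent = defaultdict(deque)  # per-app timestamps inside BURST_WINDOW
    session = {}                 # per-app (session start, last seen)
    for ts, app in sorted(parse(l) for l in lines):
        window = recent[app]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_COUNT:
            findings[app].add("burst")
        start, last = session.get(app, (ts, ts))
        if ts - last > MAX_GAP:
            start = ts           # gap too long: a new session begins
        session[app] = (start, ts)
        if ts - start >= SUSTAINED_SPAN:
            findings[app].add("sustained")
    return dict(findings)


def sample_log():
    """Constructed sample: a hypothetical abused integration and a quiet app."""
    t0 = datetime(2026, 6, 11, 2, 0, 0)
    line = lambda delta, app: f"{(t0 + delta).isoformat()} app={app} query"
    # 600 queries in 10 minutes, then one every 5 minutes for about 7 hours
    noisy = [line(timedelta(seconds=i), "vendor-integration") for i in range(600)]
    noisy += [line(timedelta(minutes=10 + 5 * i), "vendor-integration") for i in range(84)]
    quiet = [line(timedelta(hours=i), "crm-dashboard") for i in range(20)]
    return noisy + quiet


if __name__ == "__main__":
    print(detect(sample_log()))
```

Keying the counters on the connected app rather than the user is what lets a rule like this catch activity that arrives through a legitimate integration's OAuth token.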

Victims Span the Cybersecurity Industry

The list of affected organizations has grown rapidly. Huntress, Recorded Future, Tanium, Jamf, HackerOne, Kudelski Security, Snyk, Insurity, and Sprout Social have all disclosed that CRM data was accessed through the compromised integration. Klue CEO Jason Smith acknowledged the attack in a blog post on June 20, stating that “an attacker gained access through a compromised legacy credential associated with an integration service” and used it to obtain OAuth tokens connecting Klue with third-party platforms. (The Register)

LastPass also confirmed it was affected. In a blog post, the company said hackers accessed customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related information from its Salesforce environment. LastPass stressed that its core products, infrastructure, and customer password vaults were not compromised. (TechCrunch)

A New Extortion Group Emerges

Huntress attributed the attack to Icarus, an extortion group that surfaced in late April 2026. The group contacted victims using the alias “mr bean” and directed them to a Session Messenger ID linked to Icarus’s leak site. The group has publicly threatened to release stolen data if ransom demands are not met. Klue has engaged CrowdStrike to assist with its investigation and response. (ThreatLocker)
