LastPass Suffers Data Breach via Klue Supply Chain Attack, Customer Data Exposed
Password management giant **LastPass** has confirmed a data breach originating from a supply chain attack on **Klue**, a third-party market intelligence platform. Threat actors accessed customer data within **LastPass**'s **Salesforce** environment after compromising **Klue** and stealing OAuth tokens. While core services and customer vaults remain secure, personal information may have been exposed.

**LastPass** has disclosed that customer data was compromised following a supply chain attack on **Klue**, a market intelligence platform it utilizes. The incident, which occurred earlier this month, saw hackers leverage stolen OAuth tokens to access **LastPass**'s **Salesforce** environment.
### The Klue Compromise
On June 12th, **LastPass** was alerted to an incident at **Klue**, a third-party vendor integrating with their **Salesforce** and **Gong** systems. An immediate investigation revealed that an unauthorized actor obtained **Klue**'s OAuth tokens, which connected **Klue** to numerous customer systems, including **LastPass**.
### Accessing Salesforce Data
These stolen credentials were then used by the threat actor to access **LastPass** customer data stored within their **Salesforce** environment. Importantly, **LastPass** states that its core products, services, and infrastructure were not directly affected, and customer vaults remain secure.
There is currently no evidence to suggest that the attacker accessed **Gong**-related data, which typically includes customer calls and emails.
### Exposed Information
The investigation indicates that the following customer data may have been exposed:
* Customer names
* Phone numbers
* Email addresses
* Physical addresses
* Support case information
* Sales/CRM-related data
This type of information is frequently used in targeted phishing and social engineering campaigns. Users are advised to exercise extreme caution regarding unsolicited communications, particularly those requesting sensitive details. **LastPass** reiterates that master passwords should never be shared.
### Icarus Extortion Group Linked
The **Klue** supply chain attack has been attributed to the **Icarus extortion group**. This group reportedly compromised **Klue**'s infrastructure by using compromised legacy credentials for an integration service. This breach granted them access to the critical OAuth tokens linking **Klue** to various third-party services.
Multiple organizations have been impacted by the **Klue** incident, including **Recorded Future**, **Tanium**, **Jamf**, **Sprout Social**, **Gong**, and **Insurity**. **Icarus** has been observed exfiltrating Customer Relationship Management (CRM) data and launching subsequent extortion campaigns.
### LastPass's Response
In response to the breach, **LastPass** has disabled employee access to **Klue**, rotated all exposed API/OAuth tokens, and notified law enforcement. The company has also issued a warning about potential phishing attempts originating from specific sender domains, including `baccarat.com[.]au`, `robinskitchen.com[.]au`, and `house[.]com.au`, emphasizing that users should only trust communications from official **LastPass** support channels.
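
The sender-domain warning above, turned into a mail-triage check as an added example (not LastPass's code or tooling): it refangs the three domains as written on this page and flags a message when any sender-bearing header uses one of them or a subdomain of one. The function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Sender domains exactly as defanged in the warning quoted on this page.
DEFANGED = ["baccarat.com[.]au", "robinskitchen.com[.]au", "house[.]com.au"]

def refang(indicator: str) -> str:
    """Undo the [.] defanging so the value can be compared to real headers."""
    return indicator.replace("[.]", ".").lower().strip(".")

BLOCKED = {refang(d) for d in DEFANGED}

def sender_domains(raw_message: str) -> set:
    """Collect domains from every header that can carry a sender address."""
    msg = message_from_string(raw_message)
    values = []
    for header in ("From", "Sender", "Reply-To", "Return-Path"):
        values.extend(msg.get_all(header, []))
    domains = set()
    for _name, addr in getaddresses(values):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains

def flagged_domains(raw_message: str) -> set:
    """Return listed domains matched exactly or on a label boundary (subdomain)."""
    hits = set()
    for domain in sender_domains(raw_message):
        for bad in BLOCKED:
            if domain == bad or domain.endswith("." + bad):
                hits.add(bad)
    return hits

# Constructed sample messages (not real mail).
SPOOFED = ("From: LastPass Support <support@mail.house.com.au>\n"
           "Reply-To: help@example.net\n"
           "Subject: Action required\n\nbody\n")
# Shares a suffix string with a listed domain but is a different domain.
SUBSTRING = ("From: Updates <news@greenhouse.com.au>\n"
             "Subject: Newsletter\n\nbody\n")
BOUNCE = ("From: Billing <billing@example.org>\n"
          "Return-Path: <bounce@robinskitchen.com.au>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("SUBSTRING", SUBSTRING), ("BOUNCE", BOUNCE)):
        print(name, sorted(flagged_domains(raw)))
```

The display name plays no part in the match, so a message labelled "LastPass Support" is still judged by the address domain in its headers.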