Industry - Data Breach
Executive Summary
LastPass confirmed that customer support data - including names, contact details, and support ticket contents - was exposed through a breach at Klue, a third-party market research vendor it uses. The breach occurred when attackers exploited an old credential from a 2022 pilot project that remained active, affecting multiple companies beyond LastPass. While no password vaults or master passwords were compromised, the exposed information could be used for phishing or social engineering attacks ...
What Happened
LastPass confirmed that customer support data - including names, phone numbers, email addresses, physical addresses, and support ticket contents - was exposed through a breach at Klue, a third-party market research vendor. Attackers gained access using an old credential from a 2022 pilot project that remained active in Klue's systems. The breach affected multiple companies beyond LastPass, including Gong, Jamf, HackerOne, and others that used Klue's services.
Who Is Affected
LastPass customers who have submitted support tickets are affected, as their contact information and the contents of those support requests were exposed. The breach did not compromise password vaults, master passwords, or stored credentials within LastPass itself. Users of at least eleven other organizations that worked with Klue were similarly impacted by the same vendor breach.
Why It Matters
This incident demonstrates how third-party vendor security failures can expose customer data even when a company's own systems remain secure. The exposed support ticket data could enable targeted phishing and social engineering attacks against LastPass users. For LastPass specifically, this marks the second major data exposure incident affecting its customers since 2022, raising questions about vendor security oversight in the password management industry.
What You Should Do
Be vigilant for phishing emails, text messages or calls that reference your LastPass support interactions or quote personal details you provided in support tickets; the exposed ticket contents give an attacker exactly the context needed to sound legitimate. Enable multi-factor authentication on your LastPass account and on any other accounts tied to the exposed email address or phone number. If you receive unsolicited communications claiming to be from LastPass support, verify them through official channels (the LastPass website or app, not contact details supplied in the message) before responding or clicking any links, and never share your master password or MFA codes with anyone who contacts you.