
LastPass has disclosed that customer contact and CRM data were exposed after attackers compromised Klue, a third-party market intelligence platform used by its go-to-market teams.
According to a security advisory published by LastPass, the company was notified on June 12 about a breach at Klue, a competitive intelligence platform that integrates with Salesforce and Gong. During the incident, attackers obtained OAuth tokens maintained by Klue for multiple customers and used them to access data stored in affected organizations' Salesforce environments, including LastPass.
LastPass said its investigation found that the attackers accessed customer information stored in Salesforce using OAuth credentials associated with the Klue integration. The company stressed that the compromise was limited to systems connected to Klue and did not affect LastPass products, infrastructure, or customer password vaults. It also stated that there is no evidence that attackers accessed data from its Gong deployment.
The company is best known for its password management platform, which is used by millions of consumers and businesses to store credentials and other sensitive information in encrypted vaults. LastPass emphasized that the incident did not impact vault security or any customer secrets protected by its password management service.
The exposed information consists primarily of business contact and CRM records, including:
- customer names
- email addresses
- phone numbers
- physical addresses
- support case information
- sales-related data
While the data does not include password vault contents, the stolen information could be valuable for future phishing campaigns, social engineering attacks, or targeted extortion attempts.
Earlier this month, Salesforce confirmed it had disabled the Klue Battlecards application connection across customer environments after detecting suspicious activity involving the app. Salesforce stated that the issue originated from Klue's integration and was not caused by a vulnerability in the Salesforce platform itself.
Threat researchers at ReliaQuest reported that attackers abused compromised Klue integration accounts to generate OAuth tokens and perform large-scale data harvesting through Salesforce's REST API. According to the firm's analysis, the threat actor used automated Python-based tooling to enumerate Salesforce objects and execute thousands of API queries over extended periods, enabling the theft of CRM records at scale.
ReliaQuest observed activity consistent with previous Salesforce ecosystem attacks that targeted third-party providers such as Salesloft, Drift, and Gainsight. Those earlier campaigns were linked to the financially motivated threat actors ShinyHunters and UNC6395; however, the latest attack was claimed by a new threat group known as “Icarus.” The group stated that multiple Salesforce environments belonging to Klue customers had been exfiltrated and encouraged affected organizations to contact them regarding the stolen data.
Huntress, another victim of the Klue incident, reported that attackers compromised Klue's backend infrastructure after gaining access through an old credential originally created for a discontinued integration project. According to Huntress, the attackers deployed code to harvest OAuth tokens from Klue customers, then used those credentials to query and extract Salesforce data directly from victim environments.
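The pattern described above, a single OAuth-connected app issuing thousands of REST queries across many objects over an extended period, is the kind of activity a Salesforce administrator can look for in API event logs. The following detection script is an added example and is not code from LastPass, Klue, Huntress, ReliaQuest or Salesforce. It assumes a simplified CSV input modelled loosely on Salesforce event log rows; the column names (TIMESTAMP, USER_ID, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED), the app names, the sample records and the alert thresholds are all constructed for illustration.

```python
"""Flag connected apps whose Salesforce API activity looks like bulk CRM harvesting.

Added example, not the code of any vendor named in the article. The input format is
constructed: a simplified CSV loosely modelled on Salesforce API event log rows, with
column names assumed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

HEADER = "TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED"

# Constructed normal traffic: a sync integration doing a few small lookups.
NORMAL_ROWS = [
    "2025-06-10T08:00:00Z,005AAA,NormalSyncApp,Account,20",
    "2025-06-10T08:05:00Z,005AAA,NormalSyncApp,Contact,15",
    "2025-06-10T08:10:00Z,005AAA,NormalSyncApp,Account,12",
]


def constructed_suspicious_rows(count=600):
    """Constructed traffic: one connected app (hypothetical name) cycling through
    many objects with a query every five seconds, each returning a full page."""
    objects = ["Account", "Contact", "Lead", "Opportunity", "Case", "User",
               "Contract", "Task", "Event", "Campaign", "Note", "Attachment"]
    start = datetime(2025, 6, 10, 2, 0, 0)
    rows = []
    for i in range(count):
        ts = (start + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        rows.append(f"{ts},005BBB,SuspectIntegrationApp,{objects[i % len(objects)]},2000")
    return rows


def build_sample_log():
    """Assemble the constructed CSV sample used by the example."""
    return "\n".join([HEADER] + NORMAL_ROWS + constructed_suspicious_rows()) + "\n"


def parse_api_log(text):
    """Parse the simplified CSV into a list of event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": row["USER_ID"],
            "app": row["CLIENT_NAME"],
            "entity": row["ENTITY_NAME"],
            "rows": int(row["ROWS_PROCESSED"]),
        })
    return events


def find_harvesting(events, window=timedelta(hours=1),
                    max_queries=200, max_entities=8, max_rows=50000):
    """Return {(app, user): [reasons]} for principals that, within any sliding
    window, exceed a query count, an object-enumeration breadth, or a row volume.
    Thresholds are assumed values; tune them to the org's normal integration load."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[(e["app"], e["user"])].append(e)

    findings = {}
    for key, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            reasons = []
            if len(win) > max_queries:
                reasons.append(f"{len(win)} queries within {window}")
            entities = {e["entity"] for e in win}
            if len(entities) > max_entities:
                reasons.append(f"{len(entities)} distinct objects queried")
            rows = sum(e["rows"] for e in win)
            if rows > max_rows:
                reasons.append(f"{rows} rows returned")
            if reasons:
                findings[key] = reasons
                break  # one finding per principal is enough to raise an alert
    return findings


if __name__ == "__main__":
    for (app, user), reasons in find_harvesting(parse_api_log(build_sample_log())).items():
        print(f"ALERT app={app} user={user}: " + "; ".join(reasons))
```

The script keys on the connected app and user pair rather than the IP address, because a stolen OAuth token is used by the legitimate app identity; a normal integration that suddenly touches far more objects than it ever needed is the signal. A finding is a reason to review what scopes that app's refresh token holds and to revoke and reissue it, which is the kind of token rotation LastPass describes in its response.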
Several affected companies have since reported receiving extortion emails. On June 22, data allegedly stolen from multiple Klue customers began appearing on an “Icarus” leak site.

In response to the incident, LastPass revoked employee access to Klue, rotated exposed API tokens, launched an internal investigation, and notified law enforcement. The company also said it is sharing intelligence through its Threat Intelligence, Mitigation, and Escalation (TIME) team to help disrupt the campaign and improve industry-wide defenses.
LastPass customers are advised to remain alert for phishing emails, suspicious phone calls, and other social engineering attempts that may leverage exposed contact information. The company reiterated that LastPass employees will never ask customers for their master passwords and that all legitimate communications should come through official support channels.





