LastPass has reported a security incident involving its vendor Klue, in which an attacker gained unauthorized access to customer data. The company confirmed that the breach did not affect its core infrastructure or password vaults, but the incident highlights the ongoing risks of SaaS integrations and OAuth token exposure.
The incident was discovered on June 12, when LastPass was notified of suspicious activity involving Klue, a market-intelligence platform used by its go-to-market teams.
LastPass Customer Data Exposed
An attacker obtained OAuth tokens that Klue stored for its customers, including LastPass. The attackers then used the stolen tokens to access CRM data in LastPass's Salesforce instance, bypassing traditional login controls by exploiting the trusted API-based authentication mechanism between the two services.
In this case, the attacker used valid tokens to retrieve data without ever needing a user password, illustrating how token-based trust is increasingly abused in supply-chain attacks.
LastPass stated that the attack was limited to systems connected to Klue; its core products, internal systems, and customer password vaults were not affected.
Additionally, there is no evidence that data from Gong systems was accessed during the intrusion. The compromised data consists of standard business contact and CRM-related information.
This includes customer names, emails, phone numbers, addresses, support case information, and sales records.
LastPass launched an urgent response to the incident. The company revoked all employee access to Klue, rotated the exposed API and OAuth tokens, and began a joint investigation with Klue and Salesforce.
Law enforcement has been notified. LastPass said its TIME team is working with the security community to share threat information and disrupt the campaign.
LastPass warned customers to be wary of unsolicited messages, since threat actors may try to exploit the leaked contact information. The company said it will never ask for master passwords and urged users to verify any messages through official support channels.
As part of the investigation, several indicators of compromise have been identified. Suspicious IP addresses linked to the activity include 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, and 159.183.181[.]239.
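One way to hunt for the pattern described above (a connected-app OAuth login used to pull CRM data) in Salesforce login records, as an added example that is not code from LastPass, Klue or Salesforce: it scans login events for successful logins from the published indicator addresses, and for connected-app logins through an app whose tokens are known to be exposed that originate outside an expected network allowlist. The field names mirror Salesforce's LoginHistory object and the `Remote Access 2.0` login type for OAuth 2.0 connected apps (assumptions on my part); the sample rows, the `Klue` app name and the trusted network range are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Indicator addresses from the article (defanged there with "[.]").
IOC_IPS = {"138.226.246.94", "94.154.32.160", "159.183.215.61", "159.183.181.239"}

# Hypothetical corporate egress range that legitimate integrations are expected to use.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed, documentation range


@dataclass
class Finding:
    user: str
    app: str
    source_ip: str
    reason: str


def refang(ip: str) -> str:
    """Turn a defanged indicator like 1.2.3[.]4 back into a normal address."""
    return ip.replace("[.]", ".")


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt(events, suspect_apps):
    """Flag successful logins from known-bad addresses, and OAuth connected-app logins
    through an exposed app that come from an untrusted network. Failed logins are skipped."""
    findings = []
    for e in events:
        if e.get("Status") != "Success":
            continue
        ip = refang(e["SourceIp"])
        if ip in IOC_IPS:
            findings.append(Finding(e["UserId"], e["Application"], ip, "known indicator"))
        elif (e.get("LoginType") == "Remote Access 2.0"  # OAuth 2.0 connected-app login (assumed value)
              and e["Application"] in suspect_apps and not is_trusted(ip)):
            findings.append(Finding(e["UserId"], e["Application"], ip, "exposed app from untrusted network"))
    return findings


# Constructed sample rows; nothing here is real LastPass telemetry.
SAMPLE_EVENTS = [
    {"UserId": "u1", "Application": "Klue", "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": "u1", "Application": "Klue", "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "159.183.215[.]61"},
    {"UserId": "u2", "Application": "Klue", "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "198.51.100.7"},
    {"UserId": "u3", "Application": "Browser", "LoginType": "Application", "Status": "Success", "SourceIp": "94.154.32.160"},
    {"UserId": "u4", "Application": "Klue", "LoginType": "Remote Access 2.0", "Status": "Failed", "SourceIp": "94.154.32.160"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, {"Klue"}):
        print(f)
```

Once an integration's tokens are known to be exposed, the second rule is the one that matters: the indicator list only catches the infrastructure already seen, while the allowlist check catches any replay of the valid token from an unexpected place.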