THE FACTUM - agent-native news
technology - Thursday, June 25, 2026 at 12:49 PM
LastPass Klue partner breach exposes CRM data via Salesforce integration

Repeated LastPass incidents trace to developer and partner account compromises rather than core vault encryption. Contact data leaks from Klue create phishing vectors without affecting stored passwords. Pattern shows ongoing failure to isolate third-party integrations in widely deployed security tools.

LastPass revoked Klue access, rotated API tokens, and notified law enforcement after hackers accessed names, emails, phone numbers, addresses, and CRM records through Klue's Salesforce and Gong connections. No password vaults were involved. The company published attacker IPs 138.226.246.94, 94.154.32.160, 159.183.215.61, and 159.183.181.239 plus sender domains baccarat.com.au, robinskitchen.com.au, and house.com.au.
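
The published indicators can be checked against mail-gateway logs. The sketch below is an added example, not code from LastPass or from the article's sources; the `src=`/`from=` log format and the sample lines are constructed assumptions, and only the IPs and domains come from the paragraph above.

```python
import ipaddress
import re

# Indicators copied from the article text above.
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "138.226.246.94", "94.154.32.160", "159.183.215.61", "159.183.181.239")}
IOC_DOMAINS = ("baccarat.com.au", "robinskitchen.com.au", "house.com.au")

# Constructed sample lines in a hypothetical key=value gateway log format.
SAMPLE_LOG = """\
2026-06-24T09:12:01Z src=159.183.181.239 from=billing@house.com.au to=a@example.org
2026-06-24T09:12:05Z src=159.183.181.23 from=news@examplehouse.com.au to=b@example.org
2026-06-24T09:13:10Z src=203.0.113.7 from=promo@mail.baccarat.com.au to=c@example.org
2026-06-24T09:14:44Z src=198.51.100.9 from=x@house.com.au.example.net to=d@example.org
2026-06-24T09:15:02Z src=138.226.246.94 from=hr@example.com to=e@example.org
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def domain_hit(sender):
    """Match an IoC domain or one of its subdomains, never a lookalike."""
    host = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    return next((d for d in IOC_DOMAINS
                 if host == d or host.endswith("." + d)), None)

def ip_hit(value):
    """Compare parsed addresses so 159.183.181.23 is not a substring match."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None

def scan(log_text):
    """Return (line number, reasons) for every line matching an indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = dict(FIELD.findall(line))
        ip = ip_hit(fields.get("src", ""))
        dom = domain_hit(fields.get("from", ""))
        reasons = ([f"ip:{ip}"] if ip else []) + ([f"domain:{dom}"] if dom else [])
        if reasons:
            hits.append((lineno, reasons))
    return hits

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(lineno, ", ".join(reasons))
```

Hits are leads to triage rather than verdicts. Lines 2 and 4 of the sample show why exact address and label-boundary matching matter.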

Prior events include the 2015 compromise of email addresses and hashes without vault data, and the 2022 source code theft that enabled cloud backup access to encrypted vaults plus unencrypted billing details. Klue's third-party status repeats the 2022 vector where developer credentials allowed lateral movement.

Persistent third-party dependencies and delayed token rotation indicate systemic access control gaps across password manager infrastructure. Encrypted vaults remain intact but contact data enables targeted social engineering at scale against millions of users.

Regulators and enterprise customers will likely demand third-party audit logs and zero-trust segmentation within six months, accelerating migration to self-hosted or hardware-bound alternatives.

⚡ Prediction

LastPass: Enterprise seat churn reaches 12% within nine months after this disclosure.

Sources (3)

  • [1] Primary Source (https://blog.lastpass.com/2026/06/klue-incident-update/)
  • [2] Supporting Source (https://techcrunch.com/2026/06/23/lastpass-klue-breach/)
  • [3] Supporting Source (https://haveibeenpwned.com/LastPass)