LastPass recently faced a security breach through its third-party vendor, Klue, compromising customer information stored within its Salesforce database. The incident, although not affecting LastPass’s core infrastructure or password vaults, highlights the vulnerabilities inherent in Software as a Service (SaaS) integrations and OAuth token misuse.
Incident Overview
On June 12, LastPass was alerted to unusual activities involving Klue, a market intelligence tool integrated with enterprise systems such as Salesforce. This breach allowed unauthorized access to customer data, though it did not impact the company’s core services.
The attackers used stored OAuth tokens to reach LastPass's Salesforce data, bypassing interactive login entirely: the tokens grant API access on the strength of the trust already established between the two services, so no credentials or MFA prompt stand in the way. This incident underscores the increasing exploitation of token-based trust mechanisms in supply chain attacks.
Data Exposure Details
According to LastPass, only systems connected to Klue were affected, and no core products or password vaults were compromised. The accessed data includes standard business information such as customer names, email addresses, and CRM-related data.
While no sensitive authentication data was leaked, the exposed data could be used for targeted phishing or social engineering schemes. There is no current evidence of data access from Gong systems during the breach.
Response and Future Measures
Immediately after detection, LastPass implemented incident response protocols, revoking employee access to Klue and rotating compromised API and OAuth tokens. A joint investigation with Klue and Salesforce is underway, and law enforcement has been notified.
To prevent similar incidents, LastPass is enhancing security measures around third-party integrations and token controls, reinforcing monitoring systems, and reassessing access dependencies. Customers are advised to remain vigilant against unsolicited communications and verify any suspicious interactions through official channels.
LastPass identified several indicators of compromise, including specific IP addresses and malicious email domains, advising security teams to monitor for these within their networks.
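As an added illustration of the monitoring LastPass describes, the following Python (not LastPass's, Klue's or Salesforce's code) runs three defender-side checks over constructed, Salesforce-style API access records for a third-party connected app: token use from IP addresses outside the vendor's expected egress ranges, token use after the integration's access was revoked, and unusually large reads. The field names, networks, app name, revocation time and threshold are all assumptions for the example.

```python
"""Flag suspicious use of a third-party connected app's OAuth tokens.

All records, IP ranges and names below are constructed for the example;
the field layout is an assumption, not Salesforce's real event schema.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: egress ranges the vendor integration is expected to call from.
KNOWN_VENDOR_NETS = [ip_network("203.0.113.0/24")]
# Constructed: when access for the integration was revoked (ISO 8601, UTC).
REVOKED_AT = {"market-intel-app": "2025-06-12T15:00:00Z"}
# Constructed: reads above this per request are worth a second look.
BULK_READ_THRESHOLD = 10_000


@dataclass(frozen=True)
class ApiEvent:
    timestamp: str        # ISO 8601 UTC, so string comparison orders correctly
    connected_app: str    # OAuth client the token was issued to
    source_ip: str
    records_read: int


def find_suspicious(events, nets=KNOWN_VENDOR_NETS, revoked=REVOKED_AT,
                    bulk=BULK_READ_THRESHOLD):
    """Return (event, [reasons]) for every event that trips at least one check."""
    findings = []
    for e in events:
        reasons = []
        if not any(ip_address(e.source_ip) in n for n in nets):
            reasons.append("token used from IP outside vendor ranges")
        if e.connected_app in revoked and e.timestamp >= revoked[e.connected_app]:
            reasons.append("token used after access was revoked")
        if e.records_read > bulk:
            reasons.append("bulk read exceeds threshold")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample records: one normal, one foreign-IP bulk read, one post-revocation.
SAMPLE = [
    ApiEvent("2025-06-12T09:00:00Z", "market-intel-app", "203.0.113.10", 120),
    ApiEvent("2025-06-12T11:30:00Z", "market-intel-app", "198.51.100.7", 48_000),
    ApiEvent("2025-06-12T16:00:00Z", "market-intel-app", "203.0.113.10", 200),
]

if __name__ == "__main__":
    for event, reasons in find_suspicious(SAMPLE):
        print(f"{event.timestamp} {event.source_ip}: {'; '.join(reasons)}")
```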
