LastPass has confirmed that attackers accessed customer data in its Salesforce environment after stealing the OAuth tokens that Klue held on the company's behalf in the Klue supply chain attack. The intrusion, disclosed on June 23, 2026, traces back to a June 12 compromise of Klue, a third-party market intelligence platform used by LastPass go-to-market teams. The Icarus extortion group claimed the underlying breach, which also hit Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. LastPass states its products, services, infrastructure, and customer vaults were not affected.
What Happened
On June 12, LastPass was notified of an incident at Klue (klue.com), an AI-powered market intelligence platform that integrates with LastPass's Salesforce and Gong systems. An investigation found that an unauthorized actor obtained OAuth tokens that Klue held for many of its customers, including LastPass. The threat actor then used those credentials to reach LastPass customer data inside the company's Salesforce environment. LastPass found no evidence the attacker accessed Gong-related data, which typically includes customer calls and emails. The broader campaign was claimed by the Icarus extortion group, which exfiltrated CRM data from multiple victims and then attempted to extort them.
What Was Taken
LastPass says the following customer data may have been exposed from its Salesforce environment:
- Customer names
- Phone numbers
- Email addresses
- Physical addresses
- Support case information
- Sales and CRM-related data
Critically, the exposure was limited to CRM-style contact and support records. Customer vaults, master passwords, and stored credentials were not part of the affected Salesforce data set, and LastPass found no evidence the attacker touched Gong call and email content.
Why It Matters
This incident is a textbook example of fourth-party risk: LastPass was not breached directly, yet customer data leaked because a vendor's vendor integration was compromised. OAuth tokens are persistent, scoped credentials that bypass passwords and often sidestep multi-factor authentication, making them a high-value target when a SaaS integration platform is breached. Because Icarus harvested tokens connecting many customers' Salesforce tenants, a single compromise cascaded across at least seven named organizations. For a security brand like LastPass, even non-vault CRM data carries elevated risk, as attackers can weaponize accurate names, contacts, and support history to craft convincing phishing and social engineering lures.
The Attack Technique
According to LastPass, Icarus gained access to Klue's infrastructure using compromised legacy credentials for an integration service account. That access exposed the OAuth tokens Klue used to connect to various third-party services, including the Salesforce and Gong environments of its customers. With valid tokens in hand, the actor authenticated to LastPass's Salesforce as a trusted integration and exfiltrated CRM data. The attack chain highlights two recurring failure points: dormant legacy credentials that were never rotated, and broad OAuth token scopes that granted standing access without re-authentication.
What Organizations Should Do
- Inventory and audit all third-party OAuth and API integrations connected to Salesforce, Gong, and other SaaS platforms, revoking tokens that are unused or over-scoped.
- Rotate legacy and service-account credentials, eliminate dormant integration accounts, and enforce least-privilege scopes on all tokens.
- Monitor SaaS audit logs for anomalous OAuth token use, such as access from new IPs, bulk record exports, or activity outside normal integration patterns.
- Treat fourth-party SaaS-to-SaaS connections as part of your attack surface and require vendors to disclose their own integration dependencies.
- Warn staff and customers to be skeptical of unsolicited phone or email contact requesting sensitive details, and reinforce that master passwords must never be shared.
- Block and alert on the attacker-linked sender domains baccarat.com[.]au, robinskitchen.com[.]au, and house[.]com.au, and trust only official support channels.
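One way to implement the audit-log monitoring recommended above, as an added example that is not LastPass, Klue or Salesforce code: it runs three simple rules (a connected app's token used from a never-before-seen source IP, a single oversized export call, and cumulative hourly export volume) over constructed Salesforce-style event records. The connected-app names, field names, thresholds and IP addresses are hypothetical.

```python
"""Flag anomalous OAuth/connected-app activity in Salesforce-style audit events.
Added example, not LastPass, Klue or Salesforce code; field names and sample events are
constructed and hypothetical, loosely modelled on Salesforce EventLogFile columns."""
from collections import defaultdict

# Constructed baseline: source IPs each integration normally authenticates from.
KNOWN_IPS = {
    "klue_integration": {"203.0.113.10", "203.0.113.11"},  # hypothetical app names,
    "gong_integration": {"198.51.100.5"},                  # documentation-range IPs
}
BULK_ROWS_THRESHOLD = 5000       # rows in a single export call that count as bulk
HOURLY_EXPORT_THRESHOLD = 20000  # rows one app may pull per hour before alerting

def analyze(events, known_ips=KNOWN_IPS):
    """Return (event_id, reason) findings for suspicious connected-app token use."""
    findings, seen_new_ips, hourly_rows = [], set(), defaultdict(int)
    for ev in events:
        app, ip = ev["client_app"], ev["source_ip"]
        # Token presented from an address this integration has never used before.
        if app in known_ips and ip not in known_ips[app] and (app, ip) not in seen_new_ips:
            seen_new_ips.add((app, ip))
            findings.append((ev["id"], f"new source IP {ip} for {app}"))
        # One oversized export call.
        if ev["event_type"] in ("ReportExport", "BulkApi") and ev["rows"] >= BULK_ROWS_THRESHOLD:
            findings.append((ev["id"], f"bulk export of {ev['rows']} rows by {app}"))
        # Cumulative volume per hour bucket; fires once when the threshold is crossed.
        key = (app, ev["timestamp"][:13])  # "YYYY-MM-DDTHH"
        before = hourly_rows[key]
        hourly_rows[key] = before + ev["rows"]
        if before < HOURLY_EXPORT_THRESHOLD <= hourly_rows[key]:
            findings.append((ev["id"], f"{app} exceeded {HOURLY_EXPORT_THRESHOLD} rows in hour {key[1]}"))
    return findings

def make_event(event_id, timestamp, client_app, source_ip, event_type, rows):
    return {"id": event_id, "timestamp": timestamp, "client_app": client_app,
            "source_ip": source_ip, "event_type": event_type, "rows": rows}
# Constructed sample events (not real log data): a trusted integration's token suddenly
# used from an unknown address to pull records in bulk.
SAMPLE_EVENTS = [
    make_event(1, "2026-06-12T09:05:00Z", "klue_integration", "203.0.113.10", "ApiEvent", 200),
    make_event(2, "2026-06-12T09:20:00Z", "klue_integration", "192.0.2.77", "ApiEvent", 150),
    make_event(3, "2026-06-12T09:22:00Z", "klue_integration", "192.0.2.77", "BulkApi", 12000),
    make_event(4, "2026-06-12T09:40:00Z", "klue_integration", "192.0.2.77", "BulkApi", 9000),
    make_event(5, "2026-06-12T10:00:00Z", "gong_integration", "198.51.100.5", "ApiEvent", 50),
]

if __name__ == "__main__":
    for event_id, reason in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

In a real tenant the baseline would be learned from historical login and API events per connected app rather than hard-coded, and the thresholds tuned to each integration's normal volume.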
Sources: LastPass confirms data breach in Klue supply chain attack