“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.
LastPass: scope, immediate findings, and remedial steps
LastPass confirmed that an unauthorized actor accessed customer data in its Salesforce environment after the theft of OAuth tokens in a supply chain incident that began at Klue. The company said its products, services, and infrastructure were not affected and that customer vaults remained secure. LastPass also reported there was no evidence the attacker accessed Gong-related data, which the company says typically includes customer calls and emails.
As countermeasures, LastPass disabled employee access to Klue, rotated the exposed API/OAuth tokens, and notified law enforcement while the investigation continues. The company additionally warned customers to trust only communications from official support channels and called out several sender domains — baccarat.com[.]au, robinskitchen.com[.]au, and house[.]com.au — as used by the threat actors.
How attackers used Klue access and stolen OAuth tokens
According to the account compiled in the incident notice, attackers compromised Klue’s infrastructure and stole OAuth tokens that connected Klue to customers’ Salesforce environments. Klue’s compromise was claimed by the Icarus extortion group. The Icarus actors reportedly gained their initial foothold by using compromised legacy credentials for an integration service, which then allowed them to obtain OAuth tokens Klue held for many of its customers.
LastPass states the threat actor used those credentials to access LastPass customer data within its Salesforce environment.
Exact categories of customer data that may have been exposed
LastPass provided a concrete list of the types of customer data that may have been exposed through the Salesforce access. The company said the following may have been accessed:
- Customer names
- Phone numbers
- Email addresses
- Physical addresses
- Support case information
- Sales/CRM-related data
LastPass warned that attackers may leverage those data points in phishing and social engineering attacks and reiterated the general recommendation to be cautious of unsolicited phone or email communications that request sensitive details. The company also stressed that the master password should not be shared with anyone.
Broader campaign: Icarus, CRM exfiltration, and extortion
The source links the Klue compromise to a broader extortion campaign. Icarus is reported to have exfiltrated Customer Relationship Management (CRM) data and launched extortion demands after compromising Klue infrastructure. The incident affected multiple organizations beyond LastPass, with the source naming Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity as among those impacted.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Expect OAuth tokens and other long-lived credentials for third-party integrations to be an explicit focus of ongoing investigations and remediation. LastPass’s rotation of exposed API/OAuth tokens and disabling of Klue access are the specific mitigations the company reported taking.
- Affected enterprises and procurement leaders: Organizations that integrate third-party market intelligence platforms with CRM systems should review which tokens and integration credentials are held by those vendors and confirm token rotation where exposure is suspected.
- End users and customers: Because the exposed fields include contact and support-case information, users should be on guard for targeted phishing and social-engineering attempts. Heed LastPass’s guidance: treat unsolicited calls or emails that request sensitive details with caution, and never share a master password.
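The notice gives defenders two concrete things to act on: the sender domains listed above as used by the threat actors, and the guidance to trust only official support channels. The following is an added example, not code from LastPass, Klue, or the article, showing how a mail-triage hook could refang those published indicators and check the domain of each From: header against them, treating subdomains of an indicator as matches and flagging brand impersonation in the display name. The sample messages are constructed, and `lastpass.com` as the official sender domain is an assumption made here for illustration.

```python
"""Triage inbound mail against the sender domains published in the LastPass notice.

Added example (not LastPass's or Klue's code). The IoC list below is taken from the
notice as published; the messages are constructed samples.
"""
from email.utils import parseaddr

# Sender domains called out in the notice, kept in their published defanged form.
DEFANGED_IOC_DOMAINS = [
    "baccarat.com[.]au",
    "robinskitchen.com[.]au",
    "house[.]com.au",
]

# Assumption for this example: the legitimate support sender domain.
OFFICIAL_DOMAIN = "lastpass.com"
BRAND = "lastpass"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a matchable domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOC_DOMAINS}


def parse_from(from_header: str) -> tuple[str, str]:
    """Return (display_name, sender_domain); domain is '' when the header has no address."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name, ""
    return name, addr.rsplit("@", 1)[1].lower().rstrip(".")


def matches_ioc(domain: str, iocs=IOC_DOMAINS) -> bool:
    """True when the domain equals an indicator or is a subdomain of one.

    A plain suffix test would wrongly match 'baccarat.com.au.example', so the
    check requires either equality or a leading '.' before the indicator.
    """
    return any(domain == ioc or domain.endswith("." + ioc) for ioc in iocs)


def triage(messages, official_domain=OFFICIAL_DOMAIN):
    """Return (message_id, verdict, reason) for each message.

    BLOCK: sender domain is a published indicator.
    REVIEW: header unparseable, or the display name claims the brand while the
            address is not from the official domain.
    ALLOW: nothing matched.
    """
    results = []
    for msg in messages:
        name, dom = parse_from(msg["from"])
        if not dom:
            results.append((msg["id"], "REVIEW", "unparseable From header"))
        elif matches_ioc(dom):
            results.append((msg["id"], "BLOCK", f"sender domain {dom} is a published IoC"))
        elif BRAND in name.lower() and dom != official_domain:
            results.append((msg["id"], "REVIEW", f"display name claims brand but domain is {dom}"))
        else:
            results.append((msg["id"], "ALLOW", f"sender domain {dom} not in IoC list"))
    return results


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "LastPass Support <support@lastpass.com>"},
    {"id": "m2", "from": '"LastPass Security" <alerts@robinskitchen.com.au>'},
    {"id": "m3", "from": "noreply@mail.house.com.au"},
    {"id": "m4", "from": "billing@baccarat.com.au.example"},
    {"id": "m5", "from": "garbage header"},
    {"id": "m6", "from": "LastPass Team <help@example.net>"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(*row, sep="\t")
```

The indicators are stored defanged and refanged at load time so the list can be copied from an advisory without hand-editing; the subdomain rule catches `mail.house.com.au` while leaving `baccarat.com.au.example` alone, and the display-name rule surfaces the social-engineering pattern the notice warns about without blocking on a heuristic alone.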
The Klue supply chain incident underscores how compromise of legacy integration credentials and the theft of OAuth tokens can ripple across multiple customers’ CRM environments. LastPass has taken containment steps and notified law enforcement, while Icarus’s extortion claim and the list of affected organizations make clear that CRM data exfiltration and follow-on phishing risks will be central concerns in the weeks ahead.