
Password manager LastPass finds itself explaining another security incident to its millions of users. This time the breach didn’t strike its core systems directly. Hackers instead compromised a third-party vendor called Klue. They swiped OAuth tokens. Those tokens opened the door to LastPass customer data sitting inside a Salesforce environment.
The details emerged Tuesday. TechCrunch reported that LastPass sent notices to affected customers. Names. Phone numbers. Email addresses. Physical addresses. Support case records. Sales-related CRM entries. All of it walked out the door. Yet the company stressed one key point. Customer password vaults stayed untouched. Stored credentials never left the building.
Short. Simple. And familiar to anyone who has followed LastPass over the past decade.
The supply-chain vector adds a new wrinkle. Klue provides market intelligence by linking company data to its platform. On June 12 a hacking group known as Icarus gained entry through a compromised legacy credential. TechCrunch detailed how the intruders pulled business contact information from multiple customers’ Salesforce databases and other cloud stores. Several cybersecurity firms confirmed losses. Gong. Jamf. HackerOne. Recorded Future. Tanium. Snyk. The list grew quickly. Klue posted an update on its site June 22. It described the theft but offered few specifics on the number of victims.
LastPass rotated the exposed tokens. It disabled employee access to Klue. It launched an investigation and notified law enforcement. The company also reminded users that its employees will never ask for a master password. Ever. That warning carries extra weight now.
But the incident lands on top of a troubled history. Go back to 2015. LastPass disclosed suspicious network activity. Email addresses. Password reminders. Salts. Authentication hashes left the premises. Encrypted vaults did not. Users felt uneasy. Many stayed anyway.
Then came 2022. The breach that still haunts the company. Attackers first compromised a developer’s laptop. They moved laterally. They reached cloud storage. They downloaded customer account details and encrypted password vault backups. Names. Billing addresses. Email addresses. Phone numbers. IP addresses. Website URLs. The works. AppleInsider noted the stark difference this week. The Klue event exposed support and sales data but left vaults alone. The 2022 theft gave adversaries encrypted files they could attack offline.
Weak master passwords from earlier accounts made cracking feasible. PBKDF2 iterations proved too low for some users. Criminals brute-forced vaults. They found crypto wallet keys. Reports later tied the haul to roughly $35 million in stolen cryptocurrency. Victims watched balances vanish. Trust eroded further.
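The paragraph above turns on one parameter: the number of PBKDF2 iterations applied to the master password, which sets how much work every offline guess against a stolen encrypted vault costs. The following script is an added example written for this page, not code from the article or from LastPass; the "low" count of 5,000, the attacker's raw HMAC throughput of 1e9 per second and the 8-character lowercase keyspace are constructed illustrations, and 600,000 is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 as recalled here (treat it as an assumption).

```python
"""Added example (not from the article): how the PBKDF2 iteration count
scales the cost of an offline attack on a stolen encrypted vault backup.

Assumptions, all constructed for illustration rather than taken from LastPass:
PBKDF2-HMAC-SHA256 as the key derivation; 5,000 as a 'legacy' count;
1e9 raw HMAC-SHA256 computations per second as attacker throughput;
600,000 as the OWASP-recommended minimum for PBKDF2-HMAC-SHA256."""
import hashlib
import os
import time

RECOMMENDED_ITERATIONS = 600_000  # assumption: OWASP figure for PBKDF2-HMAC-SHA256
LOW_ITERATIONS = 5_000            # constructed 'legacy default' for comparison


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault encryption key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def iteration_count_is_adequate(iterations: int) -> bool:
    """Defender check: does a stored account's count meet the current minimum?"""
    return iterations >= RECOMMENDED_ITERATIONS


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def guesses_per_second(iterations: int, raw_hmac_per_second: float) -> float:
    """Each guess costs `iterations` HMAC calls, so the guess rate falls
    linearly as the iteration count rises."""
    return raw_hmac_per_second / iterations


def exhaustive_search_seconds(candidates: int, iterations: int,
                              raw_hmac_per_second: float) -> float:
    """Wall-clock seconds to try every candidate at the given iteration count."""
    return candidates / guesses_per_second(iterations, raw_hmac_per_second)


def measure_seconds_per_guess(iterations: int) -> float:
    """Time one derivation on this machine (best of three); shows the user-side
    cost of raising the count is a fraction of a second per login."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(3):
        t0 = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    RAW_RATE = 1e9  # constructed attacker throughput, HMAC-SHA256 per second
    candidates = keyspace(26, 8)  # constructed weak master password: 8 lowercase letters
    for count in (LOW_ITERATIONS, RECOMMENDED_ITERATIONS):
        secs = exhaustive_search_seconds(candidates, count, RAW_RATE)
        print(f"iterations={count:>7}: adequate={iteration_count_is_adequate(count)}, "
              f"exhaustive search ~{secs / 86400:.1f} days, "
              f"user login cost {measure_seconds_per_guess(count):.3f}s")
```

The ratio between the two estimates is simply the ratio of the iteration counts (120x here), which is why raising the count on every account, not only new ones, was the fix that mattered; the per-login cost it adds is measured by `measure_seconds_per_guess` and stays well under a second on ordinary hardware.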
Regulators took notice too. The UK’s Information Commissioner’s Office issued a £1.2 million fine. It cited failures in technical and organizational measures. Engineers used personal laptops for production keys. Personal and business vaults sometimes shared master passwords. AWS keys went unrotated after the first intrusion. The ISMS.online analysis laid out those lapses clearly. Compliance gaps became public exhibit A.
Class-action litigation followed. A proposed $8.2 million settlement covers 2022 victims. Claims deadline sits at July 2, 2026. Exclusion and objection dates passed in June. The Top Class Actions tracker keeps the timeline visible. Many users already migrated. Others remain. The latest notice revives old questions about whether any single breach ends the story.
And the phishing never stopped. In January 2026 LastPass warned of emails pretending to come from its infrastructure team. Subjects screamed about urgent maintenance. Recipients were told to back up vaults within 24 hours or risk loss. Links led to fake login pages. The company’s Threat Intelligence, Mitigation, and Escalation team updated its advisory on January 22. New domains. Fresh redirect chains. Same urgency playbook. The LastPass blog post listed indicators of compromise and urged blocking. Stolen support case data from the Klue incident could make those campaigns more convincing. Attackers now possess real conversation history. Real phone numbers. Real names.
Security researchers have questioned LastPass architecture for years. A February 2026 study from ETH Zurich’s Applied Cryptography Group found seven vulnerabilities. The team showed that a compromised server could view or modify passwords during normal operations such as login, vault access, or sync. Complex code added for features like account recovery and family sharing contributed. Outdated cryptography lingered. The Wikipedia entry on LastPass, citing the study, captured the zero-knowledge promise falling short under a malicious server model.
So what now? LastPass says it contained this incident. Tokens rotated. Integrations severed. Yet the pattern persists. Supply-chain attacks expose the reality that no company operates in isolation. Every vendor link becomes a potential doorway. Every OAuth token a potential master key.
Users face practical choices. Enable multifactor authentication everywhere possible. Adopt passkeys where services allow. Avoid clicking links in unexpected emails even when they reference real support tickets. Verify requests by typing official domains directly. Change master passwords to long, unique values if they haven’t been updated since 2022. Consider whether the convenience of one vault still outweighs repeated trust repairs.
The company continues to iterate. It strengthened master password requirements. It improved URL encryption. It published a roadmap of post-incident work. Those steps matter. They arrive late for some customers who lost funds or time.
Industry watchers see broader lessons. Password managers remain high-value targets. Their breach consequences stretch for years because one cracked vault unlocks dozens of accounts. Enterprises audit third-party integrations more aggressively now. They demand tighter token controls and just-in-time access. They test legacy credentials ruthlessly.
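The third-party audit the paragraph above describes (tighter token controls, just-in-time access, testing legacy credentials) can be reduced to a handful of mechanical rules run over an inventory of vendor integrations. The script below is an added example written for this page, not LastPass, Klue or Salesforce tooling; the inventory format, the vendor names and dates, and the thresholds (90-day rotation, 30-day dormancy) are constructed assumptions.

```python
"""Added example (not from the article): a small third-party integration audit.

Assumptions: the Integration record shape, the sample vendors and dates, and the
thresholds below are constructed for illustration; nothing here is a real
LastPass, Klue or Salesforce configuration."""
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_MAX_AGE = timedelta(days=90)  # assumption: rotate integration tokens quarterly
DORMANT_AFTER = timedelta(days=30)     # assumption: unused grants get revoked, not kept warm
LEGACY_KINDS = {"legacy_password", "static_api_key"}  # credential types to retire


@dataclass(frozen=True)
class Integration:
    vendor: str
    credential_kind: str          # "oauth_token", "static_api_key", "legacy_password"
    scopes: frozenset             # what the grant can actually reach
    required_scopes: frozenset    # what the vendor's stated function needs
    last_rotated: date
    last_used: date
    owner: str = ""               # accountable team; empty means nobody owns it


def audit_integration(i: Integration, today: date) -> list[str]:
    """Return human-readable findings for one vendor grant (empty list = clean)."""
    findings = []
    if i.credential_kind in LEGACY_KINDS:
        findings.append(f"{i.vendor}: legacy credential ({i.credential_kind}); "
                        "replace with a short-lived, scoped OAuth grant")
    excess = i.scopes - i.required_scopes
    if excess:
        findings.append(f"{i.vendor}: over-privileged, unneeded scopes {sorted(excess)}")
    since_rotation = today - i.last_rotated
    if since_rotation > ROTATION_MAX_AGE:
        findings.append(f"{i.vendor}: token not rotated for {since_rotation.days} days")
    since_use = today - i.last_used
    if since_use > DORMANT_AFTER:
        findings.append(f"{i.vendor}: dormant grant, unused for {since_use.days} days; revoke")
    if not i.owner:
        findings.append(f"{i.vendor}: no accountable owner recorded")
    return findings


def audit_inventory(inventory, today: date) -> dict[str, list[str]]:
    """Map vendor -> findings, omitting integrations that pass every rule."""
    return {i.vendor: f for i in inventory if (f := audit_integration(i, today))}


# Constructed sample inventory (not real vendors or grants).
SAMPLE_INVENTORY = [
    Integration("market-intel-vendor", "oauth_token",
                frozenset({"crm.read", "crm.write", "support_cases.read"}),
                frozenset({"crm.read"}),
                last_rotated=date(2026, 1, 5), last_used=date(2026, 6, 20),
                owner="sales-ops"),
    Integration("ticketing-bridge", "oauth_token",
                frozenset({"support_cases.read"}), frozenset({"support_cases.read"}),
                last_rotated=date(2026, 5, 30), last_used=date(2026, 6, 22),
                owner="support-eng"),
    Integration("old-reporting-bot", "static_api_key",
                frozenset({"crm.read"}), frozenset({"crm.read"}),
                last_rotated=date(2024, 3, 1), last_used=date(2025, 11, 2)),
]
TODAY = date(2026, 6, 23)  # constructed audit date

if __name__ == "__main__":
    for vendor, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(vendor)
        for line in findings:
            print("  -", line)
```

The scope-difference rule is the one most relevant to the incident described on this page: a vendor that only needs to read CRM records should never hold a grant that also reaches support cases, because a token stolen from that vendor then reaches exactly as far as the grant does.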
LastPass once dominated the consumer password manager market. Its user base still numbers in the tens of millions. The latest event may not trigger mass exodus on its own. But each new disclosure chips away at the foundation. Confidence doesn’t vanish overnight. It fades with every headline that begins the same way.
Hackers stole data again. Not the vaults this time. Not the encrypted secrets. Just the personal details that make targeted attacks sharper. The distinction offers cold comfort. In security the difference between exposed contact records and exposed passwords can disappear the moment a convincing phishing email lands in an inbox.
Stay alert. Verify everything. Assume the next message referencing your support history might not come from the company you trust.
from WebProNews https://ift.tt/rjXkqZM