LastPass confirms data breach in Klue supply chain attack
LastPass confirmed that hackers accessed customer data from its Salesforce environment by stealing the company's OAuth tokens during the Klue supply chain attack. The breach exposed customer information through a third-party vendor compromise.
- Disclosed
- Last updated
- Blast radius
- LastPass customer data accessed via compromised Salesforce environment; OAuth tokens stolen from Klue supply chain attack
- Ecosystems
- Attack vectors
- Affected entities
- LastPassCustomer data accessed via Salesforce environment after OAuth token theft in Klue supply chain attack
LastPass announced a data breach affecting its customers following the Klue supply chain attack. Attackers stole LastPass OAuth tokens, which they then used to gain unauthorized access to the company's Salesforce environment.
The breach resulted in unauthorized access to customer data stored in the Salesforce instance. This incident represents a third-party vendor compromise, where the initial attack vector originated from a supply chain vulnerability at Klue, a third-party service provider.
LastPass has confirmed the incident and is working to remediate the unauthorized access and secure affected customer information.
Remediation
- Review and revoke OAuth tokens and API credentials used by third-party integrations
- Audit Salesforce access logs for unauthorized activity and data access
- Notify affected customers of the data breach and provide credit monitoring or identity protection services
- Implement stricter OAuth token management and rotation policies
- Review and strengthen authentication requirements for critical systems and integrations
- Conduct security assessment of third-party vendor integrations and their security posture
Sources
- LastPass confirms data breach in Klue supply chain attack · BleepingComputer
Cite this entry
"LastPass confirms data breach in Klue supply chain attack." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 23, 2026; last updated June 23, 2026. https://supplychainattack.org/incident/lastpass-confirms-data-breach-in-klue-supply-chain-attack-xn6omg
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activehigh
Context.ai OAuth Token Compromise
Context.ai OAuth tokens were compromised, allowing attackers to conduct supply chain attacks through trusted SaaS integrations. Details on scope, timeline, and remediation steps are not provided in the source text.
OtherAccount takeoverThird-party vendor breach - activecritical
15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers
A coordinated 8-month supply chain attack compromised 15 malicious JetBrains plugins on the official JetBrains Marketplace, stealing AI API keys from approximately 70,000 developers. The credential-stealing code exfiltrated OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server in Beijing, which remained operational at the time of disclosure.
OtherCompromised packageMalicious maintainer - containedhigh
OptinMonster WordPress plugin hacked in CDN supply-chain attack
OptinMonster, TrustPulse, and PushEngage WordPress plugins were compromised in a supply-chain attack targeting Awesome Motive's content distribution network (CDN). The compromise affected plugin distribution and delivery to end users.
Container registryOtherUpdate-server compromise - containedhigh
400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security
On June 11, 2026, attackers hijacked over 400 packages in the Arch User Repository (AUR), converting them into a malware delivery network. The "Atomic Arch" campaign represents a large-scale compromise of developer accounts or package maintainers within the Arch Linux ecosystem.
Atomic ArchOtherAccount takeoverMalicious maintainer