Privacy News: Password manager maker LastPass says hackers stole customer support case data during Klue breach

Brownie2019 (thread author)
Mar 9, 2019
Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack at one of its technology partners, marking the company’s latest data breach in recent years.

In an email shared with TechCrunch from an affected customer, LastPass said the breach occurred at market research firm Klue, and not its own systems. However, hackers abused their access to obtain reams of data about LastPass customers.

LastPass is the latest in a growing list of cybersecurity companies that have reported data thefts as a result of the breach at Klue, which the company disclosed last week. Several other affected companies include HackerOne, Recorded Future, and Tanium.

In a blog post that shared information about the incident, LastPass said the hackers took customers’ names, phone numbers, email addresses, and physical addresses, as well as customer support case data and sales-related data.

LastPass said the company’s own infrastructure was unaffected, including customers’ password vaults.

It’s not yet known what was in the contents of customer support tickets, although they likely contain fragments of potentially private or sensitive information. Customers typically contact customer service when they are having a billing issue or need assistance in gaining access to their accounts. Past incidents involving customer support tickets have included credentials and government-issued identity documents.

Spokespeople for LastPass did not immediately respond to TechCrunch’s request for comment, or questions about the incident, including how many customers are affected by the incident.

LastPass has more than 33 million users and around 1.6 million paying customers as of 2024, according to its website.

LastPass previously experienced a data breach in 2022, in which hackers stole the company’s entire store of customer password vaults, which are used to store their sensitive credentials, such as passwords, tokens, and other personal and credit card numbers.

While the vaults were encrypted with master passwords only known to the customer, the breach allowed hackers to brute-force and crack the vaults offline with the weakest master passwords, and subsequently access the secrets inside. Several crypto thefts were later linked to the LastPass breach, after hackers were suspected of stealing the victim’s wallet keys by cracking their password vault.

Klue CEO Jason Smith said in a blog post that the company identified hackers in its systems on June 12. A hacking and extortion group called Icarus took credit for the breach, and has publicly threatened to release the stolen data if a ransom isn’t paid.

Smith has not responded to TechCrunch’s emails about the incident, including how many customers are affected or if the company has been in contact with the hackers.
 
This type of “partner breach” is still high-impact for customers because the stolen data can be used for targeted phishing, SIM-swap attempts, and support-ticket social engineering, even if password vaults were not accessed.

What was reportedly stolen (and why it matters)
Based on the excerpt, the exposed data may include:
  • Names, emails, phone numbers, and physical addresses (useful for convincing phishing and identity-based scams)
  • Customer support case records (often the most sensitive part, because users sometimes paste screenshots, invoices, partial credentials, or other identifying details into tickets)
  • Sales-related/customer account metadata (can help attackers tailor lures and impersonate vendors)

Even without vault access, this can raise the risk of highly credible emails/texts like “LastPass Support” or “Klue Security” messages that attempt to steal your master password, MFA codes, or get you to install remote support tools.

Practical steps if you’re a LastPass customer
  • Be on high alert for phishing: Treat any “breach notice,” “account locked,” “verify your vault,” or “refund” message as suspicious. Don’t use links or phone numbers from the message itself; go directly to the official site/app.
  • Harden your LastPass account anyway:
    • Ensure your master password is long and unique (ideally a strong passphrase). Do not reuse it anywhere.
    • Make sure MFA is enabled on the account (prefer authenticator app or FIDO2/WebAuthn hardware key where supported).
    • Review account security settings and recent activity (if the service provides logs/alerts).
  • Assume anything you ever put into a support ticket could be exposed: If you previously shared screenshots, license keys, partial card info, ID documents, or credentials, prioritize changing any related passwords and contacting the relevant provider if needed.
  • Protect your email account (critical): Your email is often the “key” to password resets.
    • Use a strong, unique email password
    • Enable MFA on email
    • Review mailbox rules/forwarding filters for tampering
  • Watch for SIM-swap / carrier fraud attempts: If your phone number is exposed, consider adding a carrier account PIN/port-out lock where available.
  • Consider credit/identity monitoring based on your region: If physical address/phone were exposed, it can increase identity-theft risk. A credit freeze may be appropriate in some jurisdictions.

What not to do
  • Don’t share your master password or MFA codes with anyone (no legitimate support will ask).
  • Don’t install “support” or “recovery” software because an email told you to.
  • Don’t assume a message is legitimate just because it includes correct personal details—breached data is commonly used to make scams look authentic.

If anyone receives a breach email and wants it vetted, the safest approach is to compare it against the official vendor announcement and access your account only via manually-typed/bookmarked URLs, not message links.

Sources
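The post's closing advice (vet any "breach notice" against the official vendor announcement and never follow links or phone numbers from the message itself) can be partly mechanised. The helper below is an added example written for this thread, not code from the forum post, LastPass, Klue or TechCrunch: it pulls every URL out of a message, takes the registered domain of each link, and flags anything that is not on an allowlist of official vendor domains, including lookalikes such as `lastpass.com.verify-vault.example` and user-info tricks such as `https://lastpass.com@evil.example/`. The `OFFICIAL_DOMAINS` allowlist and `SAMPLE_EMAIL` are constructed for the example; in practice the allowlist would come from the vendor's published domains.

```python
"""Vet links in a "breach notice" message against an allowlist of official vendor domains.

Added example for the thread above; not LastPass, Klue or TechCrunch code.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist for this example. Real deployments should take this from the
# vendor's published domains rather than hard-coding it.
OFFICIAL_DOMAINS = {"lastpass.com", "klue.com"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)>\"'"


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname ("www.lastpass.com" -> "lastpass.com").

    Simplification: multi-label public suffixes (for example .co.uk) are not handled here;
    use the Public Suffix List for that in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Classify a URL as 'official', 'lookalike' or 'unknown' relative to OFFICIAL_DOMAINS."""
    # urlparse().hostname drops user-info, so "https://lastpass.com@evil.example/" yields
    # "evil.example", and it lowercases the host for us.
    host = urlparse(url).hostname or ""
    if registered_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    brands = {d.split(".")[0] for d in OFFICIAL_DOMAINS}  # "lastpass", "klue"
    if any(brand in host for brand in brands):
        # The brand name appears in the host, but the registered domain belongs to someone else.
        return "lookalike"
    return "unknown"


def extract_urls(text: str) -> list[str]:
    """Find http(s) URLs in free text, stripping punctuation that trails a link in prose."""
    return [m.group(0).rstrip(TRAILING_PUNCT) for m in URL_RE.finditer(text)]


def suspicious_links(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link that does not resolve to an official domain."""
    results = [(u, classify_url(u)) for u in extract_urls(text)]
    return [(u, v) for u, v in results if v != "official"]


# Constructed sample message modelled on the lure types described in the post above.
SAMPLE_EMAIL = """\
Subject: Urgent: verify your vault after the Klue incident

Dear customer, because of a security incident at our partner Klue we must ask you
to confirm your master password here: https://lastpass.com.verify-vault.example/login

Read the official notice at https://www.lastpass.com/ for details.

If you need help, our technician can connect via https://support-lastpass.example/install
"""

if __name__ == "__main__":
    flagged = suspicious_links(SAMPLE_EMAIL)
    for url, verdict in flagged:
        print(f"{verdict:10} {url}")
    if flagged:
        print("Do not follow links in this message; open the vendor site from a bookmark instead.")
```

The verdict split matters for triage: `lookalike` is the classic phishing pattern (brand name in the host, someone else's registered domain), while `unknown` covers tracking or third-party hosts that still should not be trusted for anything involving a master password or MFA code. The example is deliberately allowlist-based; a blocklist of known bad domains would miss the freshly registered lookalikes that breach-driven phishing campaigns typically use.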
I understand this was a partner breach into LastPass, but what does this make it, about 7 previous times in the past and now this one? I know this link may be a bit "questionable" considering the site, but the verifying links at the bottom are from sources like TechCrunch and BleepingComputer.

[Attached image: LastPass-Security-Incidents-scaled.png]