LastPass says hackers stole customer support data in Klue breach
▼ Summary
– LastPass notified customers that a breach at its technology partner Klue led to the theft of personal information and customer support case records.
– Hackers stole names, phone numbers, email addresses, physical addresses, and customer support case data, but LastPass’s own infrastructure and password vaults were unaffected.
– Other cybersecurity companies affected by the Klue breach include HackerOne, Recorded Future, and Tanium.
– LastPass had a previous major breach in 2022 where hackers stole encrypted password vaults, leading to crypto thefts from cracked weak master passwords.
– The hacking group Icarus claimed responsibility for the Klue breach and threatened to release stolen data if ransom demands are not met.
Password management firm LastPass has informed users that their support records and personal details were compromised during a security incident at a third-party technology partner, marking yet another data breach for the company in recent years.
According to an email shared with TechCrunch by an affected customer, the breach originated at market research company Klue, not within LastPass’s own network. Despite this, attackers exploited their unauthorized access to extract a substantial amount of customer data.
This incident places LastPass among a growing roster of cybersecurity firms impacted by the Klue breach, which the vendor disclosed last week. Other affected organizations include HackerOne, Recorded Future, and Tanium.
In a blog post detailing the event, LastPass stated that the stolen information includes customer names, phone numbers, email addresses, physical addresses, plus records from customer support cases and sales-related data. The company emphasized that its own infrastructure remained secure, including users’ password vaults.
The exact contents of the customer support tickets remain unclear, though such records often contain fragments of sensitive or private information. Customers typically reach out to support for billing issues or account access problems. In past incidents, support tickets have included credentials and government-issued identification documents.
LastPass did not immediately respond to TechCrunch’s request for comment, nor to questions about the number of customers affected. As of 2024, the company reports over 33 million users and approximately 1.6 million paying subscribers.
This latest breach follows a major 2022 incident, where hackers stole the entire cache of customer password vaults. Although those vaults were encrypted with master passwords known only to users, attackers were able to brute-force crack weaker passwords offline, accessing sensitive credentials like passwords, tokens, and credit card numbers. Several cryptocurrency thefts were later linked to that breach, with suspects believed to have accessed wallet keys by cracking password vaults.
Klue CEO Jason Smith disclosed in a blog post that the company detected intruders in its systems on June 12. A hacking and extortion group calling itself Icarus has claimed responsibility, publicly threatening to release the stolen data unless a ransom is paid. Smith has not responded to TechCrunch’s inquiries about the number of affected customers or whether the company has communicated with the hackers.
(Source: TechCrunch)
