LastPass Customer Data Compromised in Klue Third-Party Breach
LastPass, a prominent password manager provider, has begun notifying customers that their personal information and customer support records were stolen during a recent cyberattack on one of its technology partners, market research firm Klue. This incident marks another data breach for LastPass in recent years, though the company asserts its core password vault infrastructure remains secure.
The breach, which Klue disclosed last week, allowed hackers to access a significant amount of data pertaining to LastPass customers. The compromised information includes names, phone numbers, email addresses, physical addresses, as well as customer support case data and sales-related information. While the exact contents of the support tickets are unknown, they often contain sensitive details related to billing issues or account access assistance. The hacking and extortion group Icarus has claimed responsibility for the Klue breach and has publicly threatened to release the stolen data if a ransom is not paid.
Klue’s systems were identified as compromised on June 12, and the incident has affected a growing list of cybersecurity companies beyond LastPass, including HackerOne, Recorded Future, and Tanium. LastPass, which serves over 33 million users and approximately 1.6 million paying customers, emphasizes that its own internal systems and, critically, customer password vaults, were not directly impacted in this particular breach.
This event follows a significant data breach in 2022 in which LastPass’s entire store of customer password vaults was stolen. Although those vaults were encrypted, that breach gave attackers the opportunity to crack weaker master passwords offline, leading to subsequent cryptocurrency thefts. The current incident, while not affecting the vaults, highlights the persistent challenges and risks associated with third-party vendor security.
Key Takeaways
- Personal and support data of LastPass customers were stolen through a breach at their technology partner, Klue.
- The compromised data includes names, contact information, physical addresses, and customer support case details, but LastPass's password vaults remain secure.
- The hacking group Icarus claimed responsibility for the Klue breach, which also impacted other cybersecurity firms like HackerOne and Recorded Future.
Editor’s Analysis & Impact
This incident underscores the escalating risk of supply chain attacks, where vulnerabilities in third-party vendors can compromise even robust cybersecurity companies. For LastPass, a firm built on trust and security, this breach, even though it did not touch their core systems, further erodes customer confidence, especially following their significant 2022 vault breach. The market may react with increased scrutiny of vendor security protocols across the tech industry, potentially leading to more stringent due diligence requirements for partnerships. Companies like Klue, which handle sensitive client data, will face immense pressure to enhance their defenses. The broader implication is a heightened awareness that a company’s security is only as strong as the weakest link in its extended network, pushing for industry-wide improvements in third-party risk management and incident response.
Frequently Asked Questions
Q: What data was stolen in this LastPass incident?
A: Names, phone numbers, email addresses, physical addresses, customer support case data, and sales-related data belonging to LastPass customers were compromised through the breach at Klue.
Q: Were LastPass password vaults affected in this breach?
A: No, LastPass has stated that its own infrastructure, including customer password vaults, was unaffected by this particular incident at Klue. This breach primarily involved customer support and personal contact information.
Q: Which company was responsible for the data breach?
A: The data breach occurred at Klue, a market research firm and technology partner of LastPass. The hacking and extortion group Icarus has claimed responsibility for the attack on Klue.