LastPass confirms data breach in Klue supply chain attack

LastPass announced that hackers accessed customer data from its Salesforce environment after stealing the company's OAuth tokens in the Klue supply chain attack earlier this month.

The password management platform says its products, services, and infrastructure were not affected by the incident and that customer vaults remained secure.

“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.

"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”

“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”

The investigation into the incident did not reveal any evidence that the attacker accessed Gong-related data, which typically includes customer calls and emails.

According to LastPass, the following data may have been exposed:

• Customer names
• Phone numbers
• Email addresses
• Physical addresses
• Support case information
• Sales/CRM-related data

Attackers may leverage the above information in phishing and social engineering attacks. The general recommendation for users is to be cautious of unsolicited communications over the phone or email, especially those that request sensitive details. The master password should not be shared with anyone.

The Klue supply chain attack was claimed by the Icarus extortion group, who compromised the infrastructure of the AI-powered market intelligence platform and stole OAuth tokens that connected customers' Salesforce environments.

Icarus hackers gained access to Klue's infrastructure using compromised legacy credentials for an integration service. This gave them access to OAuth tokens that connected Klue to various third-party services.

The incident impacted multiple organizations, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.

The threat actor exfiltrated Customer Relationship Management (CRM) data and launched an extortion campaign.

LastPass has disabled employee access to Klue, rotated the exposed API/OAuth tokens, and notified law enforcement while the investigation is underway.

The company also warned about the threat actors using the sender domains baccarat.com[.]au, robinskitchen.com[.]au, house[.]com.au, noting that only communications from the official support channels should be trusted.