How a Third-Party Hack Exposed Millions of LastPass Users

Here's the thing about data breaches: they rarely happen the way you'd expect. You picture hackers going straight for the big target — picking the lock on the front door. But increasingly, they're slipping in through a side window. A vendor. A partner. Some third-party tool that quietly handles market research in the background, without most users ever knowing it exists.

That's exactly what happened here.

LastPass is notifying customers that their personal information and customer support records were stolen — not from LastPass's own systems, but from a company called Klue, a market research firm that LastPass worked with as a technology partner. Klue disclosed the breach last week, and the fallout is spreading. Other companies caught in the same attack include HackerOne, Recorded Future, and Tanium — a significant list, especially given that all of them operate in the cybersecurity space.

What Information Was Taken

The data stolen isn't vague. Names, phone numbers, email addresses, physical addresses, customer support case records, and sales-related information were all taken from LastPass's customer data held within Klue's systems.

LastPass made a point of clarifying that its own infrastructure wasn't touched. Your password vault — the encrypted container holding your credentials, tokens, credit card details, and sensitive account information — remains intact. The breach didn't reach that layer.

But here's what's worth paying close attention to: customer support ticket records can quietly contain more sensitive information than most people realize. When someone contacts customer support, it's usually because something went wrong — a billing issue, an account lockout, an identity verification problem. Investigations into past support-data breaches at other companies have turned up things like login credentials and government-issued identification documents buried in ticket histories.

What was specifically inside LastPass's support records hasn't been confirmed yet.

Inside the Klue Incident

Klue CEO Jason Smith disclosed that the company first detected unauthorized access in its systems on June 12. The group claiming responsibility goes by the name Icarus — a hacking and extortion outfit that has publicly threatened to release the stolen data if a ransom isn't paid.

As of this writing, Smith hasn't publicly addressed how many customers were affected, or whether the company has engaged with the attackers.

This fits the profile of a supply chain attack, which is an increasingly common and efficient approach. Rather than targeting a company directly, attackers go after a less-secured vendor that has legitimate access to multiple clients' data. One successful compromise. Multiple victims. It's a strategy that scales — and it's genuinely hard to defend against, because the vulnerability exists in a part of the ecosystem you don't fully control.

LastPass's Difficult History Makes This Harder

This is a complicated situation for LastPass — not because they did anything wrong this time, but because they're carrying a lot of history.

In 2022, LastPass experienced what most security professionals would describe as a severe breach. Hackers stole the company's entire store of customer password vaults. Those vaults were encrypted, protected by master passwords that only customers knew. But once attackers had local copies, they could crack them offline, at their own pace, with unlimited attempts. Vaults protected by weak master passwords were vulnerable. A number of cryptocurrency thefts were later linked to the incident, with hackers suspected of cracking vaults to retrieve wallet keys stored inside.

That history doesn't make this new breach worse than it actually is. But it does make the conversation harder for a company that has over 33 million users and around 1.6 million paying customers. That's a large population of people who've placed a very specific kind of trust in LastPass — trust with access to virtually everything.

What This Means If You're a LastPass User

The good news is that your passwords aren't exposed. The password vault is safe.

What is exposed is your identity as a LastPass customer, paired with whatever you might have discussed with their support team. And that combination is genuinely useful to bad actors — not for cracking into accounts directly, but for social engineering. Someone who knows you use a password manager, knows your name, your email, your phone number, and your home address, is in a much better position to craft a convincing phishing message. They can impersonate LastPass support staff. They can target you more precisely.

If you've received a notification about this incident, it's worth being especially cautious about any follow-up communication claiming to be from LastPass — particularly anything asking you to verify your identity or reset your credentials. That's a common tactic after a known breach, because attackers know affected users are on edge and more likely to respond.

The Bigger Problem: Vendor Risk at Scale

What makes this breach worth understanding beyond the specifics is what it represents more broadly. Klue isn't a household name. Most LastPass users have probably never heard of it. It's infrastructure — the kind of company that operates quietly behind the scenes, handling data on behalf of its clients.

And that's exactly what makes it an attractive target.

The same attack hit multiple cybersecurity firms at once. That's not coincidental — it's the point. Companies in the security industry understand supply chain risk better than most. Defending against it in practice, though, is a different problem entirely. You can secure your own systems and still be exposed through a third party you rely on.

That's a hard truth, and it's one that's becoming more relevant for every organization that depends on a network of vendors — which, at this point, is essentially all of them.