LastPass Says Klue Security Incident Exposed OAuth Tokens and May Have Leaked Salesforce CRM Contact Data

LastPass said a security incident at third-party market intelligence platform Klue led to the theft of OAuth tokens that were then used to access LastPass’ Salesforce CRM system, potentially exposing some customer contact and support-case information.

According to ChainCatcher, the company said the compromised data may include customer names, phone numbers, email addresses, home addresses, and business contact details and CRM records related to support cases.

LastPass said its products, services, infrastructure, and customer password vaults were not affected, and that data in its Gong system was not accessed.

The company said it has taken immediate steps including cutting off employee access to Klue, rotating exposed API tokens, and launching an investigation in coordination with Klue, Salesforce, and law enforcement. LastPass also said it shared threat intelligence with the security community via its TIME team and is strengthening future protections.

LastPass urged users to remain alert for phishing emails, phone calls, or social engineering attempts that could use leaked information, and said it will never ask for a user’s master password and will communicate only through trusted channels.