If you’ve ever submitted a support ticket to LastPass, that exchange may now be in the hands of hackers. According to TechCrunch, the password manager has confirmed that customer names, contact details, and support case records were exposed in a recent breach at one of its third-party vendors.
What the hackers got, and what they didn’t
LastPass said its own systems were not compromised and that users’ password vaults remain secure. The exposed data was instead accessed through Klue, a market research company LastPass works with.
While no passwords were stolen, the hackers used their access to Klue’s network to pull customer records, including phone numbers, email addresses, physical addresses, and the contents of support tickets.
In a blog post about the incident, the company stressed that the breach did not affect encrypted password vaults, master passwords, or any credentials stored within LastPass itself. Even so, the exposed information could still prove useful to attackers, who could leverage it for phishing or social engineering campaigns.
A years-old credential opened the door
The LastPass exposure stems from a wider security breach at Klue. Klue revealed that the attackers gained access using a credential linked to a pilot project dating back to 2022. TechCrunch reports that the credential remained active and provided a way into the company’s systems.
Klue said the attackers were able to access customer data connected to its services, affecting multiple organizations that relied on the platform. Along with LastPass, Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Huntress, Sprout Social, and Tanium were affected.
For LastPass, this marks the second time its users have had data caught up in a breach. A 2022 breach exposed encrypted password vaults that were later linked to cryptocurrency theft. This latest exposure did not involve vault data or passwords, but it highlights how a security lapse at a third-party vendor can still affect customers who never interacted with the vendor directly.

