LastPass Hit Again: How a Forgotten Credential Unlocked Hundreds of Companies’ CRM Data
LastPass has confirmed yet another data breach, its second major incident in four years. This time, the company wasn’t directly attacked. The attackers got in through the back door: a third-party market intelligence platform called Klue. But the real story isn’t about LastPass. It’s about a single abandoned credential that exposed dozens of companies’ CRM data at once.
The attack: one credential to rule them all
The attackers first gained access to Klue’s backend infrastructure on June 11 using a long-dormant API credential. It had been created for a third-party integration prototype that Klue built, decided not to ship, and never cleaned up after. That ghost key sat quietly in their systems for years, until someone found it.
From there, the attackers pushed a malicious code update designed to harvest the OAuth tokens that Klue’s customers used to connect the platform to Salesforce, HubSpot, SharePoint, Zoom, Gong, Google Drive, and Slack. Those tokens are the digital equivalent of a master key: whoever holds one needs no password, no MFA, and no phished employee.
The exfiltration: slow burn, then a burst
The data theft wasn’t a smash-and-grab. The attackers began with a slow, steady pull designed to blend in with routine integration traffic, then shifted into high-velocity burst mode. Investigators observed a concentrated surge of nearly 1,000 queries in a single 15-minute window, driven by automated Python scripts siphoning CRM data at scale. The activity ran for approximately 24 hours, and would have been invisible without API-layer logging.
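The burst phase described above is detectable from API-layer logs if you baseline each connected app against itself rather than against a global threshold. The following is an added example, not code from the original article or from Klue, LastPass or Salesforce. The log lines are constructed here (not real data) in a simplified form, one line per API call as `timestamp,connected_app,operation`, standing in for the per-call rows a Salesforce EventLogFile (ApiEvent) export would give you; the app names `conn_klue` and `conn_marketing` are invented.

```python
"""Flag 'slow burn, then burst' API activity per connected app.

Added example, not code from the original article or from Klue/LastPass.
Log lines are constructed below: 'ISO-8601 timestamp,connected_app,operation',
a simplified stand-in for per-call rows from a Salesforce ApiEvent export."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)  # the surge in the report fit inside one 15-minute window
BURST_FACTOR = 10               # a window must exceed 10x the app's own median window...
BURST_FLOOR = 100               # ...and an absolute floor, so tiny baselines don't alert on noise


def build_sample_log():
    """Constructed 24-hour log: one flat high-volume app, one app that trickles then bursts."""
    start = datetime(2026, 6, 11, 0, 0, tzinfo=timezone.utc)
    lines = []
    for w in range(24 * 4):                      # 96 windows of 15 minutes
        t0 = start + w * WINDOW
        # conn_marketing: 40 queries every window; busy, but flat, so not an anomaly
        for i in range(40):
            lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()},conn_marketing,Query")
        # conn_klue: slow burn of 4 queries per window (blends into integration traffic)...
        n = 980 if w == 80 else 4               # ...then 980 queries inside the 20:00 window
        for i in range(n):
            lines.append(f"{(t0 + timedelta(milliseconds=900 * i)).isoformat()},conn_klue,Query")
    return lines


def parse_line(line):
    ts, app, op = line.strip().split(",")
    return datetime.fromisoformat(ts), app, op


def window_start(ts):
    """Floor a timestamp to the start of its 15-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)


def window_counts(lines):
    """Calls per connected app per 15-minute window: {app: {window_start: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, app, _ = parse_line(line)
        counts[app][window_start(ts)] += 1
    return counts


def find_bursts(lines):
    """Return [(app, window_start, count, baseline)] for windows that are both
    above BURST_FLOOR and more than BURST_FACTOR times the app's median window.
    Baselining each app against its own median is what separates a burst from a
    legitimately busy integration; a single global threshold would miss one or
    misfire on the other."""
    alerts = []
    for app, buckets in window_counts(lines).items():
        baseline = statistics.median(buckets.values())
        for start, n in sorted(buckets.items()):
            if n >= BURST_FLOOR and n > BURST_FACTOR * baseline:
                alerts.append((app, start, n, baseline))
    return alerts


if __name__ == "__main__":
    for app, start, n, baseline in find_bursts(build_sample_log()):
        print(f"BURST {app}: {n} calls in window starting {start:%Y-%m-%d %H:%M}Z "
              f"(app median per window: {baseline})")
```

Run against the constructed log, this flags only `conn_klue` in the 20:00 UTC window (980 calls against a median of 4 per window) and stays quiet on `conn_marketing`, which makes 40 calls every window. The slow-burn phase is designed to look exactly like that median, so a rule like this catches the burst, not the trickle; catching the trickle needs a longer baseline (days or weeks of the same app's history) and a check on what was queried, not just how often.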
LastPass: the latest domino to fall
LastPass confirmed that the attackers accessed support cases containing customer data held in its Salesforce environment. Its products, services and infrastructure were not affected, and customer vaults remained secure. The data potentially exposed:
- Customer names
- Phone numbers
- Email and postal addresses
- Support case contents
- Sales and CRM data
Master passwords were not exposed.
The extortion group behind the attack, Icarus, is now using the stolen contact data to run targeted phishing campaigns. Stolen contact details combined with support history are more than enough to craft convincing, personalized lures. Over a dozen organizations have confirmed impact, including Jamf, OneTrust, Sprout Social, Insurity, Pendo, and 8×8. Hundreds of Klue customers are likely affected in total.
The Icarus extortion group
Icarus has been active since late April 2026. After compromising Klue, they emailed affected organizations, warning that their Salesforce data had been downloaded and giving them 48 hours to negotiate or face public exposure on the group’s dark web leak site. Their approach is calculated: rather than targeting one company at a time, they compromised a single vendor and inherited access to its entire customer base in one move.
LastPass’s second major breach in four years
The 2022 breach exposed encrypted vault backups after attackers compromised a senior DevOps engineer’s personal machine, an attack that went on to enable an estimated $35 million in cryptocurrency theft as attackers brute-forced vaults protected by weak master passwords. The 2026 incident is structurally different: no vault data was taken. But the pattern of recurring third-party exposure raises serious questions about supply chain governance.
What this means for the industry
The Klue incident is a textbook illustration of the “NHI blind spot”: non-human identities (service accounts, integration tokens, API credentials) operating with broad permissions and almost no oversight. SaaS supply chain breaches are accelerating. Compromising one vendor means access to hundreds of enterprise environments at once, yet these integrations are typically monitored far less closely than employee accounts.
Every SaaS tool you’ve ever granted CRM access to is a potential entry point, not because of what that tool does, but because of what happens when someone compromises the vendor behind it.
What you should do now
Action checklist
1. Audit your OAuth grants. List every third-party app with CRM access. Revoke anything you don’t actively use.
2. Review your Salesforce API logs. Look for unusual query volumes around June 11–13, 2026. Cross-reference with IOCs published by Klue and LastPass.
3. Rotate all tokens tied to Klue integrations. Even without signs of compromise, rotation is the safe default.
4. Hunt for dormant credentials. The original entry point was a credential no one remembered existed. Audit integration service accounts regularly.
5. Be alert to phishing. Icarus has names, emails, phone numbers, and support histories. Spear-phishing attempts will look unusually credible. Brief your team.
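Steps 1 through 4 of the checklist are one triage pass over your connected-app inventory, and they are easy to turn into a repeatable script. The following is an added example, not code from the original article or from any vendor named in it. The grant records are constructed here; their fields (app name, scopes, created, last used, use count) are assumed to mirror what a Salesforce OauthToken report exposes (AppName, LastUsedDate, UseCount), and the scope semantics assumed are Salesforce-style, where `full` grants everything. The 90-day dormancy cutoff and the "klue" name match are assumptions to tune, not something the article prescribes.

```python
"""Triage OAuth grants / integration credentials against the action checklist.

Added example, not code from the original article. Records are constructed below;
field names are assumed to mirror a Salesforce OauthToken report (AppName,
LastUsedDate, UseCount), but any SaaS admin export with the same facts works."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
NOW = datetime(2026, 6, 20, tzinfo=UTC)              # audit date (constructed)
DORMANT_AFTER = timedelta(days=90)                    # unused this long -> revoke (assumed cutoff)
INCIDENT_START = datetime(2026, 6, 11, tzinfo=UTC)    # June 11-13, 2026, inclusive
INCIDENT_END = datetime(2026, 6, 14, tzinfo=UTC)
VENDORS_TO_ROTATE = ("klue",)                         # substring match on the app name
BROAD_SCOPES = frozenset({"full"})                    # assumed Salesforce-style scope names


@dataclass(frozen=True)
class Grant:
    app_name: str
    scopes: frozenset
    created: datetime
    last_used: Optional[datetime]   # None: never used since it was issued
    use_count: int


def triage(grant: Grant, now: datetime = NOW) -> list[str]:
    """Return action codes for one grant; an empty list means no finding."""
    findings = []
    name = grant.app_name.lower()
    if any(vendor in name for vendor in VENDORS_TO_ROTATE):
        findings.append("ROTATE_VENDOR")            # step 3: rotate regardless of evidence
    if grant.last_used is None:
        # never used: the 'forgotten prototype' case, dormant since the day it was issued
        if now - grant.created > DORMANT_AFTER:
            findings.append("REVOKE_DORMANT")       # steps 1 and 4
    elif now - grant.last_used > DORMANT_AFTER:
        findings.append("REVOKE_DORMANT")
    if grant.last_used and INCIDENT_START <= grant.last_used < INCIDENT_END:
        findings.append("REVIEW_INCIDENT_WINDOW")   # step 2: pull this app's API logs
    if grant.scopes & BROAD_SCOPES:
        findings.append("REVIEW_BROAD_SCOPE")       # least privilege: does it need 'full'?
    return findings


def triage_grants(grants, now: datetime = NOW) -> dict:
    return {g.app_name: triage(g, now) for g in grants}


def sample_grants():
    """Constructed records, not from any real tenant."""
    def day(y, m, d):
        return datetime(y, m, d, tzinfo=UTC)
    return [
        Grant("Klue Competitive Intel", frozenset({"api", "refresh_token"}), day(2024, 3, 2), day(2026, 6, 12), 5120),
        Grant("Partner Portal Prototype", frozenset({"api", "refresh_token"}), day(2022, 9, 14), None, 0),
        Grant("Exec BI Dashboard", frozenset({"full", "refresh_token"}), day(2025, 1, 8), day(2026, 6, 19), 900),
        Grant("HR Sync", frozenset({"api", "refresh_token"}), day(2025, 5, 1), day(2026, 6, 19), 410),
    ]


if __name__ == "__main__":
    for app, findings in triage_grants(sample_grants()).items():
        print(f"{app:28s} {', '.join(findings) or 'ok'}")
```

On the constructed inventory the Klue grant is flagged for rotation and for log review because it was active inside the incident window; the never-used 2022 prototype, the same class of credential that let the attackers into Klue, is flagged for revocation; the dashboard with `full` scope is flagged for a least-privilege review; and the routine HR sync produces no finding. Run this on a schedule, not once, since the point of step 4 is that dormant credentials accumulate quietly.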
The bottom line
The Klue breach didn’t require a zero-day vulnerability, a nation-state attacker, or a sophisticated phishing campaign. It required one forgotten API credential, a malicious code push, and 24 hours of automated queries.
In 2026, your attack surface doesn’t end at your perimeter; it ends at the perimeter of every vendor who holds a token connected to your systems. Talk to us for more.
