LastPass Users' Data Stolen Again in Partner Breach

Original: Security News This Week: LastPass Users Had Their Data Stolen—Again

Why This Matters

The incident highlights ongoing security risks for password manager users and third-party integration vulnerabilities affecting enterprise platforms.

Password manager LastPass disclosed a data breach affecting customer names, phone numbers, email addresses, and physical addresses. The compromise resulted from a breach at AI business intelligence firm Klue, whose compromised access tokens were used to extract LastPass data from integrated platforms like Salesforce.

LastPass has confirmed another significant data breach, adding to its history of security incidents. The company notified customers that attackers gained access to names, phone numbers, email addresses, physical addresses, support case data, and sales-related information. Unlike previous breaches, this compromise did not originate from LastPass's own infrastructure and did not affect customer password vaults. The attack chain involved the compromise of access tokens belonging to Klue, an AI business intelligence firm that integrates with LastPass. Attackers used these compromised tokens to access data stored in connected platforms including Salesforce. LastPass advised customers to remain vigilant against potential phishing attacks and social engineering attempts that could leverage the exposed contact details. The company emphasized that this was a partner breach rather than a direct compromise of its systems or password storage.

Source

wired.com