
LastPass Data Breach 2026: Klue OAuth Attack Hits 8 Firms

[Illustration: broken chain representing the OAuth trust chain breach in the Klue supply chain attack that affected LastPass and seven other companies]

On June 12, 2026, the Icarus extortion group breached Klue, a market intelligence SaaS platform, by exploiting a forgotten legacy integration credential. Within days the compromise had reached Klue’s customers: attackers used stolen OAuth tokens to query LastPass’s Salesforce CRM roughly 900 times, exfiltrating customer names, phone numbers, email addresses, physical addresses, and support case records. LastPass notified affected customers on June 23. The framing matters: this is a Klue breach. LastPass was collateral damage in a supply chain attack that hit eight companies at once.

How a Market Intelligence Tool Became a Supply Chain Weapon

Klue integrates with customers’ Salesforce environments via OAuth, the standard delegation flow that lets one SaaS platform act on behalf of another. When you connect Klue to Salesforce, you approve a Klue connected app and Salesforce issues it an OAuth access token, typically paired with a long-lived refresh token so the integration keeps working without anyone logging in again. Critically, those tokens live in Klue’s infrastructure, not yours. If Klue falls, the attacker inherits the tokens along with every permission they carry. An OAuth token is a bearer credential: whoever presents it is treated as the authorized app. No password is required and there is no MFA to bypass, because the user authentication already happened when the integration was approved.

Icarus gained their initial foothold through a forgotten legacy credential, originally created for a prototyping project and never deactivated. From there they deployed malicious code to harvest OAuth tokens at scale. The exploitation phase was fully automated: Python scripts presenting the user-agent strings “Python-urllib/3.12” and “Python-urllib/3.14” ran nearly 900 queries against Salesforce API endpoints across victim environments. This is the supply chain attack model dominating 2026: compromise one trusted SaaS provider and inherit access to all of its customers’ connected environments. The April 2026 Vercel breach used the identical playbook via compromised Context.ai OAuth tokens.
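
The scripted pattern described above (urllib user agents, hundreds of SOQL queries against CRM objects from a single integration principal) is the kind of thing Salesforce Event Monitoring data can surface. The detection below is an added example written for this article, not code from Klue, LastPass or Salesforce: it reads Salesforce-style REST API event rows, groups them by user and client app, and flags principals that combine a scripted user agent with high-volume reads of CRM objects. The column names are modeled on EventLogFile RestApi rows but are an assumption to map onto whatever your org exports; the user-agent strings are the ones reported for the incident, and every log line is constructed.

```python
"""Detect scripted, high-volume CRM reads in Salesforce-style REST API event logs.

Added example for this article; not code from Klue, LastPass or Salesforce.
Column names follow the shape of Salesforce EventLogFile "RestApi" rows, but the
exact set is an assumption: map them to whatever your org exports. The user-agent
strings are the ones reported for the incident; every log line is constructed.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPTED_UA = re.compile(r"^Python-urllib/\d+\.\d+$")  # reported IoC for the Icarus scripts
CRM_ENTITIES = {"Account", "Contact", "Lead", "Opportunity", "Case"}
HEADER = ("EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,USER_AGENT,"
          "URI,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP")


def constructed_sample():
    """Constructed log: one integration user issuing 60 SOQL queries against
    Contact and Case in 30 minutes via urllib, plus a few ordinary browser-driven
    record reads from a sales rep (user ids, client names and IPs are made up)."""
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    t0 = datetime(2026, 6, 13, 2, 0, 0)
    lines = [HEADER]
    for i in range(60):
        ts = (t0 + timedelta(seconds=30 * i)).strftime(fmt)
        entity = "Contact" if i % 2 == 0 else "Case"
        ua = "Python-urllib/3.12" if i % 3 else "Python-urllib/3.14"
        lines.append(f"RestApi,{ts},005INTEGRATION01,Market Intel Connector,{ua},"
                     f"/services/data/v60.0/query,{entity},200,203.0.113.10")
    for i in range(5):
        ts = (t0 + timedelta(minutes=10 * i)).strftime(fmt)
        lines.append(f"RestApi,{ts},005SALESREP00001,Browser,Mozilla/5.0 (X11; Linux x86_64),"
                     f"/services/data/v60.0/sobjects/Contact/003X{i:010d},Contact,1,198.51.100.7")
    return "\n".join(lines) + "\n"


def parse_rows(text):
    """Parse CSV event rows, adding a datetime and an integer row count to each."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        r["rows"] = int(r["ROWS_PROCESSED"] or 0)
    return rows


def peak_rate(timestamps, window):
    """Largest number of events falling inside any span of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_token_abuse(text, window_minutes=60, max_queries=50, max_rows=5000):
    """Return one finding per (user, client app) whose traffic looks like token
    replay: scripted user agent, SOQL queries against CRM objects, and volume
    beyond either threshold inside the sliding window."""
    window = timedelta(minutes=window_minutes)
    by_principal = defaultdict(list)
    for r in parse_rows(text):
        by_principal[(r["USER_ID"], r["CLIENT_NAME"])].append(r)
    findings = []
    for (user, client), events in sorted(by_principal.items()):
        queries = [e for e in events if e["URI"].endswith("/query")]
        scripted = {e["USER_AGENT"] for e in events if SCRIPTED_UA.match(e["USER_AGENT"])}
        entities = {e["ENTITY_NAME"] for e in queries} & CRM_ENTITIES
        peak = peak_rate([e["ts"] for e in queries], window)
        rows_read = sum(e["rows"] for e in queries)
        if scripted and entities and (peak >= max_queries or rows_read >= max_rows):
            findings.append({
                "user_id": user, "client": client,
                "user_agents": scripted, "entities": entities,
                "source_ips": {e["CLIENT_IP"] for e in events},
                "peak_queries_per_window": peak, "rows_read": rows_read,
            })
    return findings


if __name__ == "__main__":
    for f in find_token_abuse(constructed_sample()):
        print(f"{f['user_id']} via {f['client']}: {f['peak_queries_per_window']} queries "
              f"in the window, {f['rows_read']} rows of {sorted(f['entities'])} "
              f"from {sorted(f['source_ips'])} with {sorted(f['user_agents'])}")
```

The thresholds are deliberately parameters: a legitimate market intelligence integration also reads CRM objects in bulk, so the signal is the change from that integration user’s own baseline (new user agent, new source IP, query volume an order of magnitude above normal), not bulk reads as such. In a real investigation the CLIENT_IP set in each finding is the pivot to check against the vendor’s published egress ranges.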

The Blast Radius: Eight Firms Hit, Including Security Specialists

LastPass captured the headlines, but seven other confirmed victims tell the harder story. Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity, and HackerOne were all caught in the same supply chain trap. HackerOne, a platform whose entire purpose is managing security vulnerability disclosures, was compromised through a market intelligence integration. If that does not settle the debate about whether sophisticated security teams are immune to this attack class, nothing will.

The stolen data across all victims consisted of standard CRM contents: business contacts, sales communications, pricing details, opportunity notes, and support case records. No payment card data, no passwords. Icarus used compromised Australian retail domains as extortion channels and directed victims to contact them via Session Messenger: professional criminal infrastructure, not amateur opportunism.


LastPass Data Breach History Makes This Landing Harder

LastPass vaults were not exposed in this incident; that distinction matters and must be stated plainly. It does not, however, erase the accumulated context. In the 2022 breach, attackers stole encrypted vault backups from AWS S3 after compromising a senior DevOps engineer’s home computer via a vulnerable Plex server and using a keylogger to capture the master decryption key. Vaults protected by weak master passwords were subsequently cracked offline, enabling cryptocurrency thefts that totaled over $150M through 2025, per FBI findings. LastPass settled a $24.5M class action in 2025.

This breach adds contact and support data to an already battered trust ledger. Users migrating to Bitwarden or 1Password will point to the cumulative pattern, not this specific incident. That is a reasonable conclusion. The vaults held, but the question of whether LastPass deserves continued trust is legitimate.

Key Takeaways

  • The Klue breach was a supply chain attack. LastPass’s own infrastructure was not compromised — but customer contact and support data leaked through a third-party OAuth integration.
  • OAuth tokens held by SaaS vendors are attack surfaces. If your vendor is breached, attackers inherit those tokens and the access they carry, and nothing on your side challenges them: a token is a bearer credential that was authorized once and stays valid until it expires or is revoked.
  • Legacy credentials are a universal liability. The Klue entry point was a forgotten integration account created for prototyping. Audit and deactivate unused credentials now.
  • HackerOne, Recorded Future, and Tanium were also victims — security expertise does not make you immune to supply chain OAuth exposure.
  • Audit your active OAuth grants across all SaaS integrations. Revoke any Klue-related tokens immediately. For all future integrations, enforce least-privilege scoping — request only the permissions the integration actually needs.
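
Auditing and revoking grants, as the last three takeaways describe, comes down to enumerating every connected-app token, deciding which ones go, and re-scoping the rest. The script below is an added example for this article, not LastPass’s, Klue’s or Salesforce’s code. Its records are constructed in the shape of Salesforce’s OauthToken object with an assumed Scopes list (granted scopes are not exposed on that object and would be pulled from the connected app definition); the vendor list, staleness window and allowed-scope baseline are assumptions to tune; and the DELETE request it emits is the standard REST path for deleting an OauthToken record, which is how such a grant is revoked (confirm the API version for your org).

```python
"""Audit connected-app OAuth grants and build a revocation / rescoping plan.

Added example for this article; not code from LastPass, Klue or Salesforce.
Records are shaped like Salesforce's OauthToken object (Id, AppName, UserId,
LastUsedDate, UseCount) plus an assumed Scopes list. The DELETE request is the
REST sObject delete path for OauthToken, which revokes the grant. All records,
ids and app names are constructed.
"""
from datetime import datetime, timedelta

COMPROMISED_VENDORS = {"klue"}               # case-insensitive substring match on AppName
STALE_AFTER = timedelta(days=90)             # unused this long: treat as a forgotten grant
ALLOWED_SCOPES = {"api", "refresh_token"}    # assumed least-privilege baseline for a CRM integration
AUDIT_TIME = datetime(2026, 6, 24, 0, 0, 0)  # fixed "now" so the example is reproducible


def constructed_grants():
    """Constructed OauthToken-like records: one tied to the breached vendor, one
    forgotten prototype grant, one over-scoped but active grant, one clean."""
    return [
        {"Id": "0Z0000000000001", "AppName": "Klue", "UserId": "005INTEGRATION01",
         "LastUsedDate": AUDIT_TIME - timedelta(days=1), "UseCount": 900,
         "Scopes": ["api", "refresh_token"]},
        {"Id": "0Z0000000000002", "AppName": "Prototype Sync 2023", "UserId": "005DEVOPS0000001",
         "LastUsedDate": AUDIT_TIME - timedelta(days=400), "UseCount": 3,
         "Scopes": ["full", "refresh_token"]},
        {"Id": "0Z0000000000003", "AppName": "Analytics Bridge", "UserId": "005INTEGRATION02",
         "LastUsedDate": AUDIT_TIME - timedelta(days=2), "UseCount": 5000,
         "Scopes": ["full", "refresh_token", "web"]},
        {"Id": "0Z0000000000004", "AppName": "Support Desk Connector", "UserId": "005INTEGRATION03",
         "LastUsedDate": AUDIT_TIME - timedelta(days=1), "UseCount": 140,
         "Scopes": ["api", "refresh_token"]},
    ]


def classify_grant(token, now):
    """Reasons a grant needs action, in priority order; an empty list means clean."""
    reasons = []
    name = token["AppName"].lower()
    if any(vendor in name for vendor in COMPROMISED_VENDORS):
        reasons.append("compromised_vendor")
    last_used = token.get("LastUsedDate")
    if last_used is None or now - last_used > STALE_AFTER:
        reasons.append("stale")
    excess = set(token.get("Scopes", [])) - ALLOWED_SCOPES
    if excess:
        reasons.append("excess_scopes:" + ",".join(sorted(excess)))
    return reasons


def revocation_plan(tokens, now, base_url, api_version="v60.0"):
    """Revoke grants tied to a breached vendor or left unused; flag over-scoped
    but active grants for re-authorization with a narrower scope set."""
    plan = []
    for token in tokens:
        reasons = classify_grant(token, now)
        if not reasons:
            continue
        revoke = "compromised_vendor" in reasons or "stale" in reasons
        plan.append({
            "id": token["Id"], "app": token["AppName"], "user": token["UserId"],
            "action": "revoke" if revoke else "rescope", "reasons": reasons,
            # Deleting the OauthToken record is how the grant is revoked server-side.
            "request": (f"DELETE {base_url}/services/data/{api_version}/sobjects/OauthToken/{token['Id']}"
                        if revoke else None),
        })
    return plan


if __name__ == "__main__":
    for item in revocation_plan(constructed_grants(), AUDIT_TIME, "https://example.my.salesforce.com"):
        print(item["action"].upper(), item["app"], "->", "; ".join(item["reasons"]))
```

Rescoping is listed as a separate action on purpose: an active, over-scoped grant cannot be narrowed in place, so the fix is to revoke it and have the vendor re-authorize against a connected app whose scope set is the minimum the integration needs. Run the plan as a dry run first and reconcile the list with the vendor’s own inventory before sending the deletes.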

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
