
Klue Supply Chain Incident & LastPass Response

We want to inform our customers of a security incident which recently occurred at one of our third-party suppliers and how that incident impacts LastPass and our customers.

What Happened?

On June 12th LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams which integrates with our Salesforce and Gong systems. The incident had a broad impact across many companies including LastPass. We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass. The threat actor then used these credentials to access LastPass customer data within our Salesforce environment. Remediation has been completed, and the exposed Klue OAuth tokens have since been rotated.

It is important to note that the scope of this incident is limited to only those systems that integrate with Klue’s application. LastPass products, services, and infrastructure were not impacted in any way and customer vaults remain secure. There is also no evidence the threat actor accessed any Gong-related data.

What Information May Be Affected?

The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

What Did LastPass Do?

Upon learning of this incident, the LastPass Security and Threat Intelligence teams immediately launched an investigation and acted swiftly to remediate the incident. Steps taken include:

  • Discontinued all employee access to Klue
  • Rotated the exposed API access tokens
  • Launched a detailed investigation into the scope of the event, working with our contacts at both Klue and Salesforce
  • Notified and are cooperating with law enforcement

Ongoing actions include:

  • Through our TIME team (Threat Intelligence, Mitigation, and Escalation), we are working with the larger security community to share information and the tactics, techniques, and procedures (TTPs) observed, to help disrupt this campaign and support defenders
  • Implementing additional safeguards and strengthening protocols to defend against similar incidents in the future

What You Can Do

We recommend that customers remain vigilant of potential phishing attacks or social engineering attempts, which could leverage exposed contact details. Always exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information.

Please remember that no one at LastPass will ever ask for your master password.

All official communication from LastPass comes through our trusted support channels.

Need Assistance or Have Questions?

If you are in need of additional support, LastPass Support teams are available via support.lastpass.com or your existing LastPass support channels. You can also contact our Security team at securitydisclosure@lastpass.com.

Appendix: Indicators of Compromise

IP Addresses:

  • 138.226.246[.]94
  • 94.154.32[.]160
  • 159.183.215[.]61
  • 159.183.181[.]239

Email Sender Domains:

  • baccarat.com[.]au
  • robinskitchen.com[.]au
  • house.com[.]au
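As an added example (not code from LastPass or Klue), the following Python refangs the indicators listed in this appendix and checks log lines against them, in the way a defender would sweep Salesforce login history and mail-gateway logs after reading this notice. The log lines, hostnames, usernames and field names are constructed for illustration; only the IP addresses and sender domains come from the appendix above. It goes slightly beyond the list itself: sender domains are matched as exact domains or subdomains, and IP matching parses the address rather than doing a substring search, so "warehouse.com.au" does not match "house.com.au" and a longer address does not match a shorter one.

```python
import ipaddress
import re

# Indicators exactly as published in the appendix above (defanged form).
DEFANGED_IPS = [
    "138.226.246[.]94",
    "94.154.32[.]160",
    "159.183.215[.]61",
    "159.183.181[.]239",
]
DEFANGED_DOMAINS = [
    "baccarat.com[.]au",
    "robinskitchen.com[.]au",
    "house.com[.]au",
]


def refang(indicator):
    """Turn a defanged indicator ("1.2.3[.]4", "hxxp://") back into its live form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Parse once so comparisons are on real addresses / normalised domains, not substrings.
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Captures the domain part of any email address found in the line.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def match_line(line):
    """Return a list of indicator hits ("ip:..." / "sender-domain:...") for one log line."""
    hits = []
    for candidate in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            continue
        if addr in IOC_IPS:
            hits.append(f"ip:{addr}")
    for domain in EMAIL_RE.findall(line):
        domain = domain.lower()
        # Exact listed domain, or a subdomain of it (mail.house.com.au), but not
        # an unrelated domain that merely ends in the same letters (warehouse.com.au).
        if domain in IOC_DOMAINS or any(domain.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(f"sender-domain:{domain}")
    return hits


def scan(lines):
    """Return (1-based line number, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (hypothetical hosts, users and formats; not real data).
SAMPLE_LOG = [
    'Jun 12 09:14:02 sfdc LoginHistory user=integration@corp.example SourceIp=138.226.246.94 Status=Success',
    'Jun 12 09:20:11 sfdc LoginHistory user=jdoe@corp.example SourceIp=10.0.4.17 Status=Success',
    'Jun 13 14:02:55 mailgw inbound from=billing@robinskitchen.com.au to=jdoe@corp.example subject="Invoice attached"',
    'Jun 13 14:05:10 mailgw inbound from=alerts@mail.house.com.au to=asmith@corp.example subject="Action required"',
    'Jun 13 14:07:31 mailgw inbound from=ops@warehouse.com.au to=jdoe@corp.example subject="Delivery update"',
    'Jun 13 15:40:00 sfdc LoginHistory user=svc@corp.example SourceIp=94.154.32.160 Status=Failed',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Running the block flags lines 1, 3, 4 and 6 of the constructed sample and leaves the internal login and the "warehouse.com.au" sender alone. In practice you would feed it exported Salesforce LoginHistory rows and mail-gateway logs for the window around the incident, and treat a hit on a successful login as a trigger to review what that session queried.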