LastPass customer data stolen through Klue vendor

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- LastPass notified customers that personal information and customer support case records were stolen through a breach at market research vendor Klue, not LastPass's own systems, according to an email shared with TechCrunch.
- Klue's breach has also hit other cybersecurity companies including HackerOne, Recorded Future, and Tanium, per LastPass's blog post disclosing the incident.
- Stolen data includes names, phone numbers, email addresses, physical addresses, customer support case data, and sales-related data, and support tickets likely contain fragments of private or sensitive information such as credentials or government-issued identity documents.
- Klue CEO Jason Smith said the company identified hackers in its systems on June 12, and extortion group Icarus has claimed credit, publicly threatening to release the stolen data if a ransom is not paid.
- LastPass stressed its own infrastructure — including customer password vaults — was unaffected; the company reports more than 33 million users and roughly 1.6 million paying customers as of 2024.
- LastPass previously suffered a 2022 breach in which hackers stole the company's encrypted password vaults, later cracking the weakest master passwords offline and enabling several crypto thefts.
Why it matters: With 33 million users and 1.6 million paying customers, LastPass faces its second major breach in three years, this one exposing support ticket data the source notes likely contains credentials or government IDs — compounding trust damage after the 2022 vault theft.




