LastPass is telling customers that their personal information was stolen during a recent hack, and this time the breach wasn’t on its own systems. The company says hackers got in through Klue, a market research firm it works with, and used that access to pull data on LastPass customers. The news comes from an email shared with TechCrunch by an affected customer.
LastPass has more than 33 million users and around 1.6 million paying customers as of 2024. That makes this breach significant even before you factor in the company’s troubled history with security incidents. A company that stores passwords for millions of people is an obvious high-value target, and its customers tend to hold it to a higher standard than most.
According to LastPass, the following customer data was taken in the Klue breach:
- Names
- Phone numbers
- Email addresses
- Physical addresses
- Customer support case data
- Sales-related data
The company says its own infrastructure was not affected, and that customer password vaults remain secure. That distinction matters, but it doesn’t make this incident harmless. Customer support records often contain fragments of sensitive information. People typically contact support when they have billing problems or trouble accessing their accounts, and past breaches involving support tickets have surfaced credentials and government-issued identity documents.
LastPass has not said how many customers are affected. Spokespeople did not respond to TechCrunch’s request for comment before publication.
LastPass is not alone in this. Several other well-known cybersecurity companies have been caught up in the same Klue breach, including HackerOne, Recorded Future, and Tanium. Klue CEO Jason Smith said in a blog post that the company first spotted hackers in its systems on June 12. A group called Icarus has claimed responsibility and is threatening to release the stolen data unless a ransom is paid. Smith has not responded to questions about how many customers are affected or whether the company has been in contact with the attackers.
The wider pattern here is worth noting. Hackers increasingly target vendors and partners rather than attacking major companies head-on. It’s a smarter approach: one breach at a shared supplier can expose dozens of clients at once. The Klue incident is a clear example of how a single point of failure in a company’s supply chain can ripple outward fast.
This is also not the first time LastPass has had to send bad news to its users. In 2022, hackers stole the company’s entire store of encrypted customer password vaults. While the vaults were protected by master passwords only the customer knows, attackers could take those vaults offline and try to crack them using brute force. The weakest master passwords gave way, exposing the secrets stored inside. Several cryptocurrency thefts were later linked back to that incident, with hackers suspected of cracking vaults to steal wallet keys.
That history makes this latest breach land harder than it might for another company. LastPass has spent years trying to rebuild trust, and every new incident, even one that originates elsewhere, adds to a difficult track record. For customers, the practical advice remains the same: use a strong, unique master password, enable multi-factor authentication, and stay alert to phishing attempts that could exploit the personal data now in the hands of attackers.