LastPass, the popular password manager, has suffered yet another data breach, this time through a vulnerability in its AI partner Klue. The incident, disclosed this week, exposed sensitive information of millions of subscribers, including names, phone numbers, email addresses, and support case data. While LastPass emphasized that the breach did not originate from its own systems, the risks are tangible: the exposed details could fuel targeted phishing campaigns.
Attack via Partner Klue: Stolen Access Tokens Compromise Salesforce Systems
The breach originated from Klue, an AI business intelligence platform. Attackers compromised Klue's access tokens and used them to harvest data from Salesforce and other integrated platforms. LastPass, as a Klue customer, saw its data exposed. This incident highlights the growing risk posed by supply chain compromise: a vendor's stolen tokens are enough to reach a customer's data without touching the customer's own systems. It is not the first time LastPass has faced a data leak; previous incidents raised concerns about vault protection. In this case, however, encrypted vaults remained untouched.
Exposed Data: Names, Addresses, and Phone Numbers Fuel Phishing
The stolen data includes personal information and support details, but not master passwords or vault contents. LastPass advised users to be vigilant against phishing attempts, unsolicited calls, or emails. The company warned that attackers might use the leaked details to impersonate support staff and trick victims into revealing sensitive credentials. This event is part of a broader trend of attacks exploiting third-party integrations, a pressing issue also in Europe, where new API restrictions have impacted Italian SMEs.
The Broader Cybersecurity Landscape in 2026
This breach is not an isolated case. The same week, Europol and Microsoft dismantled the infrastructure of the Amadey and StealC infostealers, recovering millions of stolen credentials. In Australia, intelligence agency ASIO discovered state hackers inside a critical infrastructure provider, ready to sabotage systems. These events underscore the need for constant vigilance, both for individual users and businesses. To learn more about how digital security restrictions affect businesses, read the article on OpenAI's new API restrictions in Europe.
To stay safe, experts recommend enabling two-factor authentication on password managers, avoiding suspicious links, and verifying official communications. LastPass is cooperating with law enforcement to identify the perpetrators, but the lesson is clear: no service is immune to indirect breaches. Trust in digital platforms must be accompanied by constant risk awareness.
Source: https://www.wired.com/story/security-news-this-week-lastpass-users-had-their-data-stolen-again