Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack at one of its technology partners, the latest data breach to affect the company in recent years. The breach occurred at market research firm Klue, not in LastPass's own systems, according to an email that an affected customer shared with TechCrunch.
Details of the data theft: what was compromised
LastPass disclosed in a blog post that hackers accessed customers' names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related information. The company emphasized that its own infrastructure, including customers' password vaults, remained unaffected. However, the contents of support tickets may contain fragments of sensitive information, such as credentials or government-issued IDs submitted for billing or account access issues.
The attack is attributed to a hacking and extortion group called Icarus, which has taken credit and threatened to release the stolen data if a ransom is not paid. Klue CEO Jason Smith stated that hackers were identified in the company's systems on June 12, but has not responded to inquiries about the number of affected customers or contact with the hackers.
Impact on LastPass users and reputation
With over 33 million users and about 1.6 million paying customers as of 2024, the potential impact is significant. Although password vaults remain encrypted, the exposure of personal and support data increases the risk of targeted phishing attacks. Users are advised to be cautious of suspicious emails or calls referencing this incident.
LastPass joins a growing list of cybersecurity companies that have suffered data thefts from the Klue breach, including HackerOne, Recorded Future, and Tanium. This incident highlights supply chain security vulnerabilities in the tech industry.
Security history of LastPass
This is not LastPass's first data breach. In 2022, hackers stole the company's entire store of customer password vaults. While vaults were encrypted with master passwords known only to customers, the breach allowed offline brute-forcing of weak master passwords, leading to cryptocurrency thefts. The current incident does not involve vaults but underscores risks from third-party partners.
What LastPass customers should do
LastPass recommends remaining vigilant against phishing attempts and not sharing passwords or sensitive data. If you have contacted support in the past, watch for communications that might use stolen data. Changing your master password and enabling two-factor authentication are advised.