Password management app LastPass has confirmed that sensitive customer data was stolen in a new security incident.
Exposed data includes customers' names, phone numbers, physical addresses, and email addresses. According to LastPass, the breach originated at Klue, a third-party market intelligence service it has integrated with its own systems. Hackers obtained LastPass OAuth tokens held by Klue and used them to access customer data.
The password manager says it became aware of the incident on June 12 and has since blocked the unauthorized access. “LastPass products, services, and infrastructure were not impacted in any way, and customer vaults remain secure,” it adds.
The latest lapse isn’t as severe as the company’s 2022 breach, in which a hacker obtained copies of customers’ encrypted passwords. LastPass agreed to settle a lawsuit related to that incident by paying $24.5 million to affected customers earlier this year, and anyone who used the app before November 2022 is eligible to file a claim before July 2, 2026.
Following its latest leak, LastPass has asked customers to remain vigilant for possible phishing attempts. "Always exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information," it says. "Please remember that no one at LastPass will ever ask for your master password."