Password manager maker LastPass is notifying customers that their personal information and customer support case files were stolen during a recent hack at one of its technology partners, marking the company’s latest data breach in recent years.
In an email shared with TechCrunch by an affected customer, LastPass said the breach occurred at market research firm Klue, not on its own systems. However, hackers abused their access to obtain reams of data about LastPass customers.
LastPass is the latest in a growing list of cybersecurity companies that have reported data theft as a result of the Klue breach, which the company disclosed last week. Other affected companies include HackerOne, Recorded Future and Tanium.
In a blog post that shared information about the incident, LastPass said hackers took customers’ names, phone numbers, email addresses and physical addresses, as well as customer support case data and sales-related data.
LastPass said the company’s infrastructure was not affected, including customers’ password vaults.
It is not yet known what the customer support case files contained, although they likely contain some potentially private or sensitive information. Customers usually contact customer service when they have a billing problem or need help accessing their accounts. Previous incidents involving customer support tickets have involved credentials and government-issued identification documents.
LastPass representatives did not immediately respond to TechCrunch’s request for comment or questions about the incident, including how many customers are affected.
LastPass has more than 33 million users and about 1.6 million paying customers as of 2024, according to its website.
LastPass previously had a data breach in 2022, in which hackers stole the company’s entire store of customer password vaults, which customers use to store sensitive credentials such as passwords and tokens, as well as other personal information and credit card numbers.
While the vaults were encrypted with master passwords known only to the customer, the breach allowed hackers to brute-force the vaults offline, crack those with the weakest master passwords, and then gain access to the secrets inside. Several later crypto thefts were linked to the LastPass breach, after the hackers were suspected of stealing victims’ wallet keys by cracking their password vaults.
Klue CEO Jason Smith said in a blog post that the company detected hackers in its systems on June 12. A hacking and extortion group called Icarus took credit for the breach and publicly threatened to release the stolen data unless a ransom was paid.
Smith has not responded to TechCrunch’s emails about the incident, including the number of customers affected or whether the company has been in contact with the hackers.
Do you know more about the Klue cyberattack? Are you a company affected by the breach? We would love to hear from you. To contact Zack Whittaker securely, reach out via Signal username zackwhittaker.1337 or via email: zack.whittaker@techcrunch.com.
