LastPass confirms another customer data breach. Developers react: “Again?”

LastPass confirmed attackers accessed customer names, contact details, and CRM records after compromising Klue, a third-party sales intelligence tool. The vault is safe. Developers don't care.
[Image: LastPass breach headline beside its logo, an open-lock warning and an OAuth access flow, with the Invide logo at the bottom.]

On June 23, 2026, LastPass confirmed that an attacker accessed customer data in its Salesforce environment after compromising Klue, a third-party market intelligence service used by the password manager's go-to-market teams.

According to LastPass's incident report, the company learned about the incident on June 12, 2026. The attacker obtained OAuth tokens held by Klue for many customers and used the LastPass token to access data stored in Salesforce.

The exposed information may include customer names, phone numbers, email and physical addresses, support case data, and sales-related CRM records. LastPass says its products, services and infrastructure were not affected. It also says customer vaults remain secure and that there is no evidence the attacker accessed data from Gong, another service connected to Klue.

So this is a real LastPass data breach, but not a repeat of the 2022 vault theft. That distinction matters technically. Judging by the response on developer forums, it matters much less to LastPass's remaining reputation.

The breach came through a trusted OAuth integration

Klue connects to systems such as Salesforce and Gong so sales and marketing teams can work with customer and market data. That connection relied on OAuth tokens, which let the service access approved systems without repeatedly asking for a password.

Klue's own incident update says the attacker entered through a compromised legacy credential associated with an integration service. According to a timeline published by Huntress, the attacker then pushed malicious code into Klue's backend to collect OAuth tokens for connected services. Those tokens were used to query customer systems and copy data. Klue says it later removed the unauthorized code.

The Icarus extortion group claimed responsibility. It is a relatively new name, active since late April 2026, but the Klue compromise gave it a route into the connected environments of many companies. A partial list of reported victims includes HackerOne, Recorded Future, Tanium, Gong, Jamf, Snyk, OneTrust, Sprout Social and Huntress. BleepingComputer has also reported Insurity among the affected organizations.

Salesforce also disabled the connection between its platform and the Klue Battlecards app after detecting unusual activity. Salesforce said the incident originated in the Klue app connection rather than a vulnerability in Salesforce itself.

LastPass has discontinued employee access to Klue, rotated the exposed tokens, contacted law enforcement and worked with Klue and Salesforce on the investigation.

For affected customers, the immediate risk is phishing rather than password decryption. Support cases and CRM records can give an attacker enough context to write a convincing email or make a believable support call. LastPass says it will never ask for a master password and warns customers to treat unsolicited messages carefully.

Developers responded with exhaustion, migration stories and one important correction

The story reached Hacker News on June 23 and drew a modest discussion. The larger reaction appeared in an r/Bitwarden thread, which had more than 300 votes and 50 comments within its first day.

The dominant response was not a technical argument about OAuth. It was a weary sense that LastPass had appeared in another breach headline.

u/PM_ME__YOUR__MILKERS commented on Reddit: “(again)”

That one-word comment became the most upvoted response in the thread. Another highly rated comment described the business consequence of the 2022 incident.

u/970KeW commented on Reddit: “Oh wow, again. We switched our business to Bitwarden after the second one in 2022.”

On Hacker News, the reaction was similarly blunt and focused on migration rather than remediation.

suprjami commented on Hacker News: “It’s called LastPass because it should be the last choice when selecting a password manager.”

Another highly rated comment focused on the irony of a credential-security company appearing in another story involving stolen access tokens.

u/Mondo-Shawan commented on Reddit: “A company who keeps people's access credentials secure can't keep thier [sic] own access credentials secure.”

The wording is not quite accurate: the credentials were OAuth tokens held by Klue, rather than LastPass employee passwords. A commenter in a separate r/technology thread made that distinction directly:

u/raunchyfartbomb commented on Reddit: “Klue was the initial target. The stolen token then provided access to LastPass's Salesforce data.”

This was not evidence that LastPass's vault encryption had failed.

LastPass now has a trust problem larger than this incident

The 2022 breach changed how developers interpret any new LastPass security story. In that incident, attackers stole backups of customer vaults along with other account information. The company was also criticised for how slowly the full scope became clear.

The damage did not stop when the breach was disclosed. Because the stolen vaults could be attacked offline, vaults protected by weak master passwords remained exposed to cracking attempts for years. TRM Labs traced more than $35 million across a campaign of wallet drains during 2024 and 2025, and said that was probably only part of the total.

A separate case was much larger. In January 2024, attackers stole $150 million from a crypto wallet belonging to Ripple co-founder Chris Larsen. A federal forfeiture filing reported in March 2025 linked that heist to private keys recovered from a password-manager vault stolen in 2022. Investigators subsequently seized more than $23 million of the stolen cryptocurrency. That history explains why many developers read a narrower third-party incident as part of the same trust problem.

The Klue incident is narrower. It affected business contact, support and CRM data through a third-party integration. But users do not evaluate each breach in isolation, especially when deciding where to store credentials for production systems, cloud accounts and source-code repositories.

That is why the developer reaction matters here. Several commenters did not discuss whether LastPass rotated the right tokens or whether Klue should have held them differently. They discussed when they left, which password manager replaced it, and why they would not return.

For engineering teams, the incident is also a reminder that SaaS integrations become part of the security boundary. An OAuth token granted to a sales tool may reach support cases containing technical details, customer identities or information useful for impersonation. Teams should review which third-party apps can access CRM and support systems, reduce token scopes where possible, remove unused integrations and monitor API activity for unusual exports.
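As an added illustration of that review, here is a small Python audit over a constructed inventory of third-party OAuth integrations; it is not code from LastPass, Klue, Salesforce or this article, and the scope names, object names and thresholds are assumptions modelled on a generic CRM rather than any vendor's real API:

```python
"""Audit third-party OAuth integrations connected to a CRM.

Constructed example: the inventory below is invented. A real run would
pull connected-app records and API event counts from the CRM's admin
or event-log interfaces instead of the SAMPLE list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ConnectedApp:
    name: str
    scopes: set          # OAuth scopes granted to the app's token (assumed names)
    objects: set         # CRM objects the token has actually queried
    last_used: datetime  # last API call made with this token
    exported_24h: int    # rows returned to the app in the last 24 hours
    baseline_24h: int    # typical daily row count for this app


BROAD_SCOPES = {"full"}        # assumed: a scope granting everything the user can do
SENSITIVE_OBJECTS = {"Case"}   # support tickets: free text, secrets pasted by users


def audit(apps, now, stale_days=30, spike_factor=10):
    """Return {app name: [findings]} for integrations that need action."""
    findings = {}
    for app in apps:
        issues = []
        if app.scopes & BROAD_SCOPES:
            issues.append("over-scoped: token carries a broad scope")
        if app.objects & SENSITIVE_OBJECTS:
            issues.append("reaches support case data")
        if now - app.last_used > timedelta(days=stale_days):
            issues.append("unused: candidate for removal")
        if app.exported_24h > spike_factor * max(app.baseline_24h, 1):
            issues.append(f"export spike: {app.exported_24h} rows vs {app.baseline_24h} baseline")
        if issues:
            findings[app.name] = issues
    return findings


NOW = datetime(2026, 6, 12)  # constructed audit timestamp
SAMPLE = [  # constructed inventory, not real integrations
    ConnectedApp("market-intel-tool", {"api", "refresh_token", "full"},
                 {"Account", "Contact", "Case"}, NOW - timedelta(hours=2), 48000, 400),
    ConnectedApp("billing-sync", {"api", "refresh_token"},
                 {"Account"}, NOW - timedelta(hours=6), 350, 300),
    ConnectedApp("old-webinar-app", {"api"},
                 {"Contact"}, NOW - timedelta(days=90), 0, 50),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, NOW).items():
        print(name, "->", "; ".join(issues))
```

The export-spike check is the one that would have mattered most here: a sales tool suddenly pulling tens of thousands of rows is visible in API logs long before a vendor's incident report arrives.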

Credentials, API keys and recovery secrets should not be placed in support tickets. Once support data is copied into a CRM or shared with another integration, it may travel through a much larger system than the user who opened the ticket can see.

LastPass says the vault remained secure this time. The difficult part is that many developers stopped giving the company the benefit of “this time” years ago.