Password manager maker LastPass says hackers stole customer support case data during the Klue hack

Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack of one of its technology partners, marking the latest corporate data breach in recent years.

In an email shared with TechCrunch from one of the affected customers, LastPass said the breach occurred at market research company Klue, not its own systems. However, hackers abused their access to obtain large amounts of data about LastPass customers.

LastPass is the latest in a growing list of cybersecurity companies to report data theft as a result of the Klue hack, which the company revealed last week. Several other companies affected include HackerOne, Recorded Future, and Tanium.

In a blog post sharing information about the incident, LastPass said the hackers took customers’ names, phone numbers, email addresses, and physical addresses, as well as customer support status data and sales-related data.

LastPass said the company’s infrastructure was not affected, including customers’ password vaults.

It is not yet known what was in the contents of customer support tickets, although they likely contain pieces of private or sensitive information. Customers typically contact customer service when they have a billing issue or need help accessing their accounts. Previous incidents involving customer support tickets involved government-issued credentials and identification documents.

LastPass spokespersons did not immediately respond to TechCrunch’s request for comment, or questions about the incident, including the number of customers affected by the incident.

LastPass has more than 33 million users and about 1.6 million paying customers as of 2024, according to its website.

LastPass previously faced a data breach in 2022, in which hackers stole the company’s entire store of customers’ password vaults, which are used to store their sensitive credentials, such as passwords, tokens, and other personal credit card numbers.

Although the vaults were encrypted with master passwords that only the customer knew, the hack allowed hackers to use brute force and hack the vaults offline using the weakest master passwords, thus gaining access to the secrets inside. Several cryptocurrency thefts were later linked to the LastPass hack, after hackers were suspected of stealing the victim’s wallet keys by hacking into their password vault.

Klue CEO Jason Smith said in a blog post that the company identified hackers in its systems on June 12. A hacking and extortion group called Icarus has taken credit for the hack, and publicly threatened to release the stolen data if a ransom was not paid.

Smith did not respond to TechCrunch’s emails about the incident, including how many customers were affected or whether the company has been in contact with the hackers.