
Password manager LastPass says hackers stole customer support case data during Klue breach

Password manager LastPass is informing customers that their personal information and customer support case records were stolen during a recent hack at one of its technology partners, marking the company’s latest data breach in recent years.

In an email that an affected customer shared with TechCrunch, LastPass said the breach occurred at market research firm Klue, not on its own systems. However, the hackers abused their access to obtain information about LastPass customers.

LastPass is the latest in a growing list of cybersecurity companies that have reported data theft as a result of the Klue breach, which the company disclosed last week. Other affected companies include HackerOne, Recorded Future, and Tanium.

In a blog post that shared details about the incident, LastPass said the hackers took customer names, phone numbers, email addresses, residential addresses, as well as customer support case details and sales-related data.

LastPass said its own infrastructure, including customers’ passwords, was not affected.

It is not yet known what the customer support tickets contained, although they may contain pieces of potentially confidential or sensitive information. Customers usually contact customer service when they have a payment problem or need help accessing their accounts. Past incidents involving customer support tickets have involved verification letters and government-issued identification.

LastPass spokespeople did not immediately respond to TechCrunch’s request for comment or to questions about the incident, including how many customers were affected.

LastPass has more than 33 million active users and nearly 1.6 million paying customers as of 2024, according to its website.

LastPass previously experienced a data breach in 2022, when hackers stole the company’s entire customer password store, which customers use to store sensitive information such as passwords, tokens, and credit card numbers.

While the vaults were encrypted with passwords known only to the customer, the breach allowed hackers to brute-force vaults with weak master passwords offline, and later access the secrets inside. Several crypto thefts were later linked to LastPass breaches, after hackers were accused of stealing a victim’s wallet keys by cracking their password.

Klue CEO Jason Smith said in a blog post that the company identified hackers in its systems on June 12. The hacker group and Icarus boasted of the breach, and publicly threatened to release the stolen data if a ransom was not paid.

Smith has not responded to TechCrunch’s emails about the incident, including how many customers were affected or if the company had contacted the hackers.
