Password manager maker LastPass is notifying its customers that their personal information and customer support case records were stolen during a recent attack on one of its technology partners, marking the company’s latest data breach in recent years.
In an email shared with TechCrunch by an affected customer, LastPass said the breach occurred at market research firm Klue, and not its own systems. However, hackers abused their access to obtain a large amount of data on LastPass customers.
LastPass is the latest in a growing list of cybersecurity companies that have reported data thefts as a result of the Klue breach, which the company disclosed last week. Various others Affected companies include HackerOne, Recorded Future and Tanium..
In a blog post which shared information about the incident, LastPass said hackers took customers’ names, phone numbers, email addresses, and physical addresses, as well as customer service case data and sales-related data.
LastPass said the company’s own infrastructure was not affected, including customer password vaults.
It is not yet known what was in the contents of the customer support tickets, although it is likely that they contain fragments of potentially private or confidential information. Customers often contact customer service when they have a billing issue or need help accessing their accounts. Previous incidents involving customer support tickets have included credentials and government-issued ID cards.
Spokespeople for LastPass did not immediately respond to TechCrunch’s request for comment or questions about the incident, including how many customers are affected by the incident.
LastPass has more than 33 million users and about 1.6 million paying customers in 2024, according to its website.
last pass previously experienced a data breach in 2022in which hackers stole the company’s entire customer password vault store, which is used to store their sensitive credentials such as passwords, tokens, and other personal and credit card numbers.
While the vaults were encrypted with master passwords that only the customer knew, the breach allowed hackers to brute force and decrypt the vaults offline with the weaker master passwords and subsequently access the secrets they contained. Subsequently, several cryptocurrency thefts occurred. linked to LastPass breachafter hackers were suspected of stealing the victim’s wallet keys by cracking his password vault.
Jason Smith, CEO of Klue, said in a blog post that the company identified the hackers in their systems on June 12. A hacking and extortion group called Icarus took credit for the breach and publicly threatened to reveal the stolen data if a ransom is not paid.
Smith did not respond to emails from TechCrunch about the incident, including how many customers were affected or whether the company has been in contact with the hackers.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
