Klue Supply Chain Breach Compromises LastPass Data

Diagram illustrating the Klue supply chain breach and compromised Salesforce OAuth tokens
  • Target/Victims: Klue, LastPass, Huntress, ReliaQuest, Recorded Future, and others.
  • Delivery Vector: Compromised integration service credentials from 2022.
  • Key Capabilities: Unauthorized Salesforce CRM access via stolen OAuth tokens.
  • Threat Actor: Icarus ransomware group (Suspected).
  • Source: Klue, LastPass, and affected security vendors.

A sophisticated breach targeting the market intelligence platform Klue resulted in the unauthorized exposure of LastPass customer data. LastPass is currently notifying its user base about the leak, which covers personal information, customer support transcripts, and sales-related materials. The perpetrators acquired client names, telephone numbers, and both physical and e-mail addresses.

The Mechanics of the Klue Supply Chain Incident

On June 12, LastPass discovered a critical incident involving a third-party contractor. The company’s sales and marketing divisions used this contractor’s platform alongside Salesforce and Gong. The attackers extracted OAuth tokens that Klue had stored on behalf of its customers and then used those tokens to access LastPass data held in Salesforce. An OAuth token grants a connected service standing access to corporate systems without a repeated password exchange, so a stolen token remains usable until it is revoked. You can review the complete Klue supply chain incident and LastPass response for further technical context.

Isolating the Exposure and Remediation

Fortunately, the exposure was confined to services directly integrated with Klue. The core LastPass password vaults, internal infrastructure, and primary products were untouched. Forensic investigation also found no unauthorized access to data originating from Gong. In response, LastPass immediately severed employee access to Klue and rotated all compromised API tokens. It also conducted joint audits with Klue and Salesforce while alerting law enforcement agencies. The company has declared remediation complete, having replaced every compromised OAuth token.


Origins of the Breach: Dormant Credentials

Klue initially detected the unauthorized network activity on June 12. Investigators determined that the attackers entered the corporate infrastructure using stale credentials tied to a legacy integration service. Klue had provisioned this access to an external contractor back in 2022 for a restricted pilot project. However, Klue has not disclosed the pilot’s purpose, its duration, or the contractor’s identity, nor has it explained why these highly privileged credentials remained active long after the project concluded.

At this point, the precise nature of the compromised credentials remains unclear: it is not known whether the attackers obtained employee login combinations, access keys, or some other credential type. Klue has also declined to say whether the breach originated in its own systems or in the external contractor’s environment. The company says it is now reviewing its credential management protocols, vendor access controls, monitoring tooling, and service deployment procedures.

Widespread Impact Across the Security Industry

The Klue intrusion affected numerous prominent organizations, including Huntress, ReliaQuest, Recorded Future, Jamf, and Tanium. Sprout Social, Gong, and Insurity also publicly reported data thefts. The attackers exfiltrated business contacts, commercial proposals, client correspondence, and various CRM records directly from Salesforce. Huntress, for its part, confirmed it found no evidence of access to its proprietary threat intelligence, passwords, billing information, or core engineering systems.

Automated Exploitation and Data Exfiltration

ReliaQuest security analysts observed automated scripts running for nearly 24 hours. Within one client environment, the malicious program sent approximately one thousand requests to Salesforce in just 15 minutes. Salesforce consequently cut off the Klue Battlecards integration and stressed that the data exposure came exclusively through the Klue connection, not from any vulnerability in the Salesforce platform itself.
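The two signals the reporting describes, a 2022 integration credential that had sat idle and then suddenly became active, and roughly a thousand Salesforce requests from one connected app in 15 minutes, can both be caught by simple rate and dormancy checks over connected-app event logs. Below is an added example (not code from the article, LastPass, Klue, or Salesforce) that runs such checks over a constructed, Salesforce-style event stream; the log format, app and user names, thresholds, and token inventory are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)   # matches the 15-minute window in the report
BURST_THRESHOLD = 300                  # assumed per-app request ceiling per window
DORMANT_DAYS = 180                     # assumed: idle this long, then active, is suspicious

def parse_event(line):
    """Parse a constructed 'ISO-timestamp,connected_app,user,action' line."""
    ts, app, user, action = line.strip().split(",")
    return datetime.fromisoformat(ts), app, user, action

def build_sample():
    """Constructed log: hourly calls from a healthy app plus a 1000-request burst in 15 min."""
    t0 = datetime.fromisoformat("2025-06-12T00:00:00+00:00")
    lines = [f"{(t0 + timedelta(hours=h)).isoformat()},GongSync,svc-gong@corp.example,QUERY"
             for h in range(24)]
    start = t0 + timedelta(hours=3)
    lines += [f"{(start + timedelta(seconds=i * 0.9)).isoformat()},LegacyPilotApp,svc-pilot@corp.example,QUERY"
              for i in range(1000)]
    return lines

def detect_bursts(lines, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window request count per app; returns {app: peak} where peak >= threshold."""
    by_app = defaultdict(list)
    for line in lines:
        ts, app, _, _ = parse_event(line)
        by_app[app].append(ts)
    flagged = {}
    for app, stamps in by_app.items():
        stamps.sort()
        peak = left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:   # drop events older than the window
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[app] = peak
    return flagged

def detect_dormant_reactivation(lines, token_inventory, dormant_days=DORMANT_DAYS):
    """Flag apps whose token was idle for dormant_days before its first event; {app: idle days}."""
    first_seen = {}
    for line in lines:
        ts, app, _, _ = parse_event(line)
        first_seen[app] = min(ts, first_seen.get(app, ts))
    return {app: (first_seen[app] - last).days for app, last in token_inventory.items()
            if app in first_seen and first_seen[app] - last > timedelta(days=dormant_days)}

# Constructed inventory: last known use of each integration's token before the stream.
TOKEN_INVENTORY = {
    "GongSync": datetime.fromisoformat("2025-06-11T23:00:00+00:00"),
    "LegacyPilotApp": datetime.fromisoformat("2022-09-30T12:00:00+00:00"),  # 2022 pilot
}
```

In a real deployment the inventory would come from the identity provider's or Salesforce's connected-app records, and a token that trips the dormancy check is a candidate for revocation whether or not it ever bursts.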

The precise contents of the exposed LastPass support transcripts remain unknown, but such communications frequently contain sensitive personal details, since users routinely contact support about billing anomalies, account recovery, and other account-related matters. LastPass has therefore warned its customers to expect phishing emails, fraudulent telephone calls, and social engineering attempts that leverage the stolen contact information. The company reiterated that legitimate support personnel will never request a user’s master password.

Attribution and Extortion Tactics

To assist in monitoring this ongoing attack, LastPass published several indicators of compromise. These include the IP addresses 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, and 159.183.181[.]239, alongside sender domains such as baccarat.com[.]au, robinskitchen.com[.]au, and house.com[.]au. The Icarus ransomware syndicate publicly claimed responsibility for the Klue breach. They are currently demanding an extortion payment, explicitly threatening to publish the stolen materials. Klue has not stated whether they communicated with the extortionists or intend to capitulate to their demands.

For LastPass, this incident is the latest in a series of major data breaches in recent years. In 2022, hackers exfiltrated an extensive archive containing encrypted customer password vaults. Although master passwords protected these vaults, weak master passwords allowed attackers to brute-force some of them offline. Analysts subsequently linked several cryptocurrency thefts to that breach, presumably because attackers recovered wallet keys after decrypting the stolen vaults. According to official 2024 data, LastPass served over 33 million individuals, with approximately 1.6 million premium subscribers.
