UpTrajectory Review

LastPass has recently reported a security breach at Klue, a third-party market intelligence platform that integrates with its Salesforce environment. This incident matters to small business owners who rely on LastPass for password management, because customer contact and support data may have been exposed. The breach involved unauthorized access to OAuth tokens that Klue held on behalf of its customers; the attackers used those tokens to read customer records in LastPass' Salesforce environment.

For small business operators, this breach is a reminder of the risk that comes with third-party integrations: a vendor holding a long-lived OAuth token for your CRM or support system is an extension of your attack surface, and a compromise there exposes your data even when your own systems are untouched. While LastPass states that its core products and customer vaults remain secure, the exposure of names, contact details, and support case data is enough to fuel targeted phishing and can have serious implications for trust and reputation. Business owners should inventory which third-party apps hold OAuth access to their customer systems, revoke grants that are no longer needed, and review their cybersecurity protocols with those integrations in mind.

“LastPass confirmed the hackers were able to steal sensitive customer data such as 'names, phone numbers, email addresses, physical addresses, as well as support case data and sales-related data' from Klue.” — Fast Company

Takeaway: Review your cybersecurity measures and know which third-party services hold access tokens to your customer data; a breach at one of them is a breach of your data.

From the original item — Fast Company:

LastPass, a password manager maker, is informing customers of a recent security breach at third-party market intelligence platform Klue, and how it impacts its customers, according to a recent blog post.

A subsidiary of Boston-based LogMeIn, LastPass, which creates and stores complex passwords in encrypted wallets, is one of several cybersecurity companies affected by the Klue hack, which includes Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium, per TechCrunch.

Here’s what to know.

What happened?

On June 12, Klue informed LastPass of the data breach, and upon immediately launching an investigation, learned that “an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.” 

Klue’s platform integrates with both Salesforce and Gong systems.

The hackers used these credentials to access LastPass customer data “within [its] Salesforce environment . . . and the exposed Klue OAuth tokens have since been rotated.” (Salesforce databases can be a target for hackers because many companies store customer information there, according to TechCrunch.)

LastPass confirmed the hackers were able to steal sensitive customer data such as “names, phone numbers, email addresses, physical addresses, as well as support case data and sales-related data” from Klue.

However, “LastPass products, services, and infrastructure were not impacted in any way, and customer vaults remain secure,” it says.

Fast Company has reached out to LastPass for additional information.

The incident comes just four years after LastPass’ previous data breach. In 2022, hackers stole its customers’ encrypted passwords, which resulted in a $24.5 million payout to those affected, per PCMag.

What LastPass customers can do

LastPass recommends customers remain vigilant of potential phishing attacks or social engineering attempts, which could leverage exposed contact details. It also recommends always exercising caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information.

The company also shared the following IP addresses and email sender domains associated with the attack:

IP addresses: 

  • 138.226.246[.]94 
  • 94.154.32[.]160 
  • 159.183.215[.]61 
  • 159.183.181[.]239

Email sender domains: 

  • baccarat.com[.]au 
  • robinskitchen.com[.]au 
  • house.com[.]au
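The indicators above are published defanged (with "[.]" in place of dots) so they cannot be clicked by accident. To actually use them, a practitioner refangs them and matches them against mail and web server logs. The following is an added example, not code from LastPass or Fast Company: it takes the four IP addresses and three sender domains listed above, refangs them, and scans a set of constructed Postfix-style log lines (sample data invented for this example, not real traffic). It treats a sender domain as a hit when it equals a listed domain or is a subdomain of one, and it deliberately does not match look-alike names such as `warehouse.com.au` against `house.com.au`.

```python
import ipaddress
import re

# Indicators as published in the article above, still defanged.
IOC_IPS_DEFANGED = [
    "138.226.246[.]94",
    "94.154.32[.]160",
    "159.183.215[.]61",
    "159.183.181[.]239",
]
IOC_DOMAINS_DEFANGED = [
    "baccarat.com[.]au",
    "robinskitchen.com[.]au",
    "house.com[.]au",
]


def refang(indicator: str) -> str:
    """Undo common defanging ("[.]", "(.)", "hxxp") so the value can be compared."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxp", "http")
        .lower()
    )


# Parse once so comparisons are exact (ip_address normalises e.g. leading zeros away).
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}
IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Dotted-quad candidates; anything that is not a valid IPv4 address is discarded below.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Sender addresses of the form local@domain.tld; only the domain is captured.
EMAIL_DOMAIN_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def domain_matches(domain: str) -> bool:
    """True for an exact listed domain or any subdomain of it (mail.house.com.au),
    but not for a look-alike that merely ends in the same letters (warehouse.com.au)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line: str) -> list:
    """Return the IOC hits found in one log line, as 'ip:...' / 'domain:...' strings."""
    hits = []
    for candidate in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if ip in IOC_IPS:
            hits.append(f"ip:{ip}")
    for domain in EMAIL_DOMAIN_RE.findall(line):
        if domain_matches(domain):
            hits.append(f"domain:{domain.lower()}")
    return hits


def scan_log(lines) -> list:
    """Return (line_number, line, hits) for every line with at least one hit."""
    return [(n, ln, h) for n, ln in enumerate(lines, 1) if (h := scan_line(ln))]


# Constructed sample log lines in a Postfix-like format (invented for this example).
SAMPLE_LOG = [
    "Jun 14 09:12:01 mx1 postfix/smtpd[2211]: connect from unknown[203.0.113.7]",
    "Jun 14 09:12:03 mx1 postfix/qmgr[2214]: 4F1A2: from=<billing@robinskitchen.com.au>, size=18322",
    "Jun 14 09:13:44 mx1 postfix/smtpd[2211]: connect from unknown[159.183.215.61]",
    "Jun 14 09:13:45 mx1 postfix/qmgr[2214]: 4F1B9: from=<support@mail.house.com.au>, size=9011",
    "Jun 14 09:20:10 mx1 postfix/qmgr[2214]: 4F1C0: from=<newsletter@example.org>, size=4410",
    "Jun 14 09:21:00 mx1 postfix/smtpd[2211]: connect from unknown[159.183.215.6]",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Run against the sample, lines 2, 3 and 4 are flagged; the partial address `159.183.215.6` on the last line is not, because matching is done on parsed addresses rather than on substrings. When applying this to real mail logs, remember that the sender domain in a From header is trivially spoofable; check the envelope sender and the connecting IP in the Received chain as well, and treat a hit as a lead to investigate rather than proof on its own.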

Customers who have additional questions can contact support.lastpass.com or securitydisclosure@lastpass.com.

Read the full article at Fast Company →