
LastPass Hit by Supply Chain Attack via Klue, OAuth Tokens Used to Reach Salesforce Data

Martin Holloway · Published 2w ago · 3 min read · Based on 2 sources

LastPass has confirmed a data breach in which attackers compromised its Salesforce environment by exploiting stolen OAuth tokens obtained through a supply chain attack on Klue, a competitive intelligence platform the password-management company uses internally. LastPass disclosed the incident on its blog on 22 June 2026, with BleepingComputer reporting additional detail on 23 June 2026.

The attack vector follows a now-familiar pattern in enterprise breaches: rather than hitting LastPass directly, the threat actors targeted a third-party vendor, harvested valid OAuth tokens from that environment, and used them to authenticate to LastPass's own Salesforce instance. OAuth access and refresh tokens are bearer credentials: whoever presents one receives the access the integration was granted, with no password or MFA challenge in the way. A stolen token therefore carries the trust of an already-authorised integration, which is precisely what makes it valuable as a pivot point.

Klue sits in the category of SaaS tooling that most mid-to-large enterprises now carry by the dozen: it ingests competitive data and surfaces it for sales and product teams. That kind of tool typically holds deep integrations into a company's CRM stack — Salesforce being the dominant one — which means a compromise at the Klue layer can translate directly into CRM access. LastPass has not publicly specified which categories of customer data were exposed within Salesforce, but a CRM environment for a password-management firm would routinely contain customer account metadata, support history, and contact records.

Worth flagging here: this is the third distinct security incident LastPass has faced in recent years, following the widely documented 2022 breaches in which source code and, later, encrypted customer vault data were exfiltrated. Each event has had a different attack surface — developer environment in 2022, now a third-party SaaS integration — which makes it difficult to characterise this as a single systemic failure. It does, however, extend a pattern that will test customer confidence further at a company whose core product proposition is that it can be trusted with credentials.

The supply chain dimension is what makes this incident structurally interesting beyond LastPass itself. Enterprise security teams have spent the past several years tightening their own perimeters while their SaaS sprawl has grown in the opposite direction. The average enterprise now operates hundreds of SaaS applications, many of them carrying OAuth or API-key integrations into crown-jewel systems like Salesforce. Auditing those integrations — knowing which third-party applications hold live tokens, what scopes those tokens carry, and whether revocation policies are in place — remains genuinely difficult at scale, because the integrations are typically provisioned by individual teams without centralised visibility.

LastPass has stated it is working with Klue and conducting its own investigation. The company has not yet published a full incident timeline, detailed scope of affected records, or confirmation of whether the Salesforce access has been fully revoked and re-secured.

For security practitioners, the immediate action items are predictable: audit active OAuth grants into Salesforce and other CRM or data-warehouse systems, revoke and reissue the tokens held by any vendor that reports a compromise rather than waiting for them to expire, enforce token rotation policies, and verify that third-party integrations are scoped to least privilege (both the OAuth scopes on the connected app and the object and field permissions of the integration user it runs as). The less tractable problem is detection. OAuth token misuse, especially when the token was legitimately issued to a vendor, can be very difficult to distinguish from normal application traffic without fine-grained anomaly detection on the Salesforce event log or equivalent audit trail: the signals that do exist are the integration user's source addresses, the objects it touches, and its request volume, each compared against what the vendor's integration is documented to do.
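The two practitioner problems raised above, inventorying which third-party grants hold live and over-scoped tokens, and telling a vendor token that has been stolen apart from the same token in normal use, can both be reduced to checks against a per-integration baseline. The script below is an added example written for this article; it is not LastPass, Klue or Salesforce code. The grant export and the API-access log are constructed inline and their record layouts are assumptions (the log is modelled loosely on the Salesforce EventLogFile "API" event type, but the values are invented), as are the vendor egress ranges and the hourly row budget in the baseline.

```python
"""Audit OAuth grants into a CRM and flag anomalous use of an integration's token.

Added example for this article; not LastPass, Klue or Salesforce code. The grant
export and the API log below are constructed, and their record shapes are assumed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "current" time for the audit so the example is reproducible offline.
NOW = datetime(2026, 6, 23, tzinfo=timezone.utc)

# Constructed inventory of OAuth grants. Scope names ("api", "refresh_token",
# "full", "web") are Salesforce's; the record layout is an assumption.
GRANTS = [
    {"app": "klue-integration", "user": "klue.api@example.com",
     "scopes": ["api", "refresh_token", "full"], "last_used": "2026-06-20T08:11:00Z"},
    {"app": "billing-sync", "user": "billing.api@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2026-06-21T02:00:00Z"},
    {"app": "old-marketing-tool", "user": "mkt.api@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2025-11-03T10:00:00Z"},
]

# Our own classification: scopes a read-only third-party integration should not
# hold, and how long an unused token may sit before it is treated as abandoned.
OVERBROAD_SCOPES = {"full", "web"}
STALE_AFTER = timedelta(days=90)

# Constructed API-access log, modelled loosely on the Salesforce EventLogFile "API"
# event type. CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED and TIMESTAMP_DERIVED are real
# column names there; USER_NAME is used here for readability. All values are invented.
API_LOG = """TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
2026-06-20T08:11:00Z,klue.api@example.com,203.0.113.10,Opportunity,200
2026-06-20T08:12:00Z,klue.api@example.com,203.0.113.11,Account,180
2026-06-21T03:40:00Z,klue.api@example.com,198.51.100.77,Contact,5000
2026-06-21T03:41:00Z,klue.api@example.com,198.51.100.77,Case,4800
2026-06-21T03:42:00Z,klue.api@example.com,198.51.100.77,Account,2000
"""

# Per-integration-user baseline: the vendor's published egress ranges (assumed),
# the objects its integration is documented to read, and an hourly row budget.
BASELINE = {
    "klue.api@example.com": {
        "egress": [ipaddress.ip_network("203.0.113.0/24")],
        "objects": {"Account", "Opportunity"},
        "rows_per_hour": 1000,
    },
}


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _finding(when, subject, reason, detail=""):
    return {"when": when, "subject": subject, "reason": reason, "detail": detail}


def audit_grants(grants, now=NOW):
    """Flag grants whose scopes exceed what a read-only integration needs and
    grants whose token has not been used within STALE_AFTER."""
    findings = []
    for g in grants:
        overbroad = sorted(set(g["scopes"]) & OVERBROAD_SCOPES)
        if overbroad:
            findings.append(_finding(g["last_used"], g["app"], "overbroad_scope", ",".join(overbroad)))
        idle = now - _ts(g["last_used"])
        if idle > STALE_AFTER:
            findings.append(_finding(g["last_used"], g["app"], "stale_token", f"idle {idle.days} days"))
    return findings


def detect_token_misuse(log_text, baseline):
    """Compare each API event against the integration user's baseline: source IP
    outside the vendor's egress ranges, an object the integration never reads, or
    more rows than its hourly budget (sliding one-hour window per user)."""
    findings = []
    window = defaultdict(list)  # user -> [(timestamp, rows_processed)]
    for rec in csv.DictReader(io.StringIO(log_text)):
        when, user = rec["TIMESTAMP_DERIVED"], rec["USER_NAME"]
        profile = baseline.get(user)
        if profile is None:
            findings.append(_finding(when, user, "unknown_integration_user"))
            continue
        ip = ipaddress.ip_address(rec["CLIENT_IP"])
        if not any(ip in net for net in profile["egress"]):
            findings.append(_finding(when, user, "source_ip_outside_vendor_egress", str(ip)))
        if rec["ENTITY_NAME"] not in profile["objects"]:
            findings.append(_finding(when, user, "unexpected_object", rec["ENTITY_NAME"]))
        ts = _ts(when)
        recent = [(t, r) for t, r in window[user] if ts - t <= timedelta(hours=1)]
        recent.append((ts, int(rec["ROWS_PROCESSED"])))
        window[user] = recent
        total = sum(r for _, r in recent)
        if total > profile["rows_per_hour"]:
            findings.append(_finding(when, user, "row_budget_exceeded", f"{total} rows in 1h"))
    return findings


if __name__ == "__main__":
    for f in audit_grants(GRANTS) + detect_token_misuse(API_LOG, BASELINE):
        print(f"{f['when']} {f['subject']} {f['reason']} {f['detail']}")
```

Run against the constructed data, the audit flags the Klue grant for carrying the `full` scope and the abandoned marketing tool for an idle token, while the detection pass is silent on the vendor's routine daytime reads and fires only on the night-time burst: a source address outside the vendor's ranges, reads of Contact and Case objects the integration has no business with, and a row count far over budget. None of those three signals is conclusive alone (vendors change egress ranges, add features and run backfills), which is why the baseline should be agreed with the vendor and revised deliberately rather than learned silently from traffic.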

LastPass customers — particularly enterprise accounts — should expect further disclosure as the investigation matures. Whether that disclosure will be timely and complete is, given the company's mixed record on incident transparency in 2022, a reasonable question to hold open.