LastPass Hacked Through a Software Partner: What You Need to Know

LastPass, the popular password manager, has disclosed a data breach in which hackers accessed customer information stored in Salesforce, a widely used business software platform. The hackers didn't attack LastPass directly. Instead, they compromised Klue, a separate company whose software LastPass uses internally, and stole access credentials from that platform. LastPass announced the breach on its blog on 22 June 2026, with more details reported by BleepingComputer.

How the Attack Happened

The hackers used a technique that has become common: they found a weak point not in LastPass itself, but in one of the companies it does business with. Klue is software that helps sales teams track what competitors are doing. When Klue connects to Salesforce (where LastPass stores customer data), it uses digital access tokens — think of them as temporary electronic keys that let one system talk to another. The hackers stole those keys from Klue, then used them to unlock LastPass's Salesforce environment.
Once inside Salesforce, the hackers could access customer account information, support records, and contact details. They didn't have to guess passwords because they held legitimate access keys that were meant for Klue.

Why This Matters

Most businesses today use dozens or hundreds of different software tools, each one connected to others through access credentials. Every connection is a potential weak point. LastPass has now experienced three separate security incidents in recent years — the most famous was in 2022, when hackers stole encrypted password data and source code. Each attack came through a different route, which suggests the company has ongoing challenges with how it secures its systems and the connections between them.
The bigger picture is that nearly all companies face this problem. They use many third-party software tools, but most don't have a clear picture of which ones hold access credentials and what those credentials can do. When hackers find one weak link, they can use it to reach more valuable targets.

What Happens Now

LastPass says it is investigating the breach together with Klue. The company has not yet released a full timeline of what happened or confirmed that all unauthorized access to Salesforce has been blocked.
For anyone using LastPass, especially businesses, the responsible move is to stay alert for further information from the company as the investigation continues. LastPass has been criticized in the past for not being fully transparent about earlier breaches, so waiting to see how the company handles disclosure this time is reasonable.

