Slashdot

LastPass Says Hackers Stole Customer Support Case Data During Klue Breach

LastPass says hackers stole customers' personal information, support case records, and sales data by breaching market research partner Klue. The password manager told TechCrunch that its own systems and password vaults were unaffected. However, the hackers used their access to Klue's systems to obtain "reams of data about LastPass customers," the report says.

Data Stolen

In a blog post that shared information about the incident, LastPass said the hackers took customers' names, phone numbers, email addresses, and physical addresses, as well as customer support case data and sales-related data.

It is not yet known what the stolen support tickets contained, but they likely include fragments of private or sensitive information: customers typically contact support when they have a billing problem or cannot get into their accounts. Past incidents involving customer support tickets have exposed credentials and government-issued identity documents.
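The risk described above is concrete enough to check for mechanically. Below is an added example, not code from LastPass, Klue or TechCrunch, of the control a practitioner would want in front of any export of support-case data to a partner: an allow-list of the fields the partner actually needs, plus a scrubber that redacts credential-like strings, contact details, government-ID numbers and Luhn-valid card numbers from free-text summaries. The field names, detector patterns and the sample ticket are assumptions constructed for illustration.

```python
"""Scrub support-case records before they leave the company.

Added example, not code from LastPass, Klue or TechCrunch. Field names,
detector patterns and the sample ticket are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Detectors for the kinds of data the article warns may sit in support
# tickets. Each entry is (kind, compiled pattern). Assumed patterns; a
# production scrubber would tune them against real ticket corpora.
DETECTORS = [
    # "master password is Tr0ub4dor&3", "pwd: hunter2" (but not "password isn't")
    ("credential", re.compile(
        r"\b(?:master\s+)?(?:password|passphrase|passwd|pwd)\b\s*(?:is\b|:|=)\s*"
        r"(?!(?:not|wrong|incorrect|invalid|reset)\b)\S+", re.I)),
    # "api key: ..." / "token=..." followed by a long opaque string
    ("token", re.compile(
        r"\b(?:api[_ -]?key|token|secret)\b\s*(?:is\b|:|=)\s*[A-Za-z0-9_\-./+=]{16,}", re.I)),
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    # North American phone layouts: 555-010-0199, (555) 010-0199, +1 555 ...
    ("phone", re.compile(
        r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    # US SSN layout, or a passport/licence/ID label followed within 20 chars by
    # an alphanumeric number that contains at least one digit
    ("govt_id", re.compile(
        r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"
        r"|\b(?:passport|driver'?s?\s+licen[cs]e|national\s+id)\b[^\n]{0,20}?"
        r"\b(?=[A-Za-z0-9]*\d)[A-Za-z0-9]{6,12}\b", re.I)),
    # 13-19 digit runs with optional spaces/dashes; confirmed with Luhn below
    ("card", re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int


def scan_text(text: str) -> list[Finding]:
    """Return every sensitive span found in free text, ordered by position."""
    findings = []
    for kind, rx in DETECTORS:
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # long digit run that is not a card number
            findings.append(Finding(kind, m.start(), m.end()))
    # Longest match first at the same offset, so overlaps resolve predictably
    return sorted(findings, key=lambda f: (f.start, -f.end))


def redact_text(text: str) -> tuple[str, dict[str, int]]:
    """Replace each finding with a typed placeholder; return text and counts."""
    out, counts, pos = [], {}, 0
    for f in scan_text(text):
        if f.start < pos:
            continue  # nested inside an earlier, longer match
        out.append(text[pos:f.start])
        out.append(f"[REDACTED:{f.kind}]")
        counts[f.kind] = counts.get(f.kind, 0) + 1
        pos = f.end
    out.append(text[pos:])
    return "".join(out), counts


# What a market-research partner plausibly needs from a support case; every
# other field (name, email, phone, address) never leaves. Assumed field names.
EXPORT_FIELDS = ("case_id", "product", "category", "opened_at", "resolved")


def prepare_for_partner(case: dict) -> dict:
    """Minimise a support case to the allow-listed fields, scrubbing free text."""
    shared = {k: case[k] for k in EXPORT_FIELDS if k in case}
    if "summary" in case:
        shared["summary"], shared["redactions"] = redact_text(case["summary"])
    return shared


# Constructed sample case; no real customer data.
SAMPLE_CASE = {
    "case_id": "C-1001",
    "customer_name": "Jane Example",
    "email": "jane@example.com",
    "phone": "(555) 010-0199",
    "address": "12 Example Street",
    "product": "Premium",
    "category": "account access",
    "opened_at": "2026-01-10",
    "resolved": True,
    "summary": (
        "Customer cannot log in. She wrote: my master password is Tr0ub4dor&3 "
        "and my recovery email is jane@example.com. Call me at (555) 010-0199. "
        "For ID verification she typed passport no. X1234567. "
        "Billing card on file 4111 1111 1111 1111, SSN 123-45-6789."
    ),
}

if __name__ == "__main__":
    import json
    print(json.dumps(prepare_for_partner(SAMPLE_CASE), indent=2))
```

The allow-list does the heavier lifting: a regex scrubber is a backstop for free text, not a substitute for never exporting the contact fields in the first place. The typed placeholders keep a count of what was removed per case, so an export can be audited afterwards to show what a partner was and was not given.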

Previous Breach

The last data breach LastPass reported was in 2022, when hackers stole the company's entire store of customer password vaults.

Community Reaction

  • "The expression 'when you have sex with someone, you're having sex with every one of their partners as well' appears to apply to security software providers as well."
  • "I think at this point it's safe to presume that any information shared with LastPass has been compromised or will be compromised shortly. Part of that is because they're incompetent, but most of it is because there's no way for any operation to do what they've set out to do: the threat model is completely against them. What they've built is one-stop shopping for attackers, so it's worth much more time, money, attention, and risk than many other operations. Obviously attackers know this and have planned/executed accordingly. The right thing to do -- which won't happen because almost nobody does the right thing -- is to admit failure, issue refunds, and shut down."
  • "There are roughly five publicly disclosed security incidents (how many not publicly disclosed?): 2011, 2015, 2016, 2017, 2022-2023, and now you can add 2026 to the list."
  • "This makes the 6th data breach they have had."
  • "The problem now seems to be that the company committing mass digital molestation, which should not have had anything stored, was hacked, so what does it really say about LastPass? They're admitting they did not store the data using any form of acceptable security, and they've already surrendered password vaults, so will people jump ship now? Security and privacy claims are useless if you constantly demonstrate that your entire security understanding is putting the wallet inside the shoe when you're at the beach."
