HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

LastPass Vendor Breach Exposes Customer Contact and Support Data via Stolen Klue OAuth Tokens

LastPass disclosed that attackers compromised OAuth tokens from its vendor Klue, gaining unauthorized access to its Salesforce CRM and extracting customer contact and support information. The incident underscores the importance of robust third‑party risk management and continuous monitoring of vendor access for SOC 2 compliance.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 techrepublic.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
techrepublic.com

LastPass Vendor Breach Exposes Customer Contact and Support Data via Stolen Klue OAuth Tokens

What Happened — Attackers stole OAuth tokens belonging to Klue, a LastPass‑integrated vendor, and used them to access LastPass’s Salesforce environment. The intrusion allowed extraction of customer contact information and support‑case details stored in the CRM.

Why It Matters for Compliance & Audit Readiness

  • This scenario is a textbook example of a third‑party risk failure that SOC 2 vendor‑management controls are designed to detect, document, and remediate.
  • Continuous monitoring of vendor access and immutable audit evidence are essential to demonstrate due diligence during a SOC 2 audit.

Who Is Affected — SaaS providers, enterprise IT departments, and any organization that relies on LastPass for password management and integrates third‑party services (e.g., Klue, Salesforce).

Recommended Actions

  • Conduct an immediate vendor‑risk review: verify token lifecycles, enforce least‑privilege scopes, and rotate all third‑party credentials.
  • Map the incident to SOC 2 CC6.1 (Vendor Management) and CC6.2 (Monitoring of Subservice Organizations) controls; collect logs and token‑usage evidence for audit readiness.
  • Implement continuous, automated monitoring of third‑party OAuth token usage and integrate alerts into your compliance evidence repository.

Technical Notes — The breach leveraged stolen OAuth tokens (credential compromise) to bypass authentication and query Salesforce APIs, exposing contact fields (name, email, phone) and support case metadata. No public CVE is associated; the vulnerability lies in token handling and third‑party access governance.

Source: TechRepublic Security

📰 Original Source
https://www.techrepublic.com/article/news-lastpass-klue-oauth-token-salesforce-data-exposure/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →