HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

LastPass Customer Data Exposed via Stolen OAuth Tokens in Klue Supply‑Chain Attack

Attackers compromised the market‑intelligence platform Klue, stole OAuth tokens, and used them to extract LastPass CRM data from Salesforce. The breach highlights the importance of SOC 2 vendor‑management controls and continuous token‑lifecycle monitoring for audit readiness.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
helpnetsecurity.com

LastPass Customer Data Exposed via Klue Supply‑Chain OAuth Token Compromise

What Happened – Attackers breached the market‑intelligence platform Klue and stole OAuth tokens that Klue used to access its customers’ Salesforce environments. Using those tokens, the threat actors extracted LastPass CRM records—including names, phone numbers, email addresses, physical addresses, and support case details—stored in Salesforce. The incident was limited to the integrated systems and did not affect LastPass vaults or core services.

Why It Matters for Compliance & Audit Readiness

  • SOC 2 vendor‑management controls (CC6.1) require continuous due‑diligence and evidence that third‑party integrations are securely provisioned and monitored.
  • A supply‑chain credential compromise demonstrates the need for real‑time token‑lifecycle monitoring as audit evidence of control effectiveness.
  • Documented response actions (token revocation, access revocation, indicator sharing) provide the kind of defensible trail auditors expect for a “security incident” clause.

Who Is Affected – SaaS password‑manager providers, market‑intelligence platforms, CRM and sales‑automation vendors, and their enterprise customers (technology, security‑services, and broader B2B sectors).

Recommended Actions

  • Review and tighten third‑party OAuth token issuance policies; enforce least‑privilege scopes and short‑lived tokens.
  • Map the incident to SOC 2 CC6.1 (Vendor Management) and CC7.1 (System Operations) controls, collect evidence of token rotation and revocation.
  • Implement continuous monitoring of third‑party API activity and integrate alerts into your audit‑ready evidence repository.

Technical Notes – The breach leveraged stolen OAuth access tokens (credential compromise) from Klue’s integration with Salesforce. Exposed data comprised standard business contact information and sales‑related CRM records. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/06/24/lastpass-klue-data-breach-salesforce-environment/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →