Skip to main content
Home/Blog/Your Vendor Just Breached Your Password Manager — And You've Never Heard of Them
Cybersecurity

Your Vendor Just Breached Your Password Manager — And You've Never Heard of Them

LastPass was breached this week — not through LastPass itself, but through a vendor called Klue that nobody outside of go-to-market teams knew existed. Here's what that means for your business.

June 25, 2026·7 min read

Last week, LastPass notified customers that their personal information had been stolen. Names, email addresses, phone numbers, physical addresses, and the contents of customer support cases — all taken.

Here's the part that should keep business leaders up at night: LastPass itself wasn't hacked.

The breach didn't come from LastPass's own infrastructure. It didn't come from a flaw in the password manager product. It came from a company called Klue — a market intelligence platform used by LastPass's go-to-market team — that had accumulated OAuth tokens granting access to LastPass's Salesforce environment.

An extortion group called Icarus compromised Klue using legacy credentials. From there, they grabbed the OAuth tokens Klue held for dozens of its customers. And with those tokens, they walked right into the Salesforce environments of LastPass, HackerOne, Recorded Future, Tanium, Jamf, Snyk, OneTrust, Sprout Social, and Huntress — simultaneously.

Let that sink in. A single vendor breach compromised over a dozen cybersecurity companies at once.

This Is the Supply Chain Attack Pattern of 2026

I've been in cybersecurity for 25 years. The attack pattern I'm watching accelerate faster than almost anything else right now is this: attackers aren't breaking through your front door. They're finding the unlocked side door your vendor left open.

Supply chain attacks have become the defining cybersecurity threat of this era because they're devastatingly effective. Targeting a direct attack on a well-defended company takes significant resources and usually triggers defenses. Targeting the vendor who has trusted, authenticated access to that company? Entirely different story.

Klue isn't a household name. Most LastPass users — and frankly, most of LastPass's own employees outside of sales and marketing — probably had no idea the company existed. But Klue held OAuth tokens that granted direct, authenticated access to LastPass's Salesforce environment. That's not a minor integration. That's a key.

And once Icarus had the key, the locks on all those other companies became irrelevant.

The OAuth Token Problem Nobody Talks About

OAuth tokens are how modern software integrations work. When your CRM connects to your marketing platform, which connects to your customer support system, which connects to your analytics tool — all of those connections are authenticated with tokens. They're convenient, they're efficient, and they're everywhere.

They're also dangerous when accumulated by third parties you don't control.

Here's the issue: when you authorize Klue — or any vendor — to connect to your Salesforce, you're handing them a credential that lives in their system, under their security controls, accessible to their employees. When Klue gets breached, your Salesforce access goes with them.

Most organizations have no idea how many OAuth tokens are floating out there, in how many vendors' systems, granting access to what. I'd bet that if you asked your IT team right now how many third-party applications have active OAuth access to your business systems, they couldn't give you an accurate answer.

That's the problem.

What Business Leaders Should Do Right Now

This isn't theoretical. These are concrete steps you can take this week:

Conduct an OAuth token audit. Every major platform — Microsoft 365, Salesforce, Google Workspace, Slack — has an administrative view of connected applications. Pull that list. Look at what's connected, who authorized it, when it was last used, and whether it's still needed. Revoke access to anything that isn't actively required.

Treat your vendor list as an attack surface. The same due diligence you apply to your own security posture needs to extend to your vendors. What security controls does Klue have? What about your payroll processor? Your law firm? Your marketing analytics platform? These aren't hypothetical risks. They're direct connections into your environment.

Don't assume a vendor breach didn't hit you just because the vendor says so. LastPass was technically correct that their own infrastructure wasn't compromised. But customer data was stolen. The distinction matters for technical forensics; it doesn't make customers whole. When a vendor discloses a breach, investigate what access they held in your environment, not just what they say was affected.

Implement least-privilege for vendor integrations. When you connect a vendor to your systems, grant only the minimum permissions required for their function. A market intelligence platform doesn't need access to your entire CRM. Scope it down.

Rotate credentials after any vendor incident. If a vendor you use discloses any kind of security incident, rotate any tokens, API keys, or credentials they held. Don't wait for confirmation that you were specifically affected.

The Painful Truth About Third-Party Risk

Most organizations spend enormous energy securing their own environments — investing in firewalls, endpoint detection, identity management, security awareness training. All of that matters. But attackers have noticed that the direct path is increasingly difficult, and they've shifted their focus to the vendors, partners, and integrations that have trusted access to those well-defended environments.

The LastPass/Klue breach is a useful illustration, but it's far from unique. We've seen the same pattern with the Foxconn breach through Nitrogen ransomware, the One Medical healthcare breach, the Novo Nordisk clinical trial data incident, and dozens of others in 2026 alone.

The question for your organization isn't whether you trust your vendors. It's whether your vendors' security posture is strong enough to warrant the access they hold. And for most businesses, the honest answer is: we don't know.

That's not an acceptable answer anymore.

What TrustPoint Cyber Recommends

At TrustPoint Cyber, we help businesses build vendor risk management programs that go beyond checking a compliance box. We look at who has access to what, how that access is protected, what happens if a vendor is compromised, and how quickly you'd know.

If you haven't mapped your vendor attack surface recently — or ever — now is the time. The Klue breach won't be the last. The next one may go through a vendor you trust even more.

The side door is open. The question is whether you're going to find it before the attackers do.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.