Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack at one of its technology partners, marking the company’s latest data breach in recent years.
In an email shared with TechCrunch from an affected customer, LastPass said the breach occurred at market research firm Klue, and not its own systems, but hackers abused their access to obtain reams of data about LastPass customers.
LastPass is the latest in a growing list of cybersecurity companies that have reported data thefts as a result of the breach at Klue, which the company disclosed last week. Several other affected companies include HackerOne, Recorded Future, and Tanium.
In a blog post that shared information about the incident, LastPass said the hackers took customers’ names, phone numbers, email addresses, physical addresses, as well as customer support case data and sales-related data.
LastPass said the company’s own infrastructure was unaffected, including customers’ password vaults.
It’s not yet known what was in the contents of customer support tickets, although they likely contain fragments of potentially private or sensitive information. Customers typically contact customer service when they are having a billing issue or need assistance in gaining access to their accounts. Past incidents involving customer support tickets have included credentials and government-issued identity documents.
Spokespeople for LastPass did not immediately respond to TechCrunch’s request for comment or to questions about the incident, including how many customers are affected.
LastPass has more than 33 million users and around 1.6 million paying customers as of 2024, according to its website.
LastPass previously experienced a data breach in 2022, in which hackers stole the company’s entire store of customer password vaults, which customers use to store their sensitive credentials, such as passwords, tokens, and other personal information and credit card numbers.
While the vaults were encrypted with master passwords known only to the customer, the breach allowed hackers to brute-force offline the vaults protected by the weakest master passwords, and subsequently access the secrets inside. Several crypto thefts were later linked to the LastPass breach, after hackers were suspected of stealing victims’ wallet keys by cracking their password vaults.
Klue CEO Jason Smith said in a blog post that the company identified hackers in its systems on June 12. A hacking and extortion group called Icarus took credit for the breach, and has publicly threatened to release the stolen data if a ransom isn’t paid.
Smith has not responded to TechCrunch’s emails about the incident, including how many customers are affected or if the company has been in contact with the hackers.
Source: techcrunch.com
