LastPass says a security incident at Klue, a third party market intelligence platform used by its go to market teams, led to unauthorized access to customer data inside the LastPass Salesforce environment.
In its incident response post, LastPass said it learned on June 12, 2026 that a threat actor had obtained OAuth tokens Klue held for many customers, including LastPass. The company said those credentials were then used to access limited customer data.
This is a useful third party risk management (TPRM) case because the initial failure happened outside LastPass, but the real business impact showed up inside a connected SaaS environment. That is exactly how many third party incidents spread now: through integration access, not through the affected company's own perimeter.
What LastPass disclosed
Klue held OAuth tokens tied to customer systems
LastPass said the supplier incident allowed an unauthorized actor to obtain OAuth tokens that Klue held for many customers, including LastPass.
The exposed data was business contact and CRM data
LastPass said the affected information was limited to customer names, phone numbers, email addresses, physical addresses, support case data, and sales related CRM data.
Core products and vaults were not impacted
LastPass said its products, services, infrastructure, and customer vaults were not affected and that there was no evidence Gong related data was accessed.
Why this is a third party risk story
The supplier had live integration access
The case shows how a supplier can become part of your access boundary when it holds tokens, syncs with SaaS platforms, or can pull data from customer systems.
The blast radius followed the integration path
The problem was not only that Klue was breached. The important issue is that the stolen tokens could open a path into connected systems where customer data already lived. A stolen OAuth token works from anywhere until it expires or is revoked, so the attacker did not need to defeat any LastPass control to use it.
Customer phishing risk rises after contact data exposure
LastPass warned customers to stay alert for phishing and social engineering attempts, which is a common second stage risk after support and contact data is exposed.
What TPRM teams should review now
Which suppliers hold tokens or connected access
Analysts should ask vendors to identify every supplier that can hold OAuth tokens, API keys, or similar credentials tied to customer environments or high value internal platforms.
How fast can tokens be rotated
LastPass said the exposed Klue OAuth tokens were rotated. TPRM teams should ask vendors how quickly they can discover, revoke, and replace live integration credentials after a supplier event. Rotation only helps if the old grants are actually revoked at the SaaS platform or identity provider; issuing new tokens while the stolen ones remain valid closes nothing.
What data can suppliers reach through each integration
A supplier that only enriches sales workflows can still expose names, contact details, support records, and internal notes. That data mapping should be clear before an incident occurs.
Control improvements worth looking for
Least privilege integration design
Suppliers should not receive broad, long lived access by default. Narrow OAuth scopes, a dedicated integration user with only the object and field permissions the workflow needs, short token lifetimes, and IP restrictions on the connected app all limit what a token can reach, which reduces the impact when a partner is compromised.
Central token inventory and ownership
Vendors need a live record of which suppliers hold which credentials, who approved them, what systems they touch, and how they are monitored.
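The rotation, least privilege, and inventory points above describe one control set, so here is a single worked example that models all three. It is an added example, not code from LastPass, Klue, or Salesforce: a central inventory of supplier OAuth grants that flags over-broad scopes, ageing refresh grants, and grants with no internal owner, maps which CRM objects each supplier can reach, and runs the revocation pass you would need after a supplier breach. The supplier names, apps, and grants are constructed; the scope names follow Salesforce connected-app conventions, and the incident date is the one LastPass gave for learning of the Klue compromise.

```python
"""Central OAuth grant inventory for connected suppliers.

Added example, not code from LastPass, Klue or Salesforce. It models the
controls the text calls for: a live record of which supplier holds which
grant, what the token can reach, who approved it, and a revocation pass
that finds every live grant for a compromised supplier. All grant data
below is constructed; scope names follow Salesforce connected-app usage.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that give a token broad read/write reach into the org. A token with
# any of these can pull far more than a sales-enrichment workflow needs.
BROAD_SCOPES = {"full", "api", "web"}
# Refresh/offline grants live until revoked; flag them past this age.
MAX_REFRESH_AGE = timedelta(days=90)
# Date LastPass said it learned of the Klue incident (from the disclosure).
INCIDENT_DATE = datetime(2026, 6, 12, tzinfo=timezone.utc)


@dataclass
class Grant:
    supplier: str        # third party holding the token
    app: str             # connected app name in the SaaS org
    scopes: frozenset    # OAuth scopes on the grant
    objects: frozenset   # CRM objects the integration can read (data mapping)
    owner: str           # internal approver; empty string means unowned
    issued: datetime
    revoked: bool = False

    def is_refresh(self) -> bool:
        return bool(self.scopes & {"refresh_token", "offline_access"})


class TokenInventory:
    def __init__(self, grants):
        self.grants = list(grants)

    def live(self):
        return [g for g in self.grants if not g.revoked]

    def broad(self):
        """Live grants whose scopes exceed least privilege."""
        return [g for g in self.live() if g.scopes & BROAD_SCOPES]

    def stale_refresh(self, now):
        """Long-lived refresh grants older than the rotation window."""
        return [g for g in self.live()
                if g.is_refresh() and now - g.issued > MAX_REFRESH_AGE]

    def unowned(self):
        """Live grants nobody inside the company has signed off on."""
        return [g for g in self.live() if not g.owner]

    def reachable(self, supplier):
        """Union of CRM objects a supplier's live grants can read."""
        objs = set()
        for g in self.live():
            if g.supplier == supplier:
                objs |= g.objects
        return objs

    def revoke_supplier(self, supplier):
        """Revocation pass after a supplier breach; returns count revoked."""
        hit = [g for g in self.live() if g.supplier == supplier]
        for g in hit:
            g.revoked = True
        return len(hit)


def build_inventory():
    """Constructed sample inventory (hypothetical suppliers, not real data)."""
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    return TokenInventory([
        Grant("intel-vendor", "IntelSync", frozenset({"api", "refresh_token"}),
              frozenset({"Contact", "Lead", "Account", "Case"}), "sales-ops", t0),
        Grant("intel-vendor", "IntelSync-Support", frozenset({"api", "refresh_token"}),
              frozenset({"Case"}), "", t0),
        Grant("signature-vendor", "SigTool", frozenset({"id", "email"}),
              frozenset({"User"}), "it", t0 + timedelta(days=100)),
    ])


def audit(inv, now):
    """Counts per finding class, suitable for a TPRM review report."""
    return {
        "broad": len(inv.broad()),
        "stale_refresh": len(inv.stale_refresh(now)),
        "unowned": len(inv.unowned()),
    }


if __name__ == "__main__":
    inv = build_inventory()
    print("findings before incident:", audit(inv, INCIDENT_DATE))
    print("intel-vendor can reach:", sorted(inv.reachable("intel-vendor")))
    print("grants revoked on supplier breach:", inv.revoke_supplier("intel-vendor"))
    print("findings after revocation:", audit(inv, INCIDENT_DATE))
```

In a real deployment the grant list would be populated from the SaaS platform's own records of connected apps and their tokens rather than hand-built, and `revoke_supplier` would call the platform's revocation endpoint instead of flipping a flag; the point of the model is that every question in the checklist (who holds what, what it can reach, how fast it can be cut) has a single data structure to answer it.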
Customer communication tuned for follow on fraud risk
When support and contact data is exposed, customers need direct warning about phishing, impersonation, and what the vendor will never ask them to share.
Practical checklist
- Identify which third parties hold live OAuth tokens or API keys
- Review what data each connected supplier can reach
- Test token rotation and revocation speed after a supplier incident
- Limit integration permissions to the minimum needed
- Require clear notice obligations for supplier breaches
- Prepare phishing and impersonation guidance for affected users
- Reassess vendors that cannot map supplier access cleanly
Analyst takeaway
The LastPass case shows that supplier risk is often access risk. If a third party can hold tokens into a SaaS environment, your TPRM review needs to cover credential scope, rotation speed, and customer communication before the next connected breach arrives.
FAQ
What caused the LastPass incident?
LastPass said a threat actor obtained OAuth tokens held by Klue, a third party supplier, and then used those credentials to access limited customer data in Salesforce.
What data was reportedly affected?
LastPass said customer names, phone numbers, email addresses, physical addresses, support case data, and sales related CRM data were affected.
Why should TPRM analysts care about this case?
It shows how a supplier with integration access can create downstream exposure inside another vendor environment even when the breached supplier is not customer facing.