LastPass Says Hackers Stole Customer Support Data in Klue Breach
Password manager maker LastPass says hackers stole some of its customer support data. The theft did not happen on LastPass’s own systems. Instead, hackers broke into a company called Klue, which LastPass had hired. A password manager is an app that stores all your passwords in one safe place. The good news: LastPass says the actual password vaults, where your passwords live, were not touched. The bad news: other personal details were stolen.
This is a “supply chain” breach. That means the attackers did not hit the main target directly. They hit a smaller partner that had access to the target’s data. Here is what happened and why it matters for anyone who uses online services.
What happened?
Hackers broke into Klue, a market research firm. LastPass and several other companies used Klue’s services. Through this break-in, the attackers reached data belonging to LastPass customers. LastPass did not get hacked itself. The weak link was its outside partner.
According to the report, the hackers were spotted inside Klue’s systems on June 12, 2026. The news became public on June 23, 2026. LastPass was one of several well-known firms affected. Others reportedly include HackerOne, Recorded Future, and Tanium.
What data was stolen?
The stolen data came from customer support records. These are the notes and details a company keeps when you contact its help team. Based on the report, the stolen information includes:
- Customer names
- Phone numbers
- Email addresses
- Physical addresses
- Customer support case records and sales-related data
Importantly, LastPass said its own systems were not affected. This includes the password vaults. A vault is the encrypted box that holds all your saved passwords. “Encrypted” means scrambled so no one can read it without the key. So your stored passwords should be safe. But your contact details may now be in the wrong hands.
| Key fact | Detail |
|---|---|
| Who was hit directly | Klue (a market research firm) |
| Whose data was stolen | LastPass and other clients |
| Hackers spotted in Klue | June 12, 2026 |
| News made public | June 23, 2026 |
| Data stolen | Names, phone numbers, emails, addresses, support case data |
| Password vaults | Not affected, per LastPass |
| Group claiming the attack | “Icarus” |
Who is behind it?
A hacking group calling itself “Icarus” claimed credit for the attack. The group reportedly threatened to release the stolen data unless a ransom was paid. A ransom is money demanded by criminals in exchange for not leaking or destroying data. This kind of threat is common in modern cyberattacks.
LastPass is a large service. According to 2024 figures, it had more than 33 million users and about 1.6 million paying customers. The company has not said exactly how many customers were affected by this incident.
LastPass has been hit before
This is not LastPass’s first security scare. Back in December 2022, the company suffered a much worse breach. In that case, attackers stole the entire customer password vault database. Later, some crypto thefts were linked to hackers cracking weak master passwords from that stolen data. A master password is the single key that unlocks your whole vault.
This new incident is different and less severe, because the vaults were not touched this time. Still, the repeat trouble is a reminder that password managers are high-value targets. The same pattern of attackers targeting trusted tools appears across the tech world, including in how companies build AI orchestration systems that route tasks between models. Trust and security must go hand in hand.
FAQ
Were my LastPass passwords stolen?
According to LastPass, no. The company says its own systems, including password vaults, were not affected. The stolen data came from a partner’s customer support records, not from the vaults.
What is a supply chain breach?
It is when hackers attack a smaller partner or vendor to reach a bigger target. Here, hackers broke into Klue, a firm LastPass hired, to steal LastPass customer data.
What should LastPass users do now?
Stay alert for scam emails or calls that use your name and contact details. Turn on two-factor authentication, and never share your master password. When in doubt, check official LastPass updates directly.
Why it matters (especially for India / founders)
This breach is a lesson in vendor risk. Many companies, including Indian startups, hand data to outside tools and partners. If a partner is hacked, your customers’ data can leak even if your own systems are safe. Founders must check the security of every vendor they trust.
For users, stolen contact details fuel scams. Criminals can send fake emails or calls that look real because they know your name and number. This is called phishing. In India, where digital adoption is huge, such scams are a growing threat. The takeaway for everyone: treat data sharing with care, and assume any contact detail can be misused. As AI tools handle more sensitive data, securing systems like the different types of agent memory used by AI systems will matter even more.
The takeaway
The LastPass incident shows how a hack at one vendor can ripple out to many companies. The stolen data (names, emails, phone numbers, and addresses) can power scams, even though the password vaults stayed safe. The bigger message is clear: in today’s connected world, your security is only as strong as the weakest partner you trust.