Cyber Incident Victim: LastPass
Date: Jun 2026
Location: United States of America
Summary
LastPass disclosed that hackers obtained customer names, phone numbers, email addresses, physical addresses, customer support case records and sales‑related data after breaching technology partner Klue, while the company’s own systems and password vaults remained unaffected. The breach at Klue was claimed by the extortion group Icarus, which threatened to release the stolen information unless a ransom was paid. The company noted that its previous incident exposed encrypted password vaults, allowing attackers with weak master passwords to brute‑force them and access stored credentials, a situation that has been linked to subsequent cryptocurrency thefts. The firm reports serving tens of millions of users, with a substantial base of paying subscribers.
Description
On June 12, 2026, Klue’s security team identified unauthorized access to its systems and later disclosed that a hacking and extortion group named Icarus had taken responsibility for the breach. According to Klue’s CEO Jason Smith, the intrusion was detected on that date and the group publicly threatened to release the stolen data unless a ransom was paid. LastPass subsequently informed its customers that the breach occurred at Klue, a technology partner, and not within LastPass’s own infrastructure. In an email shared with TechCrunch, LastPass stated that hackers had abused their access to Klue to obtain data about LastPass customers. The company noted that it was among several cybersecurity firms, including HackerOne, Recorded Future and Tanium, that reported data thefts stemming from the Klue incident.

LastPass disclosed that the compromised information included customers’ names, phone numbers, email addresses, physical addresses, customer support case data and sales‑related data. The company said its own systems, including the encrypted password vaults, remained unaffected by the Klue breach. LastPass added that the exact contents of the stolen support tickets were not yet known, although such tickets often contain fragments of private or sensitive information and customers typically contact support for billing or account‑access issues. The article notes that previous incidents involving support tickets have exposed credentials and government‑issued identity documents. For context, LastPass experienced a separate breach in 2022 in which attackers copied the entire set of customer password vaults, which are encrypted with master passwords known only to the users, and later used brute‑force attacks to access some vaults, a breach that was linked to subsequent cryptocurrency thefts.

In response to the Klue‑related incident, LastPass sent notifications to affected customers and published a blog post detailing the scope of the stolen data. The company’s spokespeople did not reply to TechCrunch’s requests for comment or to questions about the number of customers impacted. Klue’s CEO Jason Smith likewise did not respond to TechCrunch’s inquiries regarding the scale of the breach or any communication with the extortion group. LastPass reported that it serves more than 33 million users and approximately 1.6 million paying customers as of 2024, providing a sense of the potential scale of exposure. LastPass maintained that its own infrastructure was not compromised in the Klue breach.
