LastPass Customer Records Stolen Via Klue Partner Breach

The timing is uncomfortable. Just as LastPass was rebuilding trust after its damaging 2022 breach, when encrypted password vaults were stolen and later partially cracked to fund cryptocurrency thefts, the company is now notifying customers that their names, phone numbers, email addresses, physical addresses, and customer support case records were stolen in a hack of Klue, a market research firm that served as a LastPass technology partner. LastPass's own infrastructure was not touched, but "our infrastructure was fine" is a harder sentence to say with conviction the second time around.

The breach at Klue was identified on June 12, 2026, according to TechCrunch's reporting, and the hacking and extortion group Icarus claimed responsibility, threatening to release the stolen data unless a ransom is paid. LastPass is not the only downstream victim: cybersecurity firms HackerOne, Recorded Future, and Tanium were also affected, making this one of the broader third-party supply-chain events of the year.

The particular sensitivity is the customer support case data. Contact details can be phished; support case records can arm an attacker with specific context about a user's setup and past problems, making follow-on social engineering sharper against a user base whose accounts unlock credentials for everything else. LastPass has not disclosed how many of its roughly 1.6 million paying customers, or its broader user base of over 33 million as of 2024 figures, were affected by this specific incident.

The honest caveat is that "third-party breach" is doing real work in LastPass's framing, and it is not wrong. Klue held the data, and LastPass's own systems were not compromised. But vendor relationships are a security decision. What the reporting does not give you is any detail on what vetting Klue received, what data-minimization controls were in place, or whether the support case data included anything beyond basic case identifiers. Those gaps matter for assessing real exposure.

Who benefits in the short term: competitors in the password management space, and the third-party risk management vendors who have been arguing for years that this kind of vendor-chain exposure is the real frontier of enterprise security risk.