LastPass hit by new data breach - 4 steps you should take now

Follow ZDNET: Add us as a preferred source on Google.

ZDNET's key takeaways

A third-party data breach has impacted LastPass customers.

The breach exposed names, phone numbers, and other data.

No master passwords or password vaults were compromised.

Do you use LastPass as your password manager? If so, I got some bad news. Yes, another data breach, though this one occurred at one of the company's third-party suppliers.

In a Tuesday blog post, LastPass revealed that a breach at a third-party supplier named Klue compromised certain contact and CRM (customer relationship management) data. The stolen information includes customer names, phone numbers, email addresses, and physical addresses, as well as support case and sales-related details. The only saving grace so far is that no master passwords or password vaults were compromised in the breach.

Also: Can you trust LastPass in 2026? Inside the multimillion-dollar quest to rebuild its security culture

As the blog post explains, Klue is a third-party market research platform used by LastPass to integrate with its Salesforce and Gong systems, allowing it to work with customer data and conduct market research. The hackers were able to snag the OAuth security tokens used by Klue to connect to customer data across these different systems. They then exploited these tokens to steal the LastPass user data stored in Salesforce.

How LastPass is responding

In response to the breach, LastPass explained that it cut off all employee access to Klue, refreshed the exposed tokens, kicked off an investigation in conjunction with Klue and Salesforce, and began working with law enforcement.

The company also announced that it's sharing information with the broader cybersecurity community to help disrupt this latest campaign. Of course, LastPass promised to set up better protections to prevent this type of breach in the future.

Also: I'm done searching for the 'perfect' password manager - how I've embraced the chaos

In its own blog post, Klue said that it uncovered the breach on June 12. Since then, the company has also been working with cybersecurity experts to determine what happened and restore all the compromised connections.

LastPass was far from the only company affected by this breach. Other victims include Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium, as reported by TechCrunch. Ransomware group Icarus has claimed responsibility for the breach, threatening that it would publish the compromised data if Klue didn't pay the ransom.

What should LastPass users do?

First, you should have received an email from LastPass notifying you of the breach and advising you on further steps.

Second, be on the lookout for possible phishing attacks or social engineering scams that try to exploit the stolen contact details. As always, this means you should scrutinize any emails, texts, or phone calls in which the person asks for sensitive information.

Also: It's possible to switch password managers without losing a single login - and I'm proof

Third, even though no passwords or password vaults were compromised, you may still want to change your master password. Make it strong but still memorable. A passphrase is always a good option, as it can be complex but still easy to remember.

Fourth, consider a different password manager. This is hardly the first time LastPass users have been impacted by a data breach or other significant problem.

Not a great track record

In 2022, a hacker grabbed some source code and proprietary LastPass technical data by exploiting a compromised account. But it didn't end there. Later that year, the company revealed that information stolen during the first attack led to a second one that captured customer names, billing addresses, email addresses, telephone numbers, and IP addresses.

In 2020, a major outage prevented LastPass users from logging in to their accounts. Some users reported that they were affected for several days. In 2019, security researchers discovered a LastPass security bug that exposed login credentials entered on a previously visited site.

Also: The best password generators of 2026: Expert tested

That's not a great track record. Yes, this latest breach wasn't directly the fault of LastPass. And the company has promised to clean up its act following these past incidents. But there are other password managers out there with better records. Just a few candidates include 1Password, NordPass, and Bitwarden.

But isn't it a hassle to switch from one password manager to another? It's not as bad as you might think. I switched from one to another more than a year ago, and the process went much more smoothly than I expected.