In late June 2026, LastPass confirmed a new data breach - but the headline needs an immediate, honest caveat: this is not another vault breach. Attackers reached customer support and contact data stored in LastPass's Salesforce environment, while LastPass stated its products, services and infrastructure were not affected and customer password vaults remained secure. Here is what actually happened, what it means, and what to do.
What happened
LastPass confirmed that attackers accessed customer support-case data stored in its Salesforce environment. The exposed information includes customer names, phone numbers, email addresses, physical addresses, support-case data and sales-related records.
The crucial point, stated by LastPass itself: its products, services and infrastructure were not affected, and customer password vaults remained secure. In other words, this incident is about support and CRM contact data, not the encrypted vault where your saved logins live. That distinction is what separates it from the much-discussed 2022 vault-backup breach, and it is worth keeping front of mind before reacting. If you have been weighing the platform's track record, our breakdown "Is LastPass safe?" puts this in context.
How it happened - a supply-chain attack on Klue
The root cause was not a break-in at LastPass. It was a supply-chain attack on Klue, a third-party market-intelligence platform used by LastPass's go-to-market teams that integrates with Salesforce and Gong.
Around June 12, 2026, a threat actor referred to as Icarus used compromised legacy credentials for an integration service to breach Klue. From there, the attackers stole OAuth tokens that granted access to LastPass's Salesforce support cases. A trusted, connected tool became the weak link - and that connection quietly carried access into LastPass's CRM.
LastPass was not the only victim. The same Klue incident reportedly affected Recorded Future, Tanium, Jamf, Sprout Social, Gong and Insurity as well.
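For teams that run their own CRM integrations, the pattern described above (a legacy credential at a vendor, and an OAuth token that reached support cases) can be checked for in advance. The sketch below is an added example, not code from LastPass, Klue or this article's sources; the inventory, field names, app names and thresholds are constructed assumptions.

```python
from datetime import date

# Constructed inventory: field names and values are hypothetical stand-ins for
# whatever your CRM's connected-app list and vendor records actually contain.
GRANTS = [
    {"app": "market-intel-tool", "scopes": {"api", "refresh_token"},
     "reachable": {"Opportunity", "Account", "Case"}, "needed": {"Opportunity", "Account"},
     "cred_rotated": date(2023, 2, 1), "last_used": date(2026, 6, 10)},
    {"app": "call-recorder", "scopes": {"api"},
     "reachable": {"Opportunity"}, "needed": {"Opportunity"},
     "cred_rotated": date(2026, 3, 15), "last_used": date(2026, 6, 11)},
    {"app": "old-survey-widget", "scopes": {"api", "refresh_token"},
     "reachable": {"Case", "Contact"}, "needed": {"Case"},
     "cred_rotated": date(2026, 1, 5), "last_used": date(2025, 11, 2)},
]

def audit_grant(grant, today, max_cred_age_days=365, max_idle_days=90):
    """Return sorted finding codes for one third-party OAuth grant."""
    findings = set()
    # Legacy credential: the secret behind this integration has not been rotated.
    if (today - grant["cred_rotated"]).days > max_cred_age_days:
        findings.add("stale-credential")
    # The token reaches objects the integration has no business need for.
    excess = grant["reachable"] - grant["needed"]
    if excess:
        findings.add("excess-access:" + ",".join(sorted(excess)))
    # A refresh token works with no user present, so a stolen one stays
    # usable until it is revoked or expires.
    if "refresh_token" in grant["scopes"] and excess:
        findings.add("long-lived-token-with-excess-access")
    # Still active but unused: revoke instead of keeping standing access.
    if (today - grant["last_used"]).days > max_idle_days:
        findings.add("idle-grant")
    return sorted(findings)

def audit(grants, today):
    """Map app name -> findings, omitting grants with nothing to report."""
    report = {g["app"]: audit_grant(g, today) for g in grants}
    return {app: f for app, f in report.items() if f}

if __name__ == "__main__":
    for app, findings in audit(GRANTS, date(2026, 6, 12)).items():
        print(app, findings)
```
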

Why this matters even if you don't use LastPass
Two reasons. First, supply-chain attacks are everyone's problem: a single compromised vendor can expose data from many companies at once, which is exactly why the same incident touched several unrelated organisations. The connected tools your services rely on are part of your attack surface.
Second, even though your passwords were not exposed, leaked contact data is fuel for phishing. Attackers who hold your name, email, phone number and the fact that you are a LastPass customer can craft very convincing fake "security alert" messages. The data that leaked is exactly what makes a scam look legitimate.
What to do
Because your vault was not compromised, this is not a drop-everything password reset. The right response is calm and targeted:
- Expect phishing, and slow down. Be sceptical of any unexpected email, call or text that mentions LastPass, a "breach" or your account. Don't click links in them; go to the official site directly. Legitimate companies won't ask for your master password.
- Confirm two-factor authentication is on. With 2FA (an authenticator app or hardware key, ideally - not SMS), even a phished password is far harder to abuse.
- Use a unique password everywhere. This breach didn't expose vault passwords, but unique-per-site passwords remain the baseline that limits the blast radius of any future leak.
- Weigh your options. If repeated incidents have eroded your trust, it is reasonable to compare providers. Our guide to the best LastPass alternatives lays out the trade-offs.
The takeaway
The honest summary: LastPass's vaults were not breached in June 2026 - a third-party platform called Klue was, exposing support and contact data through a connected integration. The practical danger is targeted phishing built from leaked contact details, not stolen passwords. Stay alert to messages that reference the breach, keep 2FA on and unique passwords everywhere, and decide on your provider with the facts rather than the fear.
Frequently asked questions
Was my LastPass password vault compromised in the 2026 breach?
No. LastPass stated that its products, services and infrastructure were not affected and that customer password vaults remained secure. The June 2026 incident exposed customer support-case and contact data (names, phone numbers, email and physical addresses) stored in its Salesforce environment, not the encrypted vaults where your passwords live. This is the key distinction from the well-known 2022 vault breach: that one involved backup copies of vault data, this one does not.
What exactly was exposed in the LastPass June 2026 breach?
According to LastPass, attackers accessed customer support-case data and sales-related records held in its Salesforce CRM. The exposed fields include customer names, phone numbers, email addresses and physical addresses. There is no verified public figure for how many customers were affected, so be cautious of any specific count you see. Your stored logins and master password were not part of this data set.
How did attackers get in if LastPass itself was not hacked?
The root cause was a third-party supply-chain attack on Klue, a market-intelligence platform that LastPass's go-to-market teams use and that integrates with Salesforce and Gong. Around June 12, 2026 a threat actor referred to as Icarus used compromised legacy credentials for an integration service to breach Klue, then stole OAuth tokens that granted access to LastPass's Salesforce support cases. So a trusted connected tool was the weak link, not LastPass's own systems.
Was LastPass the only company affected by the Klue incident?
No. The same Klue supply-chain incident reportedly affected several other organisations, including Recorded Future, Tanium, Jamf, Sprout Social, Gong and Insurity. Supply-chain attacks like this hit many customers of one compromised vendor at once, which is part of why they are so impactful.
What should I do after the LastPass 2026 breach?
Since your vault was not exposed, you do not need to panic-reset every password. The real risk is targeted phishing using the leaked contact details. So: be sceptical of unexpected emails, calls or texts that reference LastPass or your account, never click links in them, and reach LastPass only through the official site. Make sure two-factor authentication is on, confirm every account uses a unique password, and consider whether a provider with a cleaner breach history fits you better.



