Supply Chain Vulnerability: OAuth Token Compromise at Klue Impacts LastPass Salesforce Data
A supply chain incident involving the market intelligence platform Klue has resulted in unauthorized access to specific datasets within LastPass’s environment. Rather than a direct breach of LastPass’s own perimeter, the attack used a “pivot” strategy: stolen OAuth tokens, which grant delegated access to integrated SaaS tenants without passing through the primary login and MFA controls, were replayed against the downstream systems that trusted them.
This incident serves as a critical case study in the growing risks associated with API security and the inherent trust models used in modern enterprise SaaS integrations.
Technical Analysis of the Breach
The intrusion was identified on June 12, following a security event at Klue that impacted several organizations integrated with its platform via Salesforce and Gong. Forensic investigation revealed that threat actors exfiltrated OAuth tokens stored within Klue’s infrastructure. These tokens act as digital keys for delegated access: presenting one allows the holder to impersonate the authorized integration and gain entry into the connected downstream environment.
In the specific case of LastPass, the compromised tokens provided unauthorized access to certain segments of its Salesforce instance. According to the official LastPass disclosure, the exposure was limited to these integrated systems. Importantly, the company has confirmed that its core infrastructure, primary product suite, and encrypted user password vaults remained untouched. There is currently no evidence that Gong systems or sensitive authentication primitives, such as master passwords, were compromised.
Despite the limited scope, the data accessed included significant Customer Relationship Management (CRM) metadata, such as:
- Full names and contact information (email addresses and phone numbers).
- Physical mailing addresses.
- Sales and support-related interaction records.
Mitigation and Incident Response
Upon detection, LastPass activated its incident response protocols to contain the lateral movement. The technical remediation steps included:
- Token Revocation: Immediate invalidation and rotation of all affected OAuth tokens to sever the attackers’ access.
- Access Control: Disabling all employee access to the Klue platform as a precautionary measure.
- Collaborative Investigation: Coordinating forensic analysis with Klue, Salesforce, and relevant law enforcement agencies.
- Threat Intelligence Sharing: The LastPass Threat Intelligence, Mitigation, and Escalation team is actively disseminating indicators of compromise (IoCs) to the broader security community to help disrupt the wider campaign.
Strategic Recommendations for Enterprise Security
While the exfiltrated data is classified as business-standard information, it poses a high risk for social engineering and highly targeted spear-phishing campaigns. Attackers can use the harvested CRM data to craft convincing, context-aware communications designed to harvest credentials or deploy malware.
To defend against similar supply chain pivots, security architects should consider the following:
- Implement Least-Privilege Access: Audit all third-party integrations to ensure OAuth scopes are restricted to the absolute minimum required functionality.
- Token Lifecycle Management: Enforce short-lived access tokens and implement robust rotation policies.
- Anomaly Detection: Continuously monitor API activity by connected apps to identify irregular data access patterns, such as bulk record reads, request bursts, or token use from unfamiliar source addresses.
- SaaS Security Posture Management (SSPM): Regularly audit the permissions granted to third-party applications within your enterprise ecosystem.
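As an added illustration of the least-privilege, token-monitoring and SSPM recommendations above (example code written for this article, not LastPass, Klue or Salesforce code), the following Python script audits the OAuth scopes granted to a connected app against a least-privilege allowlist and flags anomalous token use in a constructed API access log. App names, scope names, IP addresses and log rows are hypothetical sample data.

```python
from datetime import datetime, timedelta

# Constructed least-privilege policy: the scopes each connected app should hold.
SCOPE_POLICY = {"market-intel-app": {"api", "refresh_token"}}

# Constructed inventory of scopes actually granted to each connected app.
GRANTED_SCOPES = {"market-intel-app": {"api", "refresh_token", "full", "web"}}

# Constructed access log rows: (ISO timestamp, app, source IP, records returned).
ACCESS_LOG = [
    ("2024-06-11T09:00:00", "market-intel-app", "203.0.113.10", 40),
    ("2024-06-11T13:30:00", "market-intel-app", "203.0.113.10", 35),
    ("2024-06-12T02:14:00", "market-intel-app", "198.51.100.7", 2000),
    ("2024-06-12T02:15:00", "market-intel-app", "198.51.100.7", 2000),
    ("2024-06-12T02:16:00", "market-intel-app", "198.51.100.7", 2000),
]


def excess_scopes(policy, granted):
    """Scopes granted to each app beyond what the least-privilege policy allows."""
    report = {}
    for app, scopes in granted.items():
        extra = scopes - policy.get(app, set())
        if extra:
            report[app] = sorted(extra)
    return report


def anomalous_token_use(log, known_ips, baseline_records, burst=3,
                        window=timedelta(minutes=5)):
    """Flag token use from an unexpected source IP, reads more than 10x the
    app's baseline record count, and `burst` requests inside `window`."""
    findings = []
    recent = {}  # app -> request timestamps still inside the sliding window
    for ts_str, app, ip, records in sorted(log):
        ts = datetime.fromisoformat(ts_str)
        if ip not in known_ips.get(app, set()):
            findings.append((ts_str, app, "new-source-ip", ip))
        if records > 10 * baseline_records.get(app, float("inf")):
            findings.append((ts_str, app, "bulk-read", records))
        seen = [t for t in recent.get(app, []) if ts - t <= window] + [ts]
        recent[app] = seen
        if len(seen) == burst:  # fire once when the window first fills
            findings.append((ts_str, app, "burst", len(seen)))
    return findings


if __name__ == "__main__":
    print("excess scopes:", excess_scopes(SCOPE_POLICY, GRANTED_SCOPES))
    for f in anomalous_token_use(ACCESS_LOG, {"market-intel-app": {"203.0.113.10"}},
                                 {"market-intel-app": 40}):
        print("finding:", f)
```

The scope audit is the SSPM check; the log rules are the kind of SIEM logic that would surface a stolen integration token being replayed from new infrastructure for a bulk CRM export.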
Indicators of Compromise (IoCs)
The following indicators have been identified in connection with this campaign. Defenders should ingest these into their SIEM/EDR platforms for proactive threat hunting.
Note: IP addresses and domains have been defanged (e.g., with brackets around a dot) to prevent accidental clicks or connections. Re-fang these values only within controlled analysis environments.
LastPass advises all users to remain vigilant against unsolicited communications. Always remember: LastPass will never request your master password or sensitive credentials via email, phone, or unofficial support channels.