
In an email shared with TechCrunch by an affected customer, LastPass said the breach occurred at market research firm Klue rather than on its own systems. However, hackers abused their access to obtain large amounts of data on LastPass customers.
LastPass is the latest in a long list of cybersecurity companies that have reported data theft as a result of the Klue breach, which the company disclosed last week. Other affected companies include HackerOne, Recorded Future, and Tanium.
It’s not yet known what the customer support tickets contained, although they likely include fragments of potentially private or sensitive information. Customers typically contact customer service when they have billing issues or need help accessing their account. Past incidents involving customer support tickets have involved credentials and government-issued identity documents.
LastPass has more than 33 million users and about 1.6 million paying customers as of 2024, according to its website.
Although the vault was encrypted with a master password known only to the customer, the breach allowed hackers to access internal secrets by cracking the vault in an offline brute-force attack against the weakest master passwords. Several crypto thefts were later linked to the LastPass breach, after hackers were suspected of stealing victims’ wallet keys by cracking their password vaults.