LastPass has issued a warning to its users regarding a recent data breach involving Klue, a third-party market firm, which has reportedly led to the theft of personal information. In an email sent to customers, LastPass announced that Klue was breached on June 11, resulting in the exposure of customer names, phone numbers, email addresses, physical addresses, and various support case and sales-related data.
Despite the extent of the breach, LastPass reassured its users that the incident pertains solely to Klue-integrated systems and emphasized that its products, services, and infrastructure were unaffected. The company confirmed that customer vaults remain secure, urging users to maintain vigilance against potential phishing attempts and social engineering schemes that may exploit this situation to extract further information and funds from them.
Several other firms that rely on Klue have also reported customer data leaks following the breach. The hacking group Icarus has claimed responsibility for the incident and is allegedly contacting users, threatening to leak their sensitive data unless demands are met.
These concerns are heightened by LastPass’s previous security issues. A series of breaches in 2022 resulted in the compromise of sensitive data from user password vaults. Notably, Ripple co-founder Chris Larsen suffered a staggering loss of $150 million in cryptocurrency following unauthorized access to his private keys due to these lapses.
Cybersecurity expert ZachXBT revealed in 2024 that the fallout from the previous breaches continued, with attackers leveraging stolen data to siphon off approximately $5.4 million from over 40 wallets. Earlier in 2023, around $4.4 million had already been taken from more than 25 users linked to the same vulnerabilities.
Adding to the challenges, two individuals associated with a cryptocurrency laundering scheme called “AudiA6,” responsible for laundering $389 million, have reportedly assisted in the movement of funds stolen from LastPass users.
In the wake of these events, LastPass faced a £1.2 million fine from the UK’s Information Commissioner’s Office last year due to its failure to implement adequate technical and security measures, which enabled unauthorized access to its backup database. The breach reportedly affected around 1.6 million users in the UK, emphasizing ongoing concerns about the company’s security practices.
As LastPass continues to navigate through these significant challenges, the emphasis on security and customer vigilance remains vital amidst the evolving landscape of cyber threats.



