Password manager maker LastPass is informing customers that their personal information and customer support case records were recently stolen during a hack of one of its technology partners, marking the company’s latest data breach in recent years.
In an email shared with TechCrunch by an affected customer, LastPass said the breach occurred at market research firm Clue, not its systems. However, hackers abused their access to obtain a tonne of data about LastPass customers.
LastPass is the latest in a growing list of cybersecurity companies
that have reported data breaches as a result of the breach at Clue, which the company disclosed last week. Several other affected companies include HackerOne, Recorded Future, and Tanium.
In a blog post sharing information about the incident, LastPass said that the hackers took customers’ names, phone numbers, email addresses, and physical addresses, as well as customer support case data and sales-related data.
LastPass said that the company’s own infrastructure, including customers’ password vaults, remained unaffected.
It is not yet known what the contents of the customer support tickets were, although they likely contained pieces of potentially private or sensitive information. Customers typically contact customer service when they have a billing issue or need assistance gaining access to their accounts. Previous incidents involving customer support tickets have involved credentials and government-issued identification documents.
LastPass spokespeople did not immediately respond to TechCrunch’s requests for comment or questions about the incident, including how many customers are affected by the incident.
LastPass’s website states that it has more than 33 million users and approximately 1.6 million paying customers as of 2024.
LastPass previously experienced a data breach in 2022, in which hackers stole the entire store of the company’s customer password vault, which is used to store their sensitive credentials, such as passwords, tokens, and other personal and credit card numbers.
While the vaults were encrypted with a master password known only to the customer, the breach allowed hackers to crack the vault offline using the weakest master password and subsequently access the secrets inside. Many crypto thefts later Linked to the LastPass breach When hackers were suspected of breaking into the victim’s password vault and stealing his wallet keys.
Clue CEO Jason Smith said in a blog post that the company had identified the hackers in its system on June 12. A hacking and extortion group called ‘Icarus’ took credit for the breach and publicly threatened to release the stolen data if a ransom was not paid.
Smith did not respond to TechCrunch’s email regarding the incident, including how many customers were affected or whether the company has been in contact with the hackers.
