Forgot your password?
typodupeerror
Privacy Security

LastPass Says Hackers Stole Customer Support Case Data During Klue Breach (techcrunch.com) 22

LastPass says hackers stole customers' personal information, support case records, and sales data by breaching market research partner Klue. The password manager told TechCrunch that its own systems and password vaults were unaffected. However, the hackers used their access to obtain "reams of data about LastPass customers," the report says. From the report: In a blog post that shared information about the incident, LastPass said the hackers took customers' names, phone numbers, email addresses, and physical addresses, as well as customer support case data and sales-related data. It's not yet known what was in the contents of customer support tickets, although they likely contain fragments of potentially private or sensitive information. Customers typically contact customer service when they are having a billing issue or need assistance in gaining access to their accounts. Past incidents involving customer support tickets have included credentials and government-issued identity documents. The last data breach LastPass reported was in 2022, when hackers stole the company's entire store of customer password vaults.

LastPass Says Hackers Stole Customer Support Case Data During Klue Breach

Comments Filter:
  • by JoeyRox ( 2711699 ) on Thursday June 25, 2026 @03:08PM (#66210686)
    Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack at one of its technology partners, marking the company's latest data breach in recent years.

    The expression "when you have sex with someone, you're having sex with every one of their partners as well" appears to apply to security software providers as well.
  • I guess ... (Score:4, Funny)

    by PPH ( 736903 ) on Thursday June 25, 2026 @03:09PM (#66210688)

    ... LastPass is Klue-less.

  • by Valgrus Thunderaxe ( 8769977 ) on Thursday June 25, 2026 @03:10PM (#66210692)
    put all your passwords on someone else's computer.
  • by crunchy_one ( 1047426 ) on Thursday June 25, 2026 @03:22PM (#66210718)
    I'd wager a guess that this information includes the accounts that the customer is using LastPass to store passwords for. Even without the passwords themselves, this could be some really juicy blackmail material.
    • "I'd wager a guess that this information includes the accounts that the customer is using LastPass to store passwords for."

      On what basis would you make that wager? Do you have information that was not released?

  • I've seen enough (Score:4, Informative)

    by Arrogant-Bastard ( 141720 ) on Thursday June 25, 2026 @04:09PM (#66210786)
    Although to be more precise: I saw enough about LastPass years ago. This is the N'th security incident that they've publicly admitted. No doubt the number of incidents they're aware of is higher, and no doubt the number of incidents they're not aware of is still higher.

    I think at this point it's safe to presume that any information shared with LastPass has been compromised or will be compromised shortly. Part of that is because they're incompetent, but most of it is because there's no way for any operation to do what they've set out to do: the threat model is completely against them. What they've built is one-stop shopping for attackers, so it's worth much more time, money, attention, and risk than many other operations. Obviously attackers know this and have planned/executed accordingly.

    The right thing to do -- which won't happen because almost nobody does the right thing -- is to admit failure, issue refunds, and shut down.
    • I was a fan of LastPass for many years, but boy, they *systematically* ate through my willingness to support them. The basic concept of cloud-based password safes is entirely sound, so data breaches don't really worry me, but their flawed partition between cleartext and encrypted data, the sheer number of incidents and vulnerability reports (including in their crown jewels, the client software) and above all their tendency to deny and withhold and trickle out details in an attempt to save face, make them a

    • by kriston ( 7886 )

      But, umm, the actual password data is encrypted with a key that only the customers have access to.

  • And now, here's Baghdad Bob to explain that LastPass was never hacked, ever. That hacking LastPass is a complete impossibility. That it's all lies from imperial western password companies.

  • Number 6! (Score:4, Informative)

    by gabrieltss ( 64078 ) on Thursday June 25, 2026 @04:25PM (#66210838)
    This makes the 6th data breach they have had. Why anyone would still be using them is a total mystery to me!

    There are roughly five -publicly- disclosed security incidents (how many not publicly disclosed?):
    2011
    2015 - one of the two of the worst
    2016
    2017
    2022 - 2023 - the worst


    Now you can add 2026 to the list
    • Absolutely, I left before the 2022 breach, but at this point you knew it was coming. They lack any form of acceptable security of privacy understanding, and yet again, they completely violated their users.
    • "This makes the 6th data breach they have had."

      This makes the 6th data breach that they've detected and admitted to.

  • by Murdoch5 ( 1563847 ) on Thursday June 25, 2026 @05:21PM (#66210952) Homepage
    The last time Last Pass was hacked, they intentionally surrendered the personal data of their customers. They claim the vaults were encrypted, but honestly, can you trust them? We already know their customer service and communication standards were / are, horrific, lacking any use of PGP, or similar security mechanisms. Once their last hack took place, that was a flashing red alert to jump ship, frankly anyone who stayed behind, knew this was coming again.

    The problem now seems to be that the company committing mass digital molestation was hacked, who should not have had anything stored, so what does it really say about Last Pass? They're admitting they did not store the data using any form of acceptable security, and they've already surrendered password vaults, so will people jump ship now?

    Security and privacy claims are useless if you constantly demonstrate that your entire security understanding is putting the wallet inside the shoe when you're at the beach.
  • Isn't this at least the 2nd breech they've recently had?
  • All these forced centrally-stored passwordmanagers failing and falling like flies over and over again, but still forcing customers into their subscriptions and storing the most sensitive data centrally on their servers.
    This insane trend needs to finally stop.

  • How in the world are these buffoons still in business?

As far as the laws of mathematics refer to reality, they are not certain, and as far as they are certain, they do not refer to reality. -- Albert Einstein

Working...