Canadian Cyber Security Journal
Filed under: TechTalk

LastPass Breach via Klue Supply Chain Attack: What the Expanding Icarus Victim List Means for Canadian Enterprises

What Happened

LastPass disclosed on June 23, 2026 that attackers accessed customer data from its Salesforce environment as a direct result of the Klue supply chain attack executed by the Icarus extortion group. The stolen data includes customer names, phone numbers, email addresses, physical addresses, and the full contents of customer support case interactions. LastPass confirmed that its products, services, infrastructure, and customer vaults were not compromised — only data held by Klue within the Salesforce integration was affected.

The Klue breach began when Icarus obtained legacy service account credentials for an integration service and used them to steal OAuth tokens that Klue held on behalf of its customers. Those tokens gave the attackers read access to connected Salesforce environments. LastPass joins a growing list of confirmed victims that now includes Gong, HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, and Insurity. Icarus released portions of the stolen data on June 22 after ransom demands were not met.

Why This Matters for Canadian Organizations

The Klue breach now touches password management infrastructure — LastPass is deployed across thousands of enterprise and government environments in Canada. While customer vaults remain intact, the exposure of customer support case data is significant: support interactions frequently contain environment details, configuration specifics, and in some cases partial credential information. Security teams should treat any LastPass support case filed before the breach as potentially reviewed by a third party.

More broadly, this incident demonstrates the compounding risk of SaaS supply chains. A single compromised vendor — Klue — yielded OAuth tokens giving attackers access to Salesforce environments at a dozen or more major organizations simultaneously. For Canadian enterprises, this is a direct test of OSFI B-13’s third-party risk management requirements and PIPEDA’s breach notification obligations. Any Canadian organization using one of the confirmed victim vendors — particularly Gong for sales intelligence, Huntress for managed security, or Jamf for Apple device management — should assess what data those vendors held and whether a reportable breach occurred.

The Icarus group’s exploitation of legacy service account OAuth tokens highlights a persistent gap in enterprise SaaS governance: credentials issued for integrations years ago that accumulate permissions over time and are rarely rotated or scoped down. Canadian organizations operating under OSFI B-13 are required to maintain a current inventory of third-party access and apply least-privilege principles to service accounts — this breach is a direct consequence of gaps in that practice.

What to Do

Audit all OAuth tokens and service account credentials used in Salesforce integrations and revoke any that are no longer in active use or lack documentation of their original purpose. Rotate tokens for any vendor confirmed as a Klue customer. If your organization uses LastPass, review the scope of any open or recently closed support cases for sensitive content. Check whether any of the confirmed victim vendors — Gong, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, Insurity — process personal data belonging to Canadian individuals, and assess PIPEDA notification requirements accordingly. Apply an OAuth access review cycle to all SaaS integrations with quarterly rotation of long-lived tokens.
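The audit-and-revoke cycle above, as an added example that is not from the article or from any vendor named in it: the script triages Salesforce OAuth token records (field names mirror Salesforce's OauthToken object) into revoke, rotate or keep, using the victim list from this article; the integration register and the sample records are constructed assumptions.

```python
"""Triage Salesforce OAuth tokens after the Klue incident (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Vendors the article names as confirmed Klue victims; matched against the app name.
KLUE_VICTIM_VENDORS = ("gong", "hackerone", "huntress", "jamf", "onetrust", "recorded future",
                       "snyk", "sprout social", "tanium", "insurity", "lastpass")

# Assumed integration register (not from the article): app name -> documented purpose/owner.
INVENTORY = {
    "Gong Sales Intelligence": "Call analytics for sales ops; owner: revops",
    "Internal ETL Loader": "Nightly warehouse export; owner: data platform",
}
@dataclass
class OauthToken:
    app_name: str                  # AppName
    user_id: str                   # UserId
    last_used: Optional[datetime]  # LastUsedDate; None means never used
    use_count: int                 # UseCount

def triage(token: OauthToken, now: datetime, stale_days: int = 90) -> Tuple[str, str]:
    """Return (action, reason); action is 'revoke', 'rotate' or 'keep'."""
    # Revoke first: unused or undocumented tokens go regardless of vendor.
    if token.last_used is None or now - token.last_used > timedelta(days=stale_days):
        return "revoke", f"not used in the last {stale_days} days"
    if token.app_name not in INVENTORY:
        return "revoke", "no documented purpose in the integration register"
    # Then rotate anything issued to a vendor on the confirmed victim list.
    if any(v in token.app_name.lower() for v in KLUE_VICTIM_VENDORS):
        return "rotate", "vendor is a confirmed Klue victim"
    return "keep", "documented, active, and not linked to a Klue victim"

def triage_all(tokens: List[OauthToken], now: datetime) -> Dict[str, Tuple[str, str]]:
    """Map each app name to its triage decision."""
    return {t.app_name: triage(t, now) for t in tokens}

# Constructed sample records standing in for a SOQL query over OauthToken.
SAMPLE_NOW = datetime(2026, 6, 24, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    OauthToken("Gong Sales Intelligence", "user-1", SAMPLE_NOW - timedelta(days=2), 412),
    OauthToken("Internal ETL Loader", "user-2", SAMPLE_NOW - timedelta(days=1), 90),
    OauthToken("Legacy Marketing Sync", "user-3", SAMPLE_NOW - timedelta(days=3), 7),
    OauthToken("Tanium Asset Feed", "user-4", None, 0),
]

if __name__ == "__main__":
    for app, (action, reason) in triage_all(SAMPLE_TOKENS, SAMPLE_NOW).items():
        print(f"{action:<6} {app}: {reason}")
```

In a live environment the records would come from a SOQL query over OauthToken and the "revoke" decisions would be applied by deleting those token records; the decision logic here is the same.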

Source: BleepingComputer
