
LastPass Says Klue OAuth Token Theft Exposed Customer CRM and Support Data

Stolen tokens allowed attackers to query connected Salesforce accounts, prompting public extortion claims and a multivendor law‑enforcement probe.

Overview

  • Klue detected unauthorized activity on June 12 in which a legacy integration credential was used to push token‑harvesting code and collect OAuth tokens that Klue, as a trusted integration, held for customers.
  • LastPass confirmed on June 23 that attackers used those stolen tokens to access its Salesforce environment and copy customer names, phone numbers, email and postal addresses, support case records, and sales/CRM data.
  • An extortion group calling itself Icarus has claimed responsibility and posted victim lists on a Tor leak site while affected companies face ransom pressure.
  • LastPass and other victims disabled Klue integrations, revoked and rotated exposed OAuth tokens, published indicators of compromise, notified law enforcement, and are conducting joint forensic investigations with Klue and Salesforce.
  • Security teams warn that the exposed CRM and support data greatly raises phishing and social‑engineering risk for customers. The incident has also renewed calls for stricter vendor credential lifecycle controls and tighter third‑party access governance, given the systemic risks of connected SaaS integrations.