Woofun AI reports that LastPass disclosed a security incident stemming from its third-party market intelligence partner, Klue. Attackers compromised OAuth tokens held by Klue, leveraging these credentials to infiltrate LastPass's Salesforce CRM system. This unauthorized access resulted in the potential exposure of sensitive business contact information, including customer names, phone numbers, email addresses, home addresses, and support case details.

LastPass confirmed that its core products, infrastructure, and customer password vaults remain unaffected, with Gong system data also intact. In response, the company halted employee access to Klue, rotated exposed API tokens, and initiated a joint investigation with Klue, Salesforce, and law enforcement. While threat intelligence has been shared via the TIME team, users are urged to remain vigilant against phishing attempts exploiting the leaked data, noting that LastPass will never request master passwords.