Once again, LastPass users’ personal data ends up in the wrong hands
Anyone who entrusts their credentials to a password manager expects the boundary of their privacy to extend no further than that company’s own servers. The incident involving LastPass this week is a reminder that the boundary is often far more porous: the breach hit not LastPass itself but Klue, a third-party marketing firm whose systems LastPass had integrated into its support infrastructure.
According to the official LastPass statement, Klue was breached on 11 June 2026. The stolen data includes names, phone numbers, email addresses, physical addresses, support case data, and commercial information. LastPass stated that password vaults remain intact and that its products and infrastructure were not compromised.
Responsibility for the attack was claimed by the group Icarus, which has already contacted some users threatening to make the data public. LastPass has warned its user base to watch for phishing attempts and social engineering that could exploit the already-exfiltrated information to gain further access.
The company’s history weighs on its reputation. In 2022, LastPass suffered a series of breaches that led to the compromise of the encrypted vaults of millions of users. According to analyses published by on-chain investigator ZachXBT, those stolen credentials were subsequently used to drain tens of millions of dollars from more than sixty identified victims. The best-known case involves Ripple co-founder Chris Larsen, who reportedly lost 150 million dollars in cryptocurrency after his private keys were exfiltrated through LastPass. In December 2025, the British ICO fined LastPass 1.2 million pounds over the 2022 breach, ruling that the company had adopted insufficient technical measures to protect its backup database, which had exposed 1.6 million UK users.





