On June 12, 2026, LastPass disclosed another data breach, this time not through a direct compromise of its own systems but through Klue, a market intelligence platform used internally by its go-to-market teams. The vector was a supply chain attack mediated by stolen OAuth tokens: attackers breached Klue via a dormant legacy credential, harvested the OAuth tokens Klue held on behalf of its customers, and used those tokens to access LastPass’s Salesforce environment and exfiltrate CRM data.
A password manager, the product people trust with their most sensitive credentials, was compromised because of a credential nobody remembered to delete. This was not LastPass’s first breach. Since 2011, LastPass has experienced and disclosed eight security breaches, with the 2022 breach the most famous of them all, and its consequences still being felt to this day.
LastPass Breach History
LastPass has an unusually long breach history for a company whose core business is protecting credentials, with eight confirmed breaches since 2011. The most consequential came in 2022, when attackers exfiltrated the company’s entire customer password vault store. The stolen vault contents fuelled multi-year theft campaigns: hackers stole an estimated tens of millions in digital assets from over 40 distinct addresses in 2024 alone, including $150 million worth of cryptocurrency from Ripple co-founder Chris Larsen. Let’s briefly recall how the 2022 breach happened before diving into the June 2026 breach analysis, since the two share some details.
A look back at the 2022 breach
The attack happened in two stages, in August and November 2022. LastPass published several updates as its investigation continued, including disclosures in August 2022, December 2022, and March 2023.
Phase 1: August 2022
Attackers compromised a LastPass developer’s account and gained access to the company’s development environment. They stole source code, technical documentation, embedded credentials, internal secrets, and information about LastPass’s cloud architecture.
LastPass had initially reported that no customer data or password vaults had been accessed. However, the information stolen during this first intrusion gave the attackers a detailed understanding of the company’s internal infrastructure.
Sounds similar to the latest breach, doesn’t it? In the second phase, after analyzing what they had learned about the internal environment, the attackers returned and executed a devastating attack.
Phase 2: November 2022
After analyzing the information stolen in August, the attackers returned and targeted a senior LastPass DevOps engineer. The engineer’s personal computer was running an outdated version of Plex Media Server that was vulnerable to CVE-2020-5741, a remote code execution vulnerability disclosed two years earlier. The attackers exploited the software and installed keylogger malware on the computer.
The keylogger captured the engineer’s master password when it was entered. This allowed the attackers to access the engineer’s corporate LastPass vault, which contained credentials for LastPass’s cloud backup environment. Using those credentials, the attackers accessed and exfiltrated customer information, cloud storage data, and backups of customer password vaults.
The stolen vault backups contained both encrypted and unencrypted information.
- Encrypted: passwords, usernames, secure notes
- Unencrypted: URLs, file paths to installed LastPass Windows or macOS software, and in some cases email addresses, IP addresses and telephone numbers
A natural question arises: “Why didn’t the EDR catch the keylogger?” LastPass acknowledged that an EDR was present on the compromised endpoint but stated that it had been tampered with and did not trigger.
Common methods attackers use to bypass/tamper EDRs
| Technique | Description |
|---|---|
| Abusing legitimate uninstallers | Running uninstaller tools with admin privileges to remove the EDR cleanly. |
| Bring Your Own Vulnerable Driver (BYOVD) | Loading a vulnerable kernel driver to gain kernel-level access and disable EDR system callbacks. |
| Direct syscalls (Hell’s/Heaven’s/Tartarus’ Gate) | Bypassing user-mode EDR hooks by calling system calls directly instead of going through monitored APIs. |
| Process injection and PPID spoofing | Hiding malicious activity inside legitimate processes and spoofing parent process IDs to avoid behavioral detection. |
| ETW patching | Modifying or removing Windows Event Tracing provider functions that EDR agents depend on for telemetry. |
| API unhooking | Restoring original ntdll.dll bytes in memory to surgically remove EDR inline hooks, as opposed to routing around them via direct syscalls. |
| DLL sideloading | Placing a malicious library in the search path of a legitimate signed application so execution inherits the application’s trusted reputation. |
So even a fully managed endpoint is not safe: the techniques above are specifically designed to neutralize the EDR before or during execution.
Mitigating the Risk with Unixi
Since a keylogger is malware designed to record every key pressed on a keyboard, and is therefore used by attackers to steal credentials (which is exactly how they did it here), let’s consider how this could have played out in a Unixi-protected environment. Unixi’s KDA architecture removes the reusable application credential from the user’s login flow. There is also no centralized password vault for attackers to steal and attempt to crack later. Instead of requiring the user to type or manage a password, Unixi derives an application-specific authentication secret at login and completes the authentication process automatically. As a result, a keylogger would not be able to capture a reusable application password because the user never types or sees one. Read this blog to learn more about Unixi’s KDA.
Analysis of the June 2026 LastPass Breach
Icarus, a financially motivated extortion group active since April 2026, targeted Klue rather than LastPass directly. Klue’s Battlecards product integrates with Salesforce, Gong, HubSpot, SharePoint, and Slack across dozens of enterprise environments, so one successful compromise of its integration layer could provide access to all of these platforms simultaneously, making it a single point of failure. Unlike the 2022 breach, in which LastPass was compromised directly, this time LastPass was hit by a supply chain attack through a trusted third party: attackers compromised Klue and abused Klue’s authorized OAuth connection to access data in LastPass’s Salesforce tenant.
Initial Access – T1078.004 & T1199 & T1528
On June 11, Icarus accessed Klue’s backend (T1199) using a valid legacy service account credential (T1078.004). The credential had been created for a prototype integration that was never released, but it was never disabled either. The attackers simply used an old credential that Klue still accepted as valid.

The credential already provided sufficient access for the attacker to insert unauthorized (malicious) code into Klue’s integration infrastructure, which was then used to obtain the OAuth tokens that Klue held or generated for connected customer platforms (T1528). The injected code systematically harvested those tokens, giving Icarus delegated access across every connected customer environment at once. Rather than compromising each customer separately, the attacker abused Klue’s established trust relationships and inherited the access already granted to its integration. Each stolen token bypassed MFA entirely: no further authentication step was required at LastPass’s Salesforce environment, and the API traffic blended in with legitimate Klue queries.
Lateral Movement & Discovery – T1550.001 & T1526
Icarus replayed the stolen tokens directly against the Salesforce REST API (T1550.001). From Salesforce’s perspective the requests were legitimate – valid token, correct permissions, normal integration source. Before bulk extraction, the attacker enumerated each environment’s object catalog via GET /services/data/v59.0/sobjects, mapping the available schema to inform query structure and prioritize targets across victim environments (T1526).
Exfiltration – T1530 & T1567.002
The attacker collected CRM records through automated SOQL requests to /services/data/v59.0/query and retrieved complete result sets through Salesforce QueryMore pagination (T1530). The malicious sessions, which identified themselves with the user agents python-urllib/3.12 and python-urllib/3.14, made paginated REST queries via the QueryMore cursor; three distinct patterns were observed: a 24-hour slow pull paced to blend with normal integration traffic; a fifteen-minute burst of nearly a thousand queries trading stealth for speed; and a six-hour sustained pull in a third environment (T1567.002).
Data pulled from LastPass’s Salesforce environment included customer names, phone numbers, email addresses, physical addresses, and support case history. Password vaults were not touched.
Post-Exploitation – T1657
By June 22, stolen data appeared on Icarus’s dark web leak site.

Extortion emails followed from spoofed domains (baccarat.com[.]au, robinskitchen.com[.]au, house.com[.]au). LastPass also published four attacker IPs as indicators for threat hunting: 138.226.246[.]94, 94.154.32[.]160, 159.183.215[.]61, 159.183.181[.]239.
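As an added example (not code from the original post, LastPass, Klue or Unixi), the following Python script hunts for the Discovery, Exfiltration and indicator material described in the sections above in Salesforce API activity: scripted user agents, schema enumeration before querying, QueryMore pagination, query bursts inside a fifteen-minute window, and requests from the four attacker IPs LastPass published or from outside the integration’s known egress addresses. The log records are constructed, their field names are a simplified assumption rather than the Salesforce Event Monitoring schema, and the Klue egress address and user agent are placeholders.

```python
"""Hunt for OAuth token replay and bulk CRM extraction in Salesforce API activity.

Added example; not code from the original post, LastPass, Klue or Unixi.
Log records are constructed. Field names (session_id, client_ip, user_agent,
timestamp, uri) are a simplified assumption, not the Salesforce Event
Monitoring schema. The Klue egress IP and user agent are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Attacker IPs published by LastPass as indicators (defanging brackets removed).
ATTACKER_IPS = {"138.226.246.94", "94.154.32.160", "159.183.215.61", "159.183.181.239"}
# Assumed egress address of the legitimate Klue integration (placeholder, RFC 5737 range).
INTEGRATION_ALLOWLIST = {"203.0.113.10"}
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 50   # this many query requests inside BURST_WINDOW counts as a bulk pull

SOBJECTS = "/services/data/v59.0/sobjects"
QUERY = "/services/data/v59.0/query?q=SELECT+Id,Name,Email+FROM+Contact"
QUERYMORE = "/services/data/v59.0/query/01gPLACEHOLDER-2000"   # QueryMore locator (constructed)


def _event(session_id, ip, ua, ts, uri):
    return {"session_id": session_id, "client_ip": ip, "user_agent": ua,
            "timestamp": ts, "uri": uri}


def build_sample_rows():
    """Constructed API events for three sessions; not real log data."""
    base = datetime(2026, 6, 11, 8, 0, 0)
    rows = []
    # Legitimate Klue integration: a few queries an hour apart from its known egress IP.
    for i in range(5):
        rows.append(_event("sess-klue", "203.0.113.10", "Klue-Integration/2.1",
                           base + timedelta(hours=i), QUERY))
    # Replayed token, burst pattern: enumerate the schema, one SOQL query, then a
    # QueryMore page every ten seconds (60 requests in under ten minutes).
    ip, ua = "138.226.246.94", "python-urllib/3.12"
    rows.append(_event("sess-burst", ip, ua, base, SOBJECTS))
    rows.append(_event("sess-burst", ip, ua, base + timedelta(seconds=5), QUERY))
    for i in range(1, 60):
        rows.append(_event("sess-burst", ip, ua, base + timedelta(seconds=5 + 10 * i), QUERYMORE))
    # Replayed token, slow pull: the same sequence paced at one page every 48 minutes for a day.
    ip, ua = "198.51.100.7", "python-urllib/3.14"
    rows.append(_event("sess-slow", ip, ua, base, SOBJECTS))
    rows.append(_event("sess-slow", ip, ua, base + timedelta(minutes=1), QUERY))
    for i in range(1, 30):
        rows.append(_event("sess-slow", ip, ua, base + timedelta(minutes=1 + 48 * i), QUERYMORE))
    return rows


def max_requests_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(rows):
    """Return {session_id: sorted list of detection reasons}; an empty list means nothing flagged."""
    sessions = defaultdict(list)
    for r in rows:
        sessions[r["session_id"]].append(r)
    findings = {}
    for sid, events in sessions.items():
        events.sort(key=lambda e: e["timestamp"])
        reasons = set()
        ips = {e["client_ip"] for e in events}
        if ips & ATTACKER_IPS:
            reasons.add("known_ioc_ip")
        if ips - INTEGRATION_ALLOWLIST:
            reasons.add("ip_not_in_integration_allowlist")
        if any(e["user_agent"].lower().startswith("python-urllib") for e in events):
            reasons.add("scripted_user_agent")
        uris = [e["uri"] for e in events]
        query_idx = [i for i, u in enumerate(uris) if "/query" in u]
        # Object-catalog enumeration that precedes the first query is the T1526 pattern.
        if query_idx and any(u.endswith("/sobjects") for u in uris[:query_idx[0]]):
            reasons.add("schema_enumeration_before_query")
        # A locator path under /query/ is a QueryMore page fetch.
        if any("/query/" in u for u in uris):
            reasons.add("querymore_pagination")
        query_times = [events[i]["timestamp"] for i in query_idx]
        if max_requests_in_window(query_times, BURST_WINDOW) >= BURST_THRESHOLD:
            reasons.add("query_burst")
        findings[sid] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for sid, reasons in analyze(build_sample_rows()).items():
        print(f"{sid}: {', '.join(reasons) or 'no findings'}")
```

The slow-pull session is the instructive case: paced at one page every 48 minutes it never trips the burst threshold, so a rate-only rule would miss it, and it is the source-address allowlist and the scripted user agent that surface it. Because a replayed token is indistinguishable from the real integration at the authentication layer, the checks have to operate on where the traffic comes from and how it behaves rather than on whether the token is valid.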
MITRE ATT&CK Mapping
- T1078.004 – Valid Accounts: Cloud Accounts
- T1199 – Trusted Relationship
- T1528 – Steal Application Access Token
- T1550.001 – Use Alternate Authentication Material: Application Access Token
- T1526 – Cloud Service Discovery
- T1530 – Data from Cloud Storage
- T1567.002 – Exfiltration Over Web Service
- T1657 – Financial Theft
Mitigating Discovery & Governance Risks with Unixi
In the 2026 LastPass incident, the initial foothold was a forgotten Klue integration credential that remained active and was never revoked. Unixi’s Discovery and Lifecycle Management capabilities provide deep visibility into unmanaged access. With automated Lifecycle Management, you can instantly deprovision SaaS accounts when users leave groups or are deleted from your IdP. It’s a powerful way to shrink dormant user access across all Unixi-deployed environments.
If Klue had applied a Unixi-style governance layer to its own identity posture, the legacy credential enabling Icarus’s initial access would have lacked a valid session to exploit.
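As an added example, not Unixi’s product code and not Klue’s actual inventory, the following Python script shows the kind of lifecycle check that would have caught a credential like the one Icarus used: it flags integration credentials that were never used after a grace period, have been idle beyond a limit, belong to an owner who is no longer in the IdP, or back a project that was never released, then disables them and records an audit trail. All inventory records, users, dates and thresholds are constructed.

```python
"""Audit an integration-credential inventory for dormant or orphaned credentials.

Added example; not Unixi's product code and not Klue's real inventory.
The inventory, the IdP user list, the dates and the thresholds are constructed.
"""
from datetime import date, timedelta

TODAY = date(2026, 6, 11)                 # constructed reference date
NEVER_USED_GRACE = timedelta(days=30)     # never-used credentials older than this are flagged
INACTIVITY_LIMIT = timedelta(days=90)     # credentials idle longer than this are flagged

# Users currently present in the identity provider (constructed).
ACTIVE_IDP_USERS = {"alice", "bob"}

# Constructed inventory. The prototype credential whose project was never
# released and whose owner has left mirrors the foothold described in the post.
INVENTORY = [
    {"id": "svc-battlecards-prod", "owner": "alice", "created": date(2026, 1, 15),
     "last_used": date(2026, 6, 10), "project_status": "released", "enabled": True},
    {"id": "svc-prototype-sync", "owner": "carol", "created": date(2025, 9, 1),
     "last_used": None, "project_status": "abandoned", "enabled": True},
    {"id": "svc-reporting", "owner": "bob", "created": date(2025, 11, 20),
     "last_used": date(2026, 2, 1), "project_status": "released", "enabled": True},
    {"id": "svc-old-disabled", "owner": "carol", "created": date(2024, 3, 3),
     "last_used": None, "project_status": "abandoned", "enabled": False},
]


def evaluate(cred, today=TODAY, active_users=ACTIVE_IDP_USERS):
    """Return the list of policy violations for one credential (empty if it is fine)."""
    if not cred["enabled"]:
        return []                         # already revoked, nothing to do
    reasons = []
    if cred["owner"] not in active_users:
        reasons.append("owner_not_in_idp")
    if cred["last_used"] is None:
        # Freshly provisioned credentials get a grace period before "never used" counts.
        if today - cred["created"] > NEVER_USED_GRACE:
            reasons.append("never_used")
    elif today - cred["last_used"] > INACTIVITY_LIMIT:
        reasons.append("inactive")
    if cred["project_status"] != "released":
        reasons.append("project_not_released")
    return reasons


def plan_deprovisioning(inventory, today=TODAY, active_users=ACTIVE_IDP_USERS):
    """Map each credential that should be revoked to the reasons for revoking it."""
    plan = {}
    for cred in inventory:
        reasons = evaluate(cred, today, active_users)
        if reasons:
            plan[cred["id"]] = reasons
    return plan


def apply_plan(inventory, plan, today=TODAY):
    """Disable every credential in the plan and return an audit trail of what was revoked."""
    by_id = {c["id"]: c for c in inventory}
    audit = []
    for cred_id, reasons in plan.items():
        by_id[cred_id]["enabled"] = False
        audit.append({"id": cred_id, "revoked_on": today, "reasons": reasons})
    return audit


if __name__ == "__main__":
    plan = plan_deprovisioning(INVENTORY)
    for entry in apply_plan(INVENTORY, plan):
        print(f"revoked {entry['id']}: {', '.join(entry['reasons'])}")
```

Run against the constructed inventory, the audit revokes the never-used prototype credential on three independent grounds and the reporting credential for inactivity, while the production credential and the already-disabled one are left alone. A second pass after `apply_plan` produces an empty plan, which is the property a scheduled job needs so that it converges instead of re-flagging the same entries.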
As for the 2022 LastPass breach, the structural implication, as elaborated above, is direct: there is no vault to steal, and no password is typed. At login, Unixi derives an application-specific authentication secret and logs in automatically. Because KDA removes the need for a centralized vault of reusable application passwords, and Unixi does not store credentials in a traditional password vault, an attacker would not gain access to a centralized repository of reusable application passwords.
