A third-party supplier breach has exposed LastPass customer names, phone numbers, and other data. Here's how to protect yourself.
Do you use LastPass as your password manager? If so, I've got some bad news. Yes, another data breach, though this one occurred at one of the company's third-party suppliers.
In a Tuesday blog post, LastPass revealed that a breach at a third-party supplier named Klue compromised certain contact and CRM (customer relationship management) data. The stolen information includes customer names, phone numbers, email addresses, and physical addresses, as well as support case and sales-related details. The only saving grace so far is that no master passwords or password vaults were compromised in the breach.
As the blog post explains, Klue is a third-party market research platform used by LastPass to integrate with its Salesforce and Gong systems, allowing it to work with customer data and conduct market research. The hackers were able to snag the OAuth security tokens used by Klue to connect to customer data across these different systems. They then exploited these tokens to steal the LastPass user data stored in Salesforce.
In response to the breach, LastPass explained that it cut off all employee access to Klue, refreshed the exposed tokens, kicked off an investigation in conjunction with Klue and Salesforce, and began working with law enforcement.
The company also announced that it's sharing information with the broader cybersecurity community to help disrupt this latest campaign. Of course, LastPass promised to set up better protections to prevent this type of breach in the future.
