LastPass notifies users of yet another data breach

508 points · 223 comments on HN · read original →

Points and comments are a snapshot, not live.

LastPass warns of breach via third-party Klue, exposing CRM data.

LastPass notified users of a data breach originating at Klue, a market research firm integrated with its Salesforce and Gong systems. Hackers accessed standard business contact information, including names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data. LastPass said no password vaults were affected. The company revoked employee access to Klue, rotated API tokens, and notified law enforcement. It advised customers to watch for phishing attacks and shared attacker IP addresses and email sender domains.

What commenters are saying

The thread is sharply critical of LastPass, viewing this as another security failure for a company whose core product is secrecy. Many commenters argue the breach, though limited to CRM data, reflects poor operational security, pointing to LastPass's reliance on third-party integrations like Salesforce. Some defend that vaults remain secure, but the dominant sentiment is that trust is eroded. Several advocate for offline password managers like KeePass or local-first solutions as safer alternatives, citing that cloud-based managers become high-value targets with systemic risk.