LastPass was just breached for the third time in 11 years.
The good news is hackers didn’t reach LastPass's password vaults. The bad news is that your personal information has been exposed, including your name, phone number, email address, home address, and the contents of any support conversations you have had with LastPass.[1]
That combination of personal data is all a scammer needs to launch phishing attacks. Since they know you’re a LastPass customer, they can send you an email that looks like it comes directly from LastPass, and you’ll be more likely to trust it. They’d also know what you called about in the past and where you live, making you an easy target for identity theft.
Here's a look at how the data breach happened, what you can do right now to protect yourself, and whether you should still trust LastPass.
How the Klue supply chain attack put LastPass customer data in criminal hands
The data breach did not originate at LastPass. It started at Klue, a market intelligence platform that LastPass's internal sales and marketing teams used. Customers never interacted with Klue directly, which is what makes supply chain attacks so disorienting: you can do everything right in your own account and still end up in a breach notice.
Here’s how it worked. Klue's software connects to business tools like Salesforce using OAuth tokens, a type of digital key that lets one app communicate with another. On June 12, attackers used a compromised legacy password to gain access to Klue's systems. From there, they stole digital keys from many of Klue's customers and used them to access their connected Salesforce accounts, including LastPass's.
According to LastPass, the data accessed included customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related CRM records. There's no evidence that the attackers accessed any call recordings or emails.
LastPass has since revoked employee access to Klue, rotated the exposed tokens, and notified law enforcement.
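As an added illustration (not code from LastPass, Klue or Salesforce), the Python below shows how a company can review how its third-party integration tokens are being used and pick out the ones to revoke and rotate. The log fields, app names, token ids, addresses and thresholds are all constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: API calls made with third-party integration tokens.
# App names, token ids, fields and addresses are invented for this example.
EVENTS = [
    {"ts": "2026-06-10T09:00Z", "app": "vendor-intel", "token": "tok-A",
     "ip": "198.51.100.10", "records": 40},
    {"ts": "2026-06-13T02:14Z", "app": "vendor-intel", "token": "tok-A",
     "ip": "203.0.113.77", "records": 25000},
    {"ts": "2026-06-13T08:30Z", "app": "billing-sync", "token": "tok-B",
     "ip": "192.0.2.5", "records": 12},
    {"ts": "2026-06-14T11:05Z", "app": "old-plugin", "token": "tok-C",
     "ip": "192.0.2.9", "records": 3},
]

# Assumed baseline: networks each approved integration calls from, and the
# largest number of records one call normally reads.
BASELINE = {
    "vendor-intel": {"nets": ["198.51.100.0/24"], "max_records": 500},
    "billing-sync": {"nets": ["192.0.2.0/24"], "max_records": 100},
}


def review(events, baseline):
    """Return {token: [reasons]} for tokens used outside their baseline."""
    findings = defaultdict(list)
    for e in events:
        base = baseline.get(e["app"])
        if base is None:
            findings[e["token"]].append(f"{e['ts']} unapproved integration {e['app']}")
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in ipaddress.ip_network(n) for n in base["nets"]):
            findings[e["token"]].append(f"{e['ts']} call from unexpected address {e['ip']}")
        if e["records"] > base["max_records"]:
            findings[e["token"]].append(f"{e['ts']} read {e['records']} records")
    return dict(findings)


def tokens_to_rotate(events, baseline):
    """Tokens with at least one finding: candidates to revoke and reissue."""
    return sorted(review(events, baseline))


if __name__ == "__main__":
    for token, reasons in review(EVENTS, BASELINE).items():
        print(token, *reasons, sep="\n  ")
```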
The hacking and extortion group Icarus claimed credit for the attack and threatened to release the stolen data unless a ransom was paid. LastPass is not the only target: more than two dozen other organizations, including BeyondTrust, HackerOne, Recorded Future, and Tanium, have confirmed their Salesforce data was also accessed in the same operation.
Three breaches in 11 years: What LastPass's track record actually tells you
This isn't the first, or even the second, time LastPass customers have been caught in a data exposure event, and that history shapes how to read this one.
In 2015, hackers breached LastPass's servers and obtained account email addresses, password reminders, authentication hashes, and cryptographic salts. Encrypted vaults were not accessed that time.
The 2022 breach was more serious and unfolded in two stages. In August, an attacker compromised a developer's account and stole source code and internal technical information. The attacker then used that foothold to break into cloud backups containing customer password vaults, along with unencrypted data including names, billing addresses, email addresses, and phone numbers. The vaults were encrypted, but security researchers warned that anyone with a weak master password was at risk of having their vault cracked offline. Several cryptocurrency thefts were later linked to the LastPass breach by security reporter Brian Krebs.
The 2026 breach is narrower in scope. LastPass password vaults weren't compromised, and the attacker's access was limited to what LastPass had stored in a third-party CRM. But one question remains unanswered: what was inside those customer support tickets?
LastPass hasn't disclosed the specific contents of the accessed cases. In past support ticket breaches at other companies, investigators have found credentials, government-issued IDs, and account recovery details shared through support channels. But even with password vaults secure, LastPass customers still need to take measures to protect against identity theft.
What to do right now after the LastPass data breach
Your immediate risk from this breach is phishing, not a compromised vault. Attackers now have enough personal information to impersonate LastPass convincingly by email, text, or phone.
1. Watch for phishing that uses your real information. Generic scam emails are easy to spot. Messages that include your full name, home address, and phone number are not. Be skeptical of any unsolicited contact that references your LastPass account, asks you to verify your identity, or prompts you to click a link to secure your account.
2. Do not share your master password with anyone. LastPass has explicitly stated it will never ask for it. Any email, call, or message requesting your master password is a scam, regardless of how official it appears.
3. Think back on what you shared in support tickets. If you have ever contacted LastPass customer service, consider what you may have provided in that conversation: billing details, account recovery options, or information about accessing your account. The contents of those tickets are unknown. Your risk depends on your history with their support team.
4. Consider switching to a password manager with a stronger security record. Three breaches in 11 years are a reasonable trigger for reconsidering where to store your passwords. What to look for in a secure password manager provider: a zero-knowledge architecture (meaning the company cannot access your vault even if it wanted to), a history of independent security audits, and no prior breach history. 1Password meets all three criteria and has never reported a breach. Not sure where to start? Our 1Password vs. LastPass breakdown covers the key differences.
What these data breaches mean for you going forward
The latest LastPass data breach hasn't exposed your passwords. By that measure, it's less damaging than the 2022 LastPass incident. But "less severe than the worst case" is a low bar for a product that holds millions of people's most sensitive credentials.
What is true right now: your contact information is in criminal hands, a targeted phishing campaign is a realistic near-term risk, and the full contents of the accessed support tickets remain undisclosed. What is also true: LastPass acted quickly, vaults are intact, and the entry point was a third-party vendor rather than LastPass's own systems.
Whether that record is acceptable is a judgment call. If it isn't, switching to one of the best password managers has never been more straightforward.
You can also learn more about our firsthand testing experience in our LastPass review.