LastPass customer info leaked again after third-party data breach
LastPass, the password manager that inadvertently facilitated the theft of $150 million in crypto from Ripple co-founder Chris Larsen, is now warning users that their personal information was stolen via an attack on third-party market firm Klue.
The company emailed its customers this week to inform them that Klue was breached on June 11 and that data including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data, had been stolen.
Despite this, LastPass stressed that the incident affects only Klue-integrated systems and that “LastPass products, services, and infrastructure were not impacted in any way and customer vaults remain secure.”
Multiple cybersecurity firms reliant on Klue have also seen customer data leaked.
The cybercrime group Icarus claimed responsibility for the breach and is reaching out to users and threatening to leak their data.
LastPass users have been warned to stay vigilant about social engineering and phishing attacks that may attempt to swindle them out of more information and funds.
LastPass’s 2022 breach cost Ripple co-founder $150M
LastPass suffered multiple major breaches in 2022 that saw sensitive data stolen from customers’ password vaults.
Crypto sleuth ZachXBT noted in 2024 that a threat actor was able to use data from this breach to steal $5.4 million worth of crypto from over 40 addresses.
Prior to this, in 2023, ZachXBT also reported that roughly $4.4 million was drained from over 25 victims because of the 2022 breach.
Possibly the biggest theft from LastPass involved Ripple co-founder Chris Larsen, who lost $150 million worth of crypto after his private keys were leaked in the 2022 breach.
Two people behind a $389 million cryptocurrency laundering service dubbed “AudiA6” have also, according to ZachXBT, helped launder stolen funds from LastPass users.
LastPass was fined £1.2 million by the UK’s Information Commissioner’s Office last year over the 2022 data breach.
The body claimed the breach impacted 1.6 million UK users, and that LastPass “failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database.”