LastPass Data Breach Exposes Customer Support Case Details Again
LastPass revealed a June 2026 breach that exposed customer support case data after a hack at Klue.
Why it matters: Legal professionals depend on LastPass for protecting sensitive client and firm data. Recurring breaches risk eroding trust and indicate a need to reassess cybersecurity protocols in legal tech.
- Hackers stole customer support case data including names, contacts, and sales info after the Klue breach on June 12, 2026.
- LastPass confirms its infrastructure and password vaults remain secure despite the incident.
- The hacking group Icarus threatens to release stolen data unless a ransom is paid.
- LastPass suffered a more severe breach in 2022, exposing password vaults and resulting in $35 million in cryptocurrency thefts.
On June 23, 2026, LastPass disclosed that hackers accessed customer support case data through a breach at its technology partner, Klue, identified on June 12. The stolen information includes customers' names, phone numbers, email addresses, physical addresses, support case details, and sales-related data. Despite the exposure, LastPass confirmed that its own systems and customers' password vaults were unaffected by this recent incident (TechCrunch).
The Klue hack involves the Icarus group, which has publicly threatened to release the stolen data unless a ransom is paid. LastPass serves over 33 million users globally, including about 1.6 million paying customers who depend on its service to secure sensitive and confidential information critical to industries such as legal and financial services.
This is the second major data breach involving LastPass in recent years. The previous breach, in August 2022, compromised customer password vaults, facilitating the theft of approximately $35 million in cryptocurrencies. That incident prompted significant scrutiny, including a £31.2 million fine from the UK Information Commissioner's Office in December 2025 for inadequate security measures affecting 1.6 million users (TechRadar).
John Edwards, the UK Information Commissioner, stated, "LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today."
Legal firms and professionals relying on LastPass for password and data security should reevaluate their cybersecurity strategies in light of these repeated breaches, focusing on multi-layered protections that go beyond reliance on a single vendor.
By the numbers:
- 33 million users — LastPass's global user base as of 2024
- $35 million — cryptocurrency thefts resulting from the 2022 LastPass breach
- £31.2 million — fine imposed on LastPass by UK regulator in December 2025
Yes, but: LastPass confirms that the recent breach did not affect its infrastructure or password vaults, limiting immediate risk to stored passwords.
What's next: Customers await potential updates on whether stolen support case data will be publicly released or used maliciously, following Icarus's ransom threats.