» Unfair Advantage
Daily Brief

LastPass got breached through an app it forgot it connected. Check your own OAuth grants this week

2026-06-24 · Unfair Advantage Editorial

LastPass told customers on Monday that hackers walked off with their names, phone numbers, email and physical addresses, and support-case history. The twist that matters for a small shop: nobody cracked LastPass. The vaults are fine, the master passwords untouched. The attackers got in through Klue, a market-intelligence app that LastPass's sales team had wired into its Salesforce. Klue held OAuth tokens for dozens of its customers; the Icarus extortion crew stole those tokens using old leftover credentials, then used them to read CRM data straight out of each customer's Salesforce. LastPass was one of several caught in the same net, alongside Recorded Future, Tanium, Jamf and Sprout Social.

That is the lesson, and it has nothing to do with password managers. Every time you click "Connect to Salesforce" or "Sign in with Google" to hook up a new tool, you hand that tool a key to your account. The key sits there forever, usually with more access than the job needs, long after you've forgotten the tool exists. You can have airtight passwords and two-factor on everything and still get robbed, because the thief never touches your front door. They walk in through a side app you authorized two years ago and never thought about again.

For a five-person business this is more exposure than it looks. Count the apps you've granted access to your Google Workspace, your CRM, your accounting software, your e-commerce platform. Most owners can't, and that's the problem. Each one is a standing door. A breach at any single vendor in that list becomes a breach of your customer data, and you find out when the phishing emails start landing because your contact list is now for sale.

The stolen data here is exactly the fuel for the next attack: real names, real emails, real support history, enough to write a convincing fake. LastPass even named the spoofed sender domains the crew is using. Expect a wave of "your account needs attention" messages aimed at LastPass customers over the coming weeks, and treat any unexpected request for credentials as hostile until proven otherwise.

The move this week is a fifteen-minute audit, not a panic. Open the security settings of your main accounts and find the list of connected apps or authorized third parties. In Google it's myaccount.google.com under "Data & privacy." Revoke anything you don't recognize or no longer use. For the tools you keep, check whether they're asking for more than they need. Turn on two-factor everywhere it's offered. Then put a recurring reminder on the calendar to do the same sweep every quarter, because that list only grows. The breach that gets you is rarely the tool you're watching. It's the one you forgot you connected.

Why it matters

Your customer data can leak even when your own security is flawless, because every app you've connected to Google, your CRM or your accounting tool holds a key that a vendor breach can hand to attackers. A fifteen-minute audit of your authorized third-party apps closes doors you forgot were open.

Network impact

LatencyNo direct impact.
SecurityDirect and central. OAuth tokens granted to third-party integrations are a standing attack surface: a breach at any connected vendor exposes the data in your own CRM and accounts, bypassing passwords and two-factor entirely. Least-privilege grants and regular token audits are the defense.
ScalabilityThe more tools a team connects as it grows, the larger this surface gets, usually unmanaged. Treating connected-app review as a recurring quarterly process keeps the door count under control as the stack expands.

What to do

  1. Open your main accounts (Google Workspace, CRM, accounting, e-commerce) and find the list of connected or authorized third-party apps. In Google: myaccount.google.com, under Data & privacy, then Third-party apps & services.
  2. Revoke access for any app you don't recognize or no longer use. Each one is a standing key to your data.
  3. For tools you keep, check whether the access granted is more than the job needs, and reduce it where you can.
  4. Turn on two-factor authentication everywhere it's offered, especially on the accounts other tools connect through.
  5. Warn your team to treat unexpected emails or calls asking for credentials or account details as suspect, especially anything referencing LastPass right now.
  6. Put a recurring quarterly reminder on the calendar to repeat this connected-app sweep, because the list only grows.

Sources

« All articles