The company LastPass - which literally sells security by guarding the passwords of tens of millions of people - has admitted that hackers stole user data. Not directly from its servers, but through Klue, a market-research firm that LastPass used as a technology partner. Klue discovered the breach on 12 June 2026.

What was stolen: names, phone numbers, email addresses, physical addresses, as well as customer-support records and sales-related data. LastPass stresses that the password vaults themselves remained secure and encrypted. That's an important distinction - but support tickets have historically contained sensitive things too: parts of credentials, even images of personal documents that users send when asking for help.

The exact number of affected users hasn't been released. LastPass has over 33 million users and around 1.6 million paying subscribers. Klue's CEO, Jason Smith, said the company „identified the hackers in its systems on 12 June“, while LastPass for now declines a broader comment.

The scenario has an unpleasant echo. In 2022, LastPass suffered a far heavier blow - back then the entire base of encrypted vaults was stolen, and weaker master passwords were later cracked offline, which led to cryptocurrency theft. The recurring lesson is always the same: a company's security is only worth as much as the weakest link in the chain of its partners. When you entrust your passwords to someone whose whole business is exactly that, the least you expect is that they're careful about who they give access to.