Sold passwords and customer info kept apart – how two data leaks link up

In 2022, a single security failure spilled encrypted passwords for thousands of users. That incident wasn’t the end—just a warning. Before the dust settled, another break-in happened somewhere else. This time the target was a marketing firm called Klue, and its customer database held files belonging to LastPass too. The stolen entries from Klue weren’t the password vaults themselves. Instead they held names, phone numbers, and related details. Attackers—reportedly calling themselves Icarus—now hold this data over multiple companies, including LastPass. The company states strongly that the core vaults stayed locked.What is interesting here is how supply chains create hidden risks. A weak spot at Klue managed to expose partners who never dealt directly with those hackers. It shows how one breach can ripple outward like a stone cast into a pond. Security teams always urge users to keep passwords unique. Yet a breach at Klue reveals another layer: personal contact details can also become leverage. Phone numbers and names can lead to phishing calls or texts aimed at tricking people into revealing more sensitive data. For LastPass the lesson seems clear—password storage and customer support records require separate defenses. Mixing them, even through a third party, can create new doors for intruders to walk through.