A password manager's entire value proposition rests on a single premise: that it can protect your secrets better than you can. LastPass has spent the past four years systematically undermining that premise, and the latest disclosure—that hackers accessed customer support case data through a breach at third-party vendor Klue—suggests the company still hasn't learned the fundamental lesson about supply-chain security that the rest of the industry absorbed years ago.
The breach, confirmed by LastPass on Monday, occurred when attackers compromised Klue, a competitive-intelligence platform that several cybersecurity firms use to track market positioning. LastPass acknowledged that support tickets—which can contain sensitive troubleshooting information, account details, and user communications—were among the data exfiltrated.
The pattern that won't break
This isn't LastPass's first breach, or its second, or even its third. The 2022 incident, in which attackers stole encrypted password vaults and later cracked weak master passwords to drain cryptocurrency wallets, should have been an extinction-level event for the company. Instead, LastPass limped forward, shedding enterprise customers while retaining a consumer base that either didn't follow security news or couldn't be bothered to migrate.
The Klue breach is different in character—it's a supply-chain attack rather than a direct compromise—but it reveals the same underlying problem. LastPass continues to share sensitive customer data with third-party vendors without adequate controls, and those vendors become attack vectors. The company's security perimeter extends far beyond its own infrastructure, and it apparently hasn't mapped or hardened that extended perimeter.
What Klue knows, attackers now know
Klue's platform aggregates competitive intelligence, which means it ingests communications, support interactions, and internal documents from its clients. For a password manager, this creates an unusually dangerous exposure. Support tickets often contain information about account recovery, authentication failures, and security configurations—exactly the metadata an attacker needs to prioritize targets or craft convincing phishing campaigns.
LastPass has not disclosed how many users were affected or what specific data fields were compromised. The company's statement emphasized that "no vault data" was accessed, which has become the rhetorical refuge of every LastPass breach announcement. But vault data isn't the only thing worth protecting. A detailed support history can tell an attacker which users have weak security practices, which have valuable accounts, and which are likely to fall for social engineering.
Our take
At some point, a company's breach history becomes its identity. LastPass has reached that point. The Klue incident isn't the most severe breach the company has suffered, but it's perhaps the most telling: even after years of security failures, LastPass still hasn't implemented the vendor-management controls that would prevent exactly this kind of supply-chain compromise. Users who remain on the platform aren't making a security decision anymore—they're making a convenience decision, and they should be honest with themselves about the trade-off. The password manager market has alternatives. LastPass's continued existence as a going concern is a testament to consumer inertia, not consumer wisdom.