LastPass Data Theft Leads a Week of Supply Chain, AI and Infostealer Warnings

LastPass users are facing fresh security concerns after the password manager confirmed that customer data was accessed through a breach at one of its third-party suppliers. The incident adds to a busy week of cybersecurity developments involving supply chain risk, exposed national security personnel, predictive policing, AI model controls and a major international action against infostealer malware.

The latest LastPass incident began with Klue, a market intelligence platform used by the company’s go-to-market teams and connected to its Salesforce and Gong systems. According to LastPass, an unauthorised actor obtained OAuth tokens held by Klue and used them to access customer data in LastPass’s Salesforce environment. The company said the exposed information was limited to business contact details, CRM data, support case data and sales-related records, including names, phone numbers, email addresses and physical addresses. LastPass said its products, services, infrastructure and customer vaults were not affected.

The disclosure is particularly sensitive because LastPass is still associated with its serious 2022 breach, in which attackers copied encrypted password vault data and other customer information. While the new incident appears narrower in scope, it reinforces a familiar lesson for businesses: attackers do not always need to breach a core product when a connected supplier or software integration can provide another route in.

The week also brought a major law enforcement and private-sector action against infostealer infrastructure. Microsoft, Europol and other international partners disrupted operations linked to Amadey and StealC, malware tools used to infect computers and steal passwords and other sensitive data. Microsoft said it found more than 140,000 computers infected with the tools during the first two weeks of May and identified more than 200 malicious command-and-control domains and IP addresses for disruption.

Elsewhere, WIRED reported that a data exposure at Dialog, a private events group co-founded by Peter Thiel, revealed personal information tied to national security and military personnel. The exposed records reportedly included details connected to a National Security Council intelligence official and an active-duty intelligence officer supporting sensitive military operations. WIRED reported that the exposure appeared to stem from a website misconfiguration and included private information and login tokens for 222 event registrants.

In the UK, a WIRED investigation placed another form of data risk under scrutiny. The report found that Avon and Somerset Police and Bristol City Council built a large predictive analytics programme using the Think Family Database, which contained sensitive records and supported machine-learning models designed to assign risk scores to adults and children. WIRED reported that the force created at least 23 models, including tools intended to assess risks related to crime, court attendance, missing persons and domestic abuse victimisation.

The intersection of cybersecurity and national security also widened through the case of former US national security adviser John Bolton, who pleaded guilty to illegally retaining classified information. Reuters reported that prosecutors said Bolton shared more than 1,000 pages of sensitive diary-style entries with relatives and that his personal email was hacked by someone believed to be linked to Iran.

AI governance remained another pressure point. Anthropic said earlier this month that a US government export control directive forced it to suspend access to its Fable 5 and Mythos 5 models for foreign nationals, citing national security concerns linked to possible jailbreak risks. Reuters later reported that the US government partially reversed the order, allowing Claude Mythos 5 to be redeployed to selected trusted US organisations.

Together, the incidents show how modern cyber risk is spreading across suppliers, cloud integrations, AI systems, public-sector data tools and personal accounts. For organisations, the message is clear: strong passwords are no longer enough. Teams need to understand phishing, OAuth token abuse, supplier compromise, data handling, incident response and the human mistakes that allow attackers to move from one system to another.

To strengthen your defences before the next breach hits, take The Hack Academy’s online training programme and give your team the practical skills to recognise threats, reduce risk and respond with confidence.