The email from LastPass landed in inboxes this month. Another breach. Another explanation. Another assurance that password vaults were not accessed.
This time the incident came via a third-party supplier called Klue. Hackers accessed Klue's systems and used that position to pull data belonging to several of its customers, LastPass among them. What was taken includes customer names, email addresses, phone numbers and the contents of customer support cases. LastPass has confirmed that the encrypted password vaults were not reached.
That is the good news. The less comfortable news is that this is the third significant security event involving LastPass in recent years, and the pattern is starting to matter as much as any individual incident.
What happened with Klue
Klue is a market research platform. LastPass used it as a technology partner. A hacking and extortion group compromised Klue's environment and extracted data from several of its customers, including HackerOne, Recorded Future and Tanium alongside LastPass.
LastPass says its own infrastructure was not affected. The data taken is the kind that enables targeted phishing: real names, real contact details, real account context from support tickets. That is not nothing. A convincing email that references your actual LastPass account history is more dangerous than a generic phishing attempt.
Customers who used support recently, or who discussed account access issues with LastPass, should be alert to follow-up contact that references those conversations.
The pattern is the problem
The 2022 breach was more serious in direct terms. Hackers stole LastPass's entire store of encrypted customer password vaults. The vaults were protected by each user's master password, but the theft gave attackers unlimited time to attempt to crack them offline. Researchers have since linked a number of cryptocurrency thefts to attackers who successfully cracked vaults belonging to users with weak master passwords.
The 2026 breach is structurally different: a supplier was compromised rather than LastPass's own systems. But the effect from a business decision standpoint is the same. LastPass keeps appearing in breach headlines. At some point the pattern itself is the reason to act, regardless of the technical specifics of any single event.
What a password manager should look like for a business
A password manager holds the keys to everything: client portals, financial accounts, admin panels, cloud platforms. The security architecture underneath it is not a background consideration.
The standard to look for is a zero-knowledge architecture: the provider cannot access your vault data even if their servers are compromised, because the encryption and decryption happen entirely on your devices. LastPass uses zero-knowledge architecture. So does 1Password. The difference is that 1Password adds a second factor into the key derivation: the Secret Key.
The Secret Key is a long random string generated on your device when you set up 1Password. It is combined with your master password to derive the encryption key for your vault. It never leaves your devices. This means that even with your master password, an attacker who breaches 1Password's servers cannot decrypt your vault without also having your Secret Key. It is a meaningful additional layer.
What to look for in a business password manager:
- Zero-knowledge architecture: the provider cannot see your data
- Strong key derivation that does not depend on the master password alone
- Business controls: team vaults, granular sharing, admin oversight, access logs
- SSO integration with your identity provider if you use one
- Clean compatibility with macOS, iOS and your management platform
Why we recommend 1Password
We are a 1Password partner and we deploy it for clients across the studios, practices and agencies we look after. A few reasons it fits the businesses we work with:
It integrates cleanly with Apple Business Manager and the MDM platforms we use to manage Mac and iPhone fleets. Policies can be enforced centrally. Staff get a consistent experience across all their devices.
The two-factor key derivation means a breach of 1Password's infrastructure would not expose usable vault data. That is not hypothetical reassurance. It is the architecture.
The business controls are practical: team vaults, fine-grained sharing, activity logs, and the ability to recover access when someone leaves without handing over their master password. For a studio or practice where staff come and go, that matters.
What to do if you are currently using LastPass
If you received a notification from LastPass about the Klue breach, update your master password and make sure multi-factor authentication is enabled on your account. Review any recent customer support interactions that might contain sensitive information.
For the longer term, the question is whether LastPass is still the right tool. If you are a small team with straightforward needs and a strong master password with MFA enforced, the immediate risk is manageable. If you are storing credentials to client systems, financial accounts or sensitive platforms, the case for moving to a more robust option is now harder to ignore.
The migration from LastPass to 1Password is straightforward. Vaults export cleanly and import in a single step. We can handle the migration and configuration as part of an onboarding engagement, or walk your team through it independently.
Stay for now
Acceptable if your team uses a strong unique master password, MFA is enforced for every user and the credentials stored are low-risk. Revisit at your next renewal.
Move to 1Password
The right call if you store credentials to client systems, financial accounts or sensitive platforms, or if you want a password manager with stronger key architecture and cleaner business controls.
If you are not sure where you currently stand, that is a reasonable place to start the conversation.
Ready to move on from LastPass? We are a 1Password partner and can advise on the right setup for your team, handle the migration and make sure everything is configured correctly from day one.