Security Blog

Even LastPass couldn't protect its own credentials.

#22

June 24, 2026 · By Marketing team


LastPass exists to keep credentials safe, and this month it could not keep its own: a legacy integration credential and OAuth tokens, taken through a third-party vendor. You do not guard a standing credential well enough anymore. You stop having one.

LastPass exists for one reason: to keep credentials safe. That is the entire product and the entire promise. This month, LastPass could not keep its own.

A legacy integration credential and the OAuth tokens connecting LastPass's Salesforce to a third-party tool were compromised, and attackers used them to walk off with customer data: names, email addresses, phone numbers, support history. The break did not even start at LastPass. It started at a market-intelligence vendor called Klue, wired into LastPass's systems, and the credentials connecting the two were the way in [1].

Skip the part everyone will argue about. This is not about whether the vault encryption held. Maybe it did. It is beside the point. The question was never whether the data sitting at rest was scrambled. It is whether the credentials — the live ones, the ones doing the connecting — were safe. They were not. Period.

Times have changed

This should land harder than another breach headline, because LastPass is not careless. By trade they are among the most credential-conscious organizations on earth. And they still lost control of the credentials that ran their business — not to a nation-state zero-day, but to a forgotten integration login and an OAuth token nobody rotated, sitting inside a SaaS vendor most of their customers had never heard of.

It was not only them. The same campaign hit a row of companies whose entire job is security: Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity [1]. A threat-intelligence firm. An endpoint-security firm. They hold the line for everyone else, and they could not hold their own credentials either.

That is the signal worth reading. The credential that gets you breached now is not the password in the vault. It is the standing machine credential: the API key, the OAuth grant, the legacy service login, sitting long-lived and broadly scoped in some system, waiting. There are more of them every quarter, spread across more vendors, and the moment one link in that chain is compromised, every credential it touched is loose. If LastPass cannot keep that surface safe, nobody is keeping it safe by holding it carefully.

You don't guard a standing credential. You stop having one.

So stop trying to hold them safely. You can't. The lesson of LastPass is not "find a better vault for your tokens." It is that a standing credential, however well guarded, is a thing waiting to be taken — and an era of supply chains, automation, and agents takes them faster than anyone can rotate them.

The only credential that cannot be stolen is the one that is not sitting there to steal. That is what Clavitor is built to be. A credential is never parked, standing, in a system where an attacker, a compromised vendor, or a hijacked agent can reach it. It is released scoped to a single action, lives for seconds, and is gone after use. The operator cannot read it, so taking the operator yields nothing. It is bound to the machine it was issued to, so a copy lifted anywhere else is dead weight. There is no long-lived OAuth token in a third party's database, because the token was never standing there to begin with. (That last one is near the top of the rules we think a credential system has to keep now.)

The honest edge: nobody makes you unbreachable, and we are not selling that. What changes is what a breach can reach. Take the operator, the vendor, the agent — and find nothing standing there worth carrying off.

For a decade the pitch was simple: your credentials are safe with the company you hand them to. This month the company that built its name on that pitch couldn't keep its own. Nobody guards a standing credential well enough anymore, and every AI agent you deploy adds a hundred more. The credential that survives the next breach is the one that was never there to take.

Clavitor (@clavitorai) is the credential vault built for AI agents, and against them. clavitor.ai

Sources

[1] BleepingComputer — "LastPass confirms data breach in Klue supply-chain attack" (Klue/Salesforce-OAuth compromise; customer CRM data exposed; vaults not affected; same campaign hit Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity): https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/