LastPass–Klue Supply Chain Breach: OAuth Tokens Used to Access Salesforce Customer Data

Enterprise security teams have spent years improving password policies, MFA adoption and user access controls. Yet the modern identity attack surface is no longer limited to usernames and passwords. OAuth tokens, SaaS integrations, CRM connectors and third-party applications now carry pre-authorised trust across business environments.

The latest LastPass–Klue incident is a clear example of that shift. LastPass disclosed that it was affected by a supply chain incident involving Klue, a third-party market intelligence platform used by go-to-market teams. Klue integrates with platforms such as Salesforce and Gong, creating a direct connection into sales, customer and support workflows.

According to LastPass, the incident began outside its own infrastructure. An unauthorised actor obtained OAuth tokens held by Klue for a number of its customers, including LastPass. Those tokens were then used to access customer data within LastPass’s Salesforce environment. LastPass stated that its products, services, infrastructure and customer vaults were not impacted.

That distinction is important, but it does not make the incident low-risk. The exposed data reportedly included customer names, phone numbers, email addresses, postal addresses, business contact details, support case information and sales or CRM-related records. This is not password vault data, but it is valuable context for phishing, impersonation and social engineering.

The incident also shows why SaaS supply chain security is becoming a board-level issue. In many organisations, CRM systems, sales enablement tools, market intelligence platforms and customer success applications are deeply connected. These integrations are often approved for business productivity, but they may not receive the same level of scrutiny as core identity or endpoint systems.

OAuth tokens are especially sensitive because they can bypass traditional login controls once issued. If a third-party platform stores or manages tokens for many customers, compromise of that platform can create a scalable route into connected environments. In this case, the risk was not a stolen LastPass password. The risk was delegated trust through an integrated SaaS application.

The Hacker News reported that Salesforce disabled the Klue Battlecards integration after detecting unusual activity involving the app. Klue has also said that the incident was limited to affected third-party platform connections and that it took steps including revoking affected credentials and tokens, removing unauthorised code, disabling potentially impacted integrations and launching an investigation.

For affected organisations, the business impact can extend beyond immediate data exposure. Customer contact data and support case information can help attackers build convincing phishing campaigns. Sales and CRM records may reveal customer relationships, procurement context, renewal discussions or organisational structure. In B2B environments, that information can support targeted fraud or downstream attacks.

The immediate response should focus on token governance. Organisations should identify which SaaS applications hold OAuth access into Salesforce, Gong, CRM platforms and customer success tools. Unused integrations should be removed, active tokens should be reviewed and high-risk connections should be rotated or revoked where necessary.

Security teams should also review Salesforce audit logs, OAuth app activity, unusual API access, suspicious exports and access patterns around the relevant incident window. Where possible, SaaS audit logs should be collected centrally and routed into SIEM or detection platforms rather than reviewed only after an incident.
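As an added example (not code from LastPass, Klue or Salesforce), the following script ties the two previous steps together: it compares connected-app OAuth activity against an approved-app inventory and flags volume spikes and exports inside an incident window. The record fields (ts, app, user, op, rows), the sample log lines and the baseline values are all constructed for illustration and are not a real Salesforce event log schema.

```python
"""Triage of connected-app (OAuth) activity against an app inventory.

Added illustration, not code from LastPass, Klue or Salesforce. The record
schema and sample lines below are constructed; real Salesforce event logs
use different field names and must be mapped before using this logic.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: one entry per API call made through a
# connected app's OAuth token. The field names are assumptions.
SAMPLE_LOG = [
    {"ts": "2026-03-01T09:15:00", "app": "Gong",        "user": "u01", "op": "query",  "rows": 120},
    {"ts": "2026-03-01T09:20:00", "app": "KlueCards",   "user": "u07", "op": "query",  "rows": 200},
    {"ts": "2026-03-02T02:05:00", "app": "KlueCards",   "user": "u07", "op": "query",  "rows": 48000},
    {"ts": "2026-03-02T02:09:00", "app": "KlueCards",   "user": "u07", "op": "export", "rows": 95000},
    {"ts": "2026-03-02T02:30:00", "app": "UnknownSync", "user": "u07", "op": "query",  "rows": 10},
]

# Approved connected apps with the rows per day each is expected to pull
# (constructed baseline values). Anything not listed is unapproved.
APPROVED_APPS = {"Gong": 5000, "KlueCards": 5000}


def triage(records, approved, incident_window):
    """Return (kind, app, when) findings from connected-app activity.

    Flags: (1) apps missing from the approved inventory, (2) approved apps
    whose daily row volume exceeds their baseline (possible bulk pull),
    and (3) any export operation inside the incident window.
    """
    start, end = (datetime.fromisoformat(t) for t in incident_window)
    daily_rows = defaultdict(int)
    findings = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if r["app"] not in approved:
            findings.append(("unapproved_app", r["app"], r["ts"]))
        daily_rows[(r["app"], ts.date())] += r["rows"]
        if r["op"] == "export" and start <= ts <= end:
            findings.append(("export_in_window", r["app"], r["ts"]))
    for (app, day), rows in daily_rows.items():
        if app in approved and rows > approved[app]:
            findings.append(("volume_spike", app, day.isoformat()))
    return findings


if __name__ == "__main__":
    window = ("2026-03-02T00:00:00", "2026-03-02T23:59:59")
    for finding in triage(SAMPLE_LOG, APPROVED_APPS, window):
        print(finding)
```

Each finding is a lead to check against the token inventory: an unapproved app means a token nobody governs, and a volume spike or export from an approved app is the pattern to compare with the vendor's stated incident window before deciding whether to revoke.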

The lesson is straightforward: today’s identity risk is not only about passwords. OAuth tokens, SaaS integrations and third-party access chains are now part of the enterprise control plane. If these connections are not visible, governed and monitored, the organisation cannot accurately understand its real attack surface.