Key Takeaways:
- A new active phishing campaign is impersonating LastPass, a password management service, to trick users into giving up their master passwords.
- The campaign involves sending phishing emails with subject lines that create a sense of urgency, such as "LastPass Infrastructure Update: Secure Your Vault Now" and "Protect Your Passwords: Backup Your Vault (24-Hour Window)".
- The emails direct users to a phishing site that then redirects to a malicious domain, "mail-lastpass[.]com".
- LastPass will never ask users for their master passwords and is working with third-party partners to take down the malicious infrastructure.
- Users are advised to be cautious of emails that create a sense of urgency and to verify the authenticity of emails before taking any action.
Introduction to the Phishing Campaign
The password management service, LastPass, has alerted its users to a new active phishing campaign that is impersonating the company. The campaign, which began on or around January 19, 2026, involves sending phishing emails that claim there is upcoming maintenance and urge users to create a local backup of their password vaults within the next 24 hours. The emails come with subject lines that are designed to create a sense of urgency, such as "LastPass Infrastructure Update: Secure Your Vault Now" and "Protect Your Passwords: Backup Your Vault (24-Hour Window)". These subject lines are intended to trick users into taking immediate action, without verifying the authenticity of the email.
The Phishing Emails and Malicious Infrastructure
The phishing emails are designed to steer unsuspecting users to a phishing site, which then redirects to the domain "mail-lastpass[.]com". This domain is not affiliated with LastPass and is intended to trick users into giving up their master passwords. The company has emphasized that it will never ask users for their master passwords and is working with third-party partners to take down the malicious infrastructure. LastPass has also shared the email addresses from which the phishing emails originate, including "support@sr22vegas[.]com", "support@lastpass[.]server8", and "support@lastpass[.]server7". Users are advised to be cautious of emails from these addresses and to verify the authenticity of any emails that claim to be from LastPass.
The Tactics Used in the Phishing Campaign
The phishing campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics used in phishing attacks. A spokesperson for the Threat Intelligence, Mitigation, and Escalation (TIME) team at LastPass stated that the company wants customers and the broader security community to be aware that LastPass will never ask for their master password or demand immediate action under a tight deadline. The company is grateful for the vigilance of its customers and their continued reporting of suspicious activity. This campaign is a reminder that phishing attacks can be sophisticated and convincing, and that users must be cautious and vigilant when interacting with emails and online services.
Previous Phishing Campaigns Targeting LastPass Users
This development comes months after LastPass cautioned users of an information-stealing campaign targeting Apple macOS users through fake GitHub repositories that distribute malware-laced programs masquerading as the password manager and other popular software. This previous campaign highlights the ongoing threat of phishing attacks and the importance of users being aware of the tactics used by attackers. LastPass has been proactive in alerting its users to potential security threats and has taken steps to protect its users’ sensitive information. The company’s efforts to educate its users and take down malicious infrastructure demonstrate its commitment to security and customer protection.
Conclusion and Recommendations
In conclusion, the new phishing campaign targeting LastPass users is a reminder of the importance of being cautious and vigilant when interacting with emails and online services. Users are advised to verify the authenticity of emails before taking any action and to be wary of emails that create a sense of urgency. LastPass will never ask users for their master passwords, and any emails that claim to be from the company and request this information should be treated with suspicion. By being aware of the tactics used in phishing attacks and taking steps to protect themselves, users can help to prevent the success of these types of campaigns and protect their sensitive information.
