Mallory

Phishing Campaign Exploits LastPass Legacy Inheritance Process

Updated October 27, 2025 at 05:00 PM (2 sources)

Threat actors from the group CryptoChameleon have launched a sophisticated phishing campaign targeting LastPass users by exploiting the password manager's legitimate legacy inheritance process. Victims receive emails falsely claiming that a family member has submitted a death certificate to gain access to their password vault, with urgent instructions to respond if the recipient is not deceased. The phishing emails contain links to fake LastPass pages designed to steal users' master passwords, and in some cases, attackers have posed as LastPass staff via phone calls to further pressure victims into divulging credentials.

The campaign leverages convincing social engineering tactics, including the use of agent ID numbers and passkey-themed phishing domains such as mypasskey[.]info and passkeysetup[.]com. Attackers also mimic sign-in pages for Gmail, iCloud, Okta, and Outlook to target users' cryptocurrency wallets on platforms like Binance, Coinbase, Kraken, and Gemini. LastPass has warned that these phishing sites are increasingly focused on stealing passkeys, reflecting both the growing adoption of passkeys and their value in protecting high-value assets. Users are advised to remain vigilant and avoid interacting with suspicious emails or providing credentials on unfamiliar sites.

Related Stories

Phishing Campaigns Impersonate LastPass to Steal Credentials and Deploy Remote Access Tools

Threat actors have launched sophisticated phishing campaigns impersonating *LastPass* to trick users into revealing their master passwords and, in some cases, to install remote access tools. One campaign, attributed to the financially motivated group **CryptoChameleon (UNC5356)**, sends emails claiming a family member has requested access to the victim's LastPass vault via a fabricated death certificate, exploiting the service's emergency access feature. Victims are directed to fraudulent sites mimicking LastPass, where they are prompted to enter their credentials or passkeys. In some instances, attackers have also called victims while posing as LastPass staff to further legitimize the scam.

A separate but related campaign targets users of both *LastPass* and *Bitwarden* with fake breach notifications, urging them to download a "secure" desktop version of the password manager. The download actually installs the Syncro remote monitoring and management (RMM) tool, which is then used to deploy ScreenConnect for remote access. This allows attackers to steal data, deploy additional malware, and potentially access password vaults. Both LastPass and Syncro have taken steps to warn users and disrupt the malicious infrastructure, emphasizing that no legitimate communication will ever request a master password and advising users to verify suspicious emails.

4 months ago
LastPass Phishing Campaign Using Spoofed Support Threads and Fake SSO Pages

LastPass warned of an active **phishing campaign** using spoofed “security alert” and “support thread” emails that claim unauthorized access, master password changes, vault export attempts, account recovery, or new device registration. The messages abuse **display-name spoofing** (e.g., “LastPass Support”) to hide unrelated sender addresses—often from compromised sites or abandoned domains—and use urgent calls to action such as “report suspicious activity,” “disconnect and lock vault,” and “revoke device” to drive clicks. Victims who follow the links are directed to a fake LastPass SSO/login page hosted primarily on `verify-lastpass[.]com`, with additional lookalike/modified URLs redirecting to the same credential-harvesting site, aiming to steal users’ **master passwords** and account credentials. LastPass stated its own infrastructure was **not compromised**, is working with partners to take down the phishing domains, and reiterated it will **never** ask users for their master password; users are advised to report suspicious LastPass-branded emails to `abuse@lastpass.com`.

1 week ago
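
A mail-filter check for the display-name spoofing and lookalike login host described in this story, as an added example that is not code from LastPass or from this page. It assumes genuine LastPass mail and links use `lastpass.com` or a subdomain of it; the sample messages, sender addresses and URL paths are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "lastpass"
# Assumption: genuine mail and links use lastpass.com or one of its subdomains.
LEGIT_DOMAINS = ("lastpass.com",)

def is_legit(host):
    """Exact match or true subdomain; 'verify-lastpass.com' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw.replace("[.]", "."))  # samples are defanged
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    # Brand in the display name, but the real address is somewhere else.
    if BRAND in name.lower().replace(" ", "") and not is_legit(domain):
        findings.append(f"display-name spoof: {name!r} from {domain}")
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text"
    )
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        if BRAND in host and not is_legit(host):
            findings.append(f"lookalike link host: {host}")
    return findings

# Constructed samples: sender addresses, subjects and URL paths are invented.
SPOOFED = """From: "LastPass Support" <notices@abandoned-site.example>
Subject: Security alert: new device registered

Report suspicious activity: https://verify-lastpass[.]com/login
"""
GENUINE = """From: "LastPass" <no-reply@lastpass.com>
Subject: Your monthly security summary

View it at https://lastpass.com/summary
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_message(raw))
```

The suffix test requires a leading dot, so a hyphenated host such as `verify-lastpass[.]com` is not treated as a subdomain of the legitimate domain.
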
Phishing Campaign Impersonating LastPass Maintenance Alerts to Steal Master Passwords

LastPass warned of an active **phishing campaign** impersonating the service with fake “infrastructure maintenance” notifications that pressure users to “back up” their password vaults within **24 hours**. The emails are crafted to create urgency and direct recipients to click a **“Create Backup Now”** link, with the apparent goal of **hijacking accounts and stealing vault master passwords**; LastPass emphasized it will **never** ask customers to provide their master password or demand immediate action under a tight deadline. LastPass’ Threat Intelligence, Mitigation, and Escalation (**TIME**) team assessed the campaign as starting around **January 19, 2026**, and observed messages sent from addresses including `support@lastpass[.]server8` and `support@sr22vegas[.]com` (with additional reported senders `support@lastpass[.]server7` and `support@lastpass[.]server3`). Reported infrastructure used in the lure included an Amazon S3 URL `group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf` that redirected to `mail-lastpass[.]com`; LastPass said it is working with third-party partners to **take down** the malicious infrastructure.

1 month ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.