Phishing Campaign Impersonating LastPass Maintenance Alerts to Steal Master Passwords
LastPass warned of an active phishing campaign impersonating the service with fake “infrastructure maintenance” notifications that pressure users to “back up” their password vaults within 24 hours. The emails are crafted to create urgency and direct recipients to click a “Create Backup Now” link, with the apparent goal of hijacking accounts and stealing vault master passwords; LastPass emphasized it will never ask customers to provide their master password or demand immediate action under a tight deadline.
LastPass’ Threat Intelligence, Mitigation, and Escalation (TIME) team assessed the campaign as starting around January 19, 2026, and observed messages sent from addresses including support@lastpass[.]server8 and support@sr22vegas[.]com (with additional reported senders support@lastpass[.]server7 and support@lastpass[.]server3). Reported infrastructure used in the lure included an Amazon S3 URL group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf that redirected to mail-lastpass[.]com; LastPass said it is working with third-party partners to take down the malicious infrastructure.
Sources
4 more from sources like BleepingComputer, The Hacker News, Dark Reading and blog.lastpass.com
Related Stories

LastPass Phishing Campaign Using Spoofed Support Threads and Fake SSO Pages
LastPass warned of an active **phishing campaign** using spoofed “security alert” and “support thread” emails that claim unauthorized access, master password changes, vault export attempts, account recovery, or new device registration. The messages abuse **display-name spoofing** (e.g., “LastPass Support”) to hide unrelated sender addresses—often from compromised sites or abandoned domains—and use urgent calls to action such as “report suspicious activity,” “disconnect and lock vault,” and “revoke device” to drive clicks. Victims who follow the links are directed to a fake LastPass SSO/login page hosted primarily on `verify-lastpass[.]com`, with additional lookalike/modified URLs redirecting to the same credential-harvesting site, aiming to steal users’ **master passwords** and account credentials. LastPass stated its own infrastructure was **not compromised**, is working with partners to take down the phishing domains, and reiterated it will **never** ask users for their master password; users are advised to report suspicious LastPass-branded emails to `abuse@lastpass.com`.
1 week ago

Phishing Campaigns Impersonate LastPass to Steal Credentials and Deploy Remote Access Tools
Threat actors have launched sophisticated phishing campaigns impersonating *LastPass* to trick users into revealing their master passwords and, in some cases, to install remote access tools. One campaign, attributed to the financially motivated group **CryptoChameleon (UNC5356)**, sends emails claiming a family member has requested access to the victim's LastPass vault via a fabricated death certificate, exploiting the service's emergency access feature. Victims are directed to fraudulent sites mimicking LastPass, where they are prompted to enter their credentials or passkeys. In some instances, attackers have also called victims while posing as LastPass staff to further legitimize the scam. A separate but related campaign targets users of both *LastPass* and *Bitwarden* with fake breach notifications, urging them to download a "secure" desktop version of the password manager. The download actually installs the Syncro remote monitoring and management (RMM) tool, which is then used to deploy ScreenConnect for remote access. This allows attackers to steal data, deploy additional malware, and potentially access password vaults. Both LastPass and Syncro have taken steps to warn users and disrupt the malicious infrastructure, emphasizing that no legitimate communication will ever request a master password and advising users to verify suspicious emails.
4 months ago
Phishing Campaigns Abuse Trusted Branding and Cloud Hosting to Steal Credentials
**LastPass** warned customers about an active phishing campaign using spoofed “security alert” emails that claim unauthorized access, vault export attempts, account recovery, or new device registration to pressure users into taking action. The messages spoof the LastPass display name (relying on many clients—especially mobile—showing only the display name) and direct victims to a fake SSO login page at `verify-lastpass[.]com` to steal credentials; LastPass reiterated it will **never** ask for a user’s master password and said it is working with partners to take down the phishing infrastructure. Separately, researchers reported a coordinated phishing operation that abuses **Google Cloud Storage (GCS)** to host redirector content on a legitimate Google domain (`storage.googleapis.com`) to help links evade email security controls. Analysis tied 25+ distinct lure emails (e.g., “storage full,” “antivirus expired,” and brand-themed reward scams) to a single GCS bucket (`whilewait`) hosting `comessuccess.html`, which functions as a gatekeeper/redirector that forwards victims to third-party malicious sites associated with credential and/or payment-card harvesting and potential malware delivery; the consistent destination across varied themes indicates centralized attacker-controlled cloud infrastructure.
2 weeks ago
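
The display-name spoofing, lookalike login hosts and cloud-storage redirector links described in the stories above can be checked for in mail triage. The following is an added example, not code from LastPass or the cited researchers: the function names, the trusted-domain set (`lastpass.com` only) and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "lastpass"
# Assumption: the only domain the brand legitimately sends from and links to.
TRUSTED_DOMAINS = {"lastpass.com"}

def is_trusted(domain):
    """True if domain is a trusted domain or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def is_cloud_storage(host):
    # Shared storage hosts of the kind the page reports as redirector hosting.
    return host == "storage.googleapis.com" or (
        host.endswith(".amazonaws.com") and ".s3." in "." + host)

def assess(raw_message):
    """Return sorted findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower().rstrip(".")
    findings = set()
    # Display-name spoofing: brand in the visible name, unrelated sender domain.
    if BRAND in display.lower().replace(" ", "") and not is_trusted(sender_domain):
        findings.add("display-name-spoof")
    # Text parts only; transfer-encoded bodies would need decoding first.
    parts = [p.get_payload() for p in msg.walk() if not p.is_multipart()]
    body = "\n".join(p for p in parts if isinstance(p, str))
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if is_cloud_storage(host):
            findings.add("cloud-storage-link")
        elif BRAND in host and not is_trusted(host):
            findings.add("lookalike-host")
    return sorted(findings)

# Constructed sample messages (reserved .example domains, not real indicators).
SAMPLES = {
    "spoofed": "From: LastPass Support <support@old-shop.example>\n\n"
               "Create Backup Now: https://bucket-1.s3.eu-west-3.amazonaws.com/x\n",
    "lookalike": 'From: "LastPass" <alerts@mailer.example>\n\n'
                 "Sign in at https://verify-lastpass.example/sso\n",
    "genuine": "From: LastPass <no-reply@lastpass.com>\n\n"
               "Release notes: https://blog.lastpass.com/\n",
}

if __name__ == "__main__":
    print({name: assess(raw) for name, raw in SAMPLES.items()})
```

A check like this complements SPF, DKIM and DMARC evaluation, which authenticate the sender domain but say nothing about the display name a mail client shows.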