PROBABLYPWNED
Threat Intelligence | March 5, 2026 | 3 min read

LastPass Warns of Phishing Campaign Targeting Master Passwords

Active phishing campaign uses spoofed email chains to trick LastPass users into revealing master passwords. Attackers generate thousands of URL variants leading to fake SSO pages.

Alex Kowalski

LastPass is warning customers of an active phishing campaign that began around March 1, 2026, with attackers sending fabricated email chains designed to appear as internal communications about unauthorized account access. The goal: stealing master passwords that unlock entire password vaults.

The company's Threat Intelligence, Mitigation, and Escalation (TIME) team issued an advisory on March 3 detailing the campaign, which exploits how mobile email clients often display only the sender's name while concealing the actual email address unless expanded.

Attack Technique

Attackers use display name spoofing to make emails appear to come from LastPass while using unrelated sender addresses. The phishing emails are being sent from several addresses including [email protected], [email protected], [email protected], [email protected], and [email protected].

Subject lines like "Re: the details," "Re: pending approval," and "RE: sign-in — TRZ-2302300" are designed to look like forwarded internal messages about unauthorized account activity. The emails claim someone is trying to take unauthorized action on the recipient's LastPass account—exporting vault data, performing full account recovery, or registering a new trusted device.

At the center of the phishing infrastructure is the domain verify-lastpass.com. The attackers generate many URL variants by appending different trailing numbers, producing a large set of links that all resolve to the same fake single sign-on login page. Because the variation is in the appended numbers rather than the domain, blocking and detection should key on the domain itself rather than on exact URLs.

Password Managers as High-Value Targets

The messages contain links pointing to fake LastPass login pages designed to harvest master passwords. For threat actors, password manager credentials represent extremely high-value targets. A single compromised master password unlocks access to every credential stored in the vault—banking sites, corporate accounts, cryptocurrency exchanges, email providers.

This campaign follows similar tactics seen in the MetaMask fake incident report phishing operation that used spoofed security alerts to steal cryptocurrency wallet credentials. Social engineering attacks that leverage trust in security providers tend to be more effective because victims already associate the brand with protection.

Users who fall for these phishing attempts may not realize they've been compromised until unauthorized access occurs across multiple accounts. The cascading effect of a password manager breach can be devastating.

Indicators of Compromise

LastPass provided several indicators to help users identify malicious emails:

Known sender addresses: the five spoofed-display-name senders listed in the Attack Technique section above, none of which use a LastPass domain

Malicious domain:

  • verify-lastpass.com (and variants with appended numbers)

The emails pass SPF, DKIM, and DMARC authentication checks, so email authentication alone will not flag them. Those checks authenticate the domain in the From address, not the display name: the attackers send through legitimate email infrastructure under unrelated sending domains rather than spoofing lastpass.com itself, and only the display name claims to be LastPass. Catching these messages therefore needs content- and context-based rules (a display name that claims LastPass on a non-LastPass address, links to the known malicious domain), not a passing authentication result.

How to Protect Yourself

LastPass emphasized that no one at the company will ever ask for your master password. If you receive a suspicious email requesting account action:

  1. Never click links in unsolicited emails about your LastPass account
  2. Verify the actual sender address, not just the display name, by expanding the From field, especially on mobile clients that hide the address by default
  3. Navigate directly to lastpass.com if you need to check account status
  4. Report suspicious emails to [email protected]
  5. Enable multifactor authentication on the account, preferably a hardware security key or an authenticator app, if you have not already

For organizations using LastPass Enterprise, security teams should alert employees to this campaign, block verify-lastpass.com and its numbered variants at the mail gateway and web proxy, and consider a mail-filtering rule that flags messages whose display name contains "LastPass" but whose From address is outside LastPass-owned domains, since authentication results alone will not catch them.
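One way to implement such a rule, as an added example that is not code from LastPass or from the original post: it parses a constructed sample message with Python's standard email library, flags display-name spoofing (a From display name that claims LastPass while the address domain is not a LastPass domain), flags a reply-style "Re:" subject on a message that references no earlier message (the fabricated email chain), and extracts any link matching the verify-lastpass.com indicator including its numbered variants. The allowlist of LastPass-owned domains and the sample messages are assumptions made for the example; a production rule should use an allowlist the organization maintains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: domains LastPass legitimately sends from.
# A production rule should use an allowlist maintained by the organization.
LEGIT_LASTPASS_DOMAINS = {"lastpass.com"}

# Indicator from the advisory: verify-lastpass.com and variants with appended
# numbers. The pattern accepts digits appended to the host label as well as any
# path or query string, so one rule covers the whole family of generated URLs.
IOC_URL_RE = re.compile(
    r"https?://(?:[\w-]+\.)*verify-lastpass\d*\.com(?:[/?#][^\s\"'<>]*)?",
    re.IGNORECASE,
)


def extract_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    text = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text)


def analyze_message(raw):
    """Return a verdict and the findings that support it for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []

    # Display-name spoofing: the name claims LastPass, the address domain does not.
    # SPF/DKIM/DMARC only authenticate from_domain, so this check is needed even
    # when Authentication-Results says every check passed.
    if "lastpass" in display_name.lower() and from_domain not in LEGIT_LASTPASS_DOMAINS:
        findings.append(f"display-name spoofing: '{display_name}' sent from {from_domain}")

    # Fabricated-thread heuristic: a "Re:" subject on a message that references
    # no earlier message is consistent with the fake email chains in this campaign.
    subject = msg.get("Subject", "")
    if re.match(r"\s*re:", subject, re.IGNORECASE) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append(f"fabricated thread: reply-style subject {subject!r} with no In-Reply-To/References")

    ioc_urls = sorted({m.group(0) for m in IOC_URL_RE.finditer(extract_text(msg))})
    findings.extend(f"IOC URL: {u}" for u in ioc_urls)

    return {
        "verdict": "quarantine" if findings else "deliver",
        "from_domain": from_domain,
        "ioc_urls": ioc_urls,
        "findings": findings,
        "authentication_results": msg.get("Authentication-Results", ""),
    }


# Constructed sample messages (not real campaign emails). The phishing sample
# carries an Authentication-Results header showing all three checks passing for
# the attacker's own sending domain, which is exactly the situation the advisory describes.
SAMPLE_PHISH = """\
From: LastPass Security <alerts@mail.example.net>
To: user@example.org
Subject: Re: pending approval
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.example.net; dkim=pass header.d=mail.example.net; dmarc=pass header.from=mail.example.net
Content-Type: text/plain; charset="utf-8"

Someone requested a full account recovery for your vault.
Review and cancel here: https://verify-lastpass.com/sso/login?id=4471
"""

SAMPLE_LEGIT = """\
From: LastPass <no-reply@lastpass.com>
To: user@example.org
Subject: Your monthly security report
Content-Type: text/plain; charset="utf-8"

Sign in at https://lastpass.com to view your report.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze_message(raw)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

The sample phishing message authenticates cleanly for mail.example.net and is still quarantined on three independent signals; the legitimate sample, sent from an allowlisted domain with an ordinary subject, is delivered. Keying the URL indicator on the domain rather than on exact links is what makes the numbered variants irrelevant.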

This marks the second major phishing campaign targeting LastPass customers in 2026. Given the 2022 breach, in which encrypted customer vault backups were stolen, users of the service remain attractive targets for credential theft operations: a phished master password would also decrypt a stolen copy of the vault for any user who has not changed that password since.
