LastPass Warns of Phishing Campaign Targeting Master Passwords
Fake maintenance emails urge users to back up their vaults before a deadline, redirecting victims to credential-harvesting sites. The campaign launched over MLK weekend.
LastPass is warning customers about a phishing campaign that impersonates the password manager to steal master passwords. The emails claim LastPass is performing maintenance and urge users to create local vault backups within 24 hours, directing them to a credential-harvesting site that captures their master password.
The campaign began around January 19, 2026—timed over the Martin Luther King Jr. holiday weekend when fewer employees would be available to report and respond to the scam.
How the Attack Works
Phishing emails arrive from addresses including "[email protected]" and "[email protected]" with subject lines designed to create urgency:
- "LastPass Infrastructure Update: Secure Your Vault Now"
- "Your Data, Your Protection: Create a Backup Before Maintenance"
- "Don't Miss Out: Backup Your Vault Before Maintenance"
- "Important: LastPass Maintenance & Your Vault Security"
- "Protect Your Passwords: Backup Your Vault (24-Hour Window)"
Clicking the link routes victims through an AWS-hosted redirect at "group-content-gen2.s3.eu-west-3.amazonaws.com" before landing on the phishing site at "mail-lastpass.com." The redirect adds a layer of legitimacy—AWS infrastructure is commonly used by enterprises, and link scanners may not immediately flag it.
The phishing page mimics the LastPass interface and asks users to enter their master password to "export" their vault. Once entered, the credentials go straight to the attackers. With a master password, attackers can access the victim's entire vault—every credential, secure note, and identity stored in LastPass.
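The lure described above has three observable traits: mail that talks about LastPass but is not sent from a lastpass.com address, a deadline in the subject or body, and links that run through an S3 bucket or land on a lookalike domain. The triage rule below, an added example that is not LastPass's own tooling, scores messages on those traits. The sample messages are constructed for the demonstration; the sender domain sr22vegas.com, the S3 redirect host, the mail-lastpass.com landing domain and the subject lines are the indicators the article reports.

```python
"""Mail-triage rule for LastPass-impersonation phishing (added example).

Sample messages are constructed; indicator hosts and subjects come from the
article. registrable_domain() is a crude stand-in for the Public Suffix List."""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"lastpass.com"}          # where real LastPass mail and links live
KNOWN_BAD_HOSTS = {                       # indicators reported in the article
    "group-content-gen2.s3.eu-west-3.amazonaws.com",
    "mail-lastpass.com",
}
URGENCY = re.compile(
    r"\b(24[- ]hours?|before maintenance|secure your vault now|don't miss out)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: enough for .com lookalikes such as
    mail-lastpass.com, which is its own registrable domain, not a subdomain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_message(msg: dict) -> dict:
    """Return {'score': n, 'reasons': [...]} for one parsed message."""
    reasons = []
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    text = f"{msg['subject']}\n{msg['body']}"
    mentions_lastpass = "lastpass" in text.lower()

    # Signal 1: brand impersonation (LastPass content, non-LastPass sender).
    if mentions_lastpass and registrable_domain(sender_domain) not in LEGIT_DOMAINS:
        reasons.append(f"brand impersonation: sender domain {sender_domain}")
    # Signal 2: artificial deadline.
    if URGENCY.search(text):
        reasons.append("artificial deadline in subject/body")
    # Signal 3: where the links actually go.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in KNOWN_BAD_HOSTS:
            reasons.append(f"known campaign host: {host}")
        elif host.endswith(".amazonaws.com") and mentions_lastpass:
            reasons.append(f"S3-hosted link in password-manager mail: {host}")
        elif "lastpass" in host and registrable_domain(host) not in LEGIT_DOMAINS:
            reasons.append(f"lookalike domain: {host}")
    return {"score": len(reasons), "reasons": reasons}


def triage(messages: list[dict], threshold: int = 2) -> list[tuple[str, int]]:
    """Subjects of messages scoring at or above the threshold, worst first."""
    scored = [(m["subject"], score_message(m)["score"]) for m in messages]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda h: -h[1])


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    {"from": "support@sr22vegas.com",
     "subject": "LastPass Infrastructure Update: Secure Your Vault Now",
     "body": "We are performing maintenance. Create a local backup of your vault "
             "within 24 hours: https://group-content-gen2.s3.eu-west-3.amazonaws.com/update"},
    {"from": "alerts@sr22vegas.com",
     "subject": "Important: LastPass Maintenance & Your Vault Security",
     "body": "Export your vault before maintenance at https://mail-lastpass.com/export"},
    {"from": "noreply@lastpass.com",
     "subject": "Your LastPass security dashboard",
     "body": "Review your dashboard at https://lastpass.com/dashboard"},
]

if __name__ == "__main__":
    for subject, score in triage(SAMPLE_MESSAGES):
        print(f"{score}  {subject}")
```

Run as a script it lists the two constructed lures with a score of 3 each and drops the legitimate-looking message. The registrable-domain comparison is the part that matters: a plain substring match on "lastpass" would wave through mail-lastpass.com, while label-aware matching treats it as an unrelated domain.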
Strategic Timing
Launching the campaign over a federal holiday weekend was deliberate. With many security and IT teams off work, reports of the phishing emails would be delayed. By the time organizations identified and escalated the threat, the campaign had already been active for days.
This pattern is common in phishing campaigns. Attackers frequently time their operations around weekends, holidays, and the end of business quarters when security teams are stretched thin or staffing is reduced.
LastPass Response
LastPass stated definitively that it is not asking customers to back up vaults before any maintenance deadline. The company reminded users that LastPass never asks for master passwords via email or any other channel.
"Rest assured, we are working with our third-party partners to have this domain taken down as soon as possible," the company said in a security notice.
Users who receive suspicious emails should forward them to [email protected] and delete them. Anyone who entered credentials on the phishing site should immediately change their master password and consider rotating credentials stored in the vault—particularly for high-value accounts like banking, email, and cloud services.
Context: LastPass's Challenging Year
This phishing campaign arrives while LastPass is still dealing with fallout from its 2022 breach. The UK Information Commissioner's Office fined LastPass £1.2 million in late December 2025, citing inadequate security measures that led to the theft of encrypted vault data affecting 1.6 million UK users.
Security researchers have linked hundreds of millions of dollars in cryptocurrency theft to that breach, with attackers systematically cracking weaker master passwords to access crypto wallet seed phrases stored in vaults.
The phishing campaign exploits the residual anxiety among LastPass users. Someone already worried about their vault security after the 2022 breach might be more susceptible to urgent emails about "protecting their data." The attackers are counting on that fear.
Protecting Yourself
Password manager phishing is a high-value attack because it yields not one credential but potentially hundreds. Users should treat any communication claiming to be from their password manager with extreme suspicion.
Guidelines to avoid these attacks:
- Never click email links to access your password manager. Always navigate directly by typing the URL or using a bookmark.
- Check the sender address carefully. Legitimate LastPass emails come from lastpass.com domains, not random domains like "sr22vegas.com."
- Ignore artificial urgency. Real password managers don't impose sudden 24-hour deadlines for vault exports. Any email creating urgent pressure is suspect.
- Enable hardware security keys if your password manager supports them. FIDO2 authentication defeats most phishing attacks because credentials are bound to the legitimate domain.
- Report suspicious emails to your organization's security team and to the impersonated vendor.
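The FIDO2 point in the list deserves a concrete illustration of what "bound to the legitimate domain" means. The model below is an added example, not LastPass's or any WebAuthn library's code. It reproduces the two origin-binding checks a relying party performs on an assertion: the origin inside clientDataJSON must be one of the RP's own origins, and the rpIdHash at the start of authenticatorData must be SHA-256 of the RP ID. Signature verification, which a real server also performs, is left out so the binding logic stands alone; the RP origins, RP ID and challenge are constructed assumptions.

```python
"""Why a FIDO2/WebAuthn credential does not leak to a lookalike site (added example).

Models browser RP-ID scoping and the relying party's origin/rpIdHash checks.
RP origins, RP ID and challenge are assumptions; signature checks are omitted."""
import hashlib
import json
import os

RP_ORIGINS = {"https://lastpass.com", "https://vault.lastpass.com"}  # assumed
RP_ID = "lastpass.com"                                               # assumed


def browser_permits_rp_id(page_host: str, requested_rp_id: str) -> bool:
    """A page may use an RP ID only if it equals the page's host or is a
    registrable suffix of it, compared label by label, not as a raw string."""
    return page_host == requested_rp_id or page_host.endswith("." + requested_rp_id)


def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """authenticatorData prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def make_client_data(origin: str, challenge: str, ceremony: str = "webauthn.get") -> bytes:
    """clientDataJSON as the browser builds it; origin is the page the user is on."""
    return json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()


def verify_binding(client_data_json: bytes, auth_data: bytes,
                   expected_challenge: str) -> tuple[bool, str]:
    """Relying-party side: ceremony type, challenge, origin, then rpIdHash."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in RP_ORIGINS:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def simulate(page_host: str, challenge: str) -> tuple[bool, str]:
    """Login attempt from a page on page_host that asks for RP_ID.

    A real browser raises a SecurityError when the page's host is outside the
    RP ID; here that is modelled as the page falling back to its own host,
    which is the best a lookalike can do, and it still fails verification."""
    rp_id = RP_ID if browser_permits_rp_id(page_host, RP_ID) else page_host
    return verify_binding(make_client_data(f"https://{page_host}", challenge),
                          make_auth_data(rp_id), challenge)


if __name__ == "__main__":
    challenge = os.urandom(16).hex()
    for host in ("lastpass.com", "vault.lastpass.com", "mail-lastpass.com"):
        print(host, simulate(host, challenge))
```

The edge case worth noticing is the string comparison: `"mail-lastpass.com".endswith("lastpass.com")` is true, so a naive suffix check would treat the phishing domain as part of lastpass.com. Label-aware matching, which is what browsers apply to RP IDs, rejects it, and the server then sees both an unknown origin and the wrong rpIdHash.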
For users of any password manager—not just LastPass—this campaign is a reminder that attackers specifically target the systems designed to protect credentials. The more valuable the vault, the more attractive the target.