Password management software provider LastPass is warning of a phishing campaign that targets its users with fake alerts about unauthorized account access.
The emails impersonate a LastPass representative by spoofing the display name and use subject lines crafted to mimic forwarded internal conversations between attackers and the company’s customer support team about a request to change the account’s primary email address.
The email chains are forwarded to the target in an attempt to prompt them to respond to the suspicious activity with urgency and click on links named “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”
Source: LastPass
Clicking any of these links directs users to a fake LastPass login page hosted on the domain “verify-lastpass[.]com,” which collects their LastPass credentials.
The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team notes in a report that, apart from this primary domain, the attacker also uses slightly modified URLs that redirect to the same phishing page.
LastPass notes that multiple sender addresses and subject lines are used in the campaign to increase credibility and make tracing more difficult.
Most sender addresses are completely unrelated to the LastPass brand, set up from compromised websites or abandoned domains, but the attackers try to hide them by using the ‘LastPass Support’ display name.
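As an added illustration (not part of the original article or of LastPass's report), the following Python script shows how a mail filter might flag the two indicators described above: a 'LastPass Support' display name on a message whose sender address belongs to an unrelated domain, and links whose hostname contains the brand name but is not the genuine lastpass.com domain (including the subdomain trick where the real-looking name is only a prefix). The sample messages, sender addresses and the `.test` domains are constructed for this example; the allowlist of legitimate domains (`lastpass.com`) is an assumption that a real deployment would replace with its own verified list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of legitimate brand domains (an assumption for this example;
# a real deployment would maintain its own verified list).
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 reduction: keep the last two labels (adequate for .com/.test here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_allowlisted(host: str) -> bool:
    return registrable_domain(host) in LEGIT_DOMAINS


def analyze_message(raw: str) -> list:
    """Return human-readable findings for brand-impersonation indicators in one email."""
    msg = message_from_string(raw)
    findings = []

    # Indicator 1: the brand appears in the display name, but the actual sender
    # address is on a domain that has nothing to do with the brand.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if BRAND in display_name.lower() and not is_allowlisted(sender_domain):
        findings.append(f"display name '{display_name}' but sender domain '{sender_domain}'")

    # Indicator 2: a link whose hostname contains the brand name but whose
    # registrable domain is not the genuine one (lookalike or subdomain trick).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    seen_hosts = set()
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")
        host = (urlparse(url).hostname or "").lower()
        if BRAND in host and not is_allowlisted(host) and host not in seen_hosts:
            seen_hosts.add(host)
            findings.append(f"lookalike link domain '{host}' (first seen in {url})")
    return findings


# Constructed sample modelled on the campaign described in the article.
PHISHING_SAMPLE = "\n".join([
    'From: "LastPass Support" <alerts@example-abandoned.test>',
    "To: user@example.test",
    "Subject: Fwd: Re: Request to change primary email address",
    "",
    "We noticed suspicious activity on your account.",
    "Report suspicious activity: https://verify-lastpass.com/report",
    "Disconnect and lock vault: https://verify-lastpass.com/lock",
    "Revoke device: https://verify-lastpass.com.login-check.test/revoke",
    "",
])

# Constructed benign sample: brand display name on the genuine domain, genuine link.
LEGIT_SAMPLE = "\n".join([
    "From: LastPass <noreply@lastpass.com>",
    "To: user@example.test",
    "Subject: Your weekly security summary",
    "",
    "Review your vault at https://www.lastpass.com/",
    "",
])


if __name__ == "__main__":
    for finding in analyze_message(PHISHING_SAMPLE):
        print("PHISHING:", finding)
    print("LEGIT findings:", analyze_message(LEGIT_SAMPLE))
```

The display-name check is the cheap, high-signal one: a brand name in the From display name combined with a sender domain outside the allowlist is exactly the pattern the article describes. The link check deliberately reduces hostnames to their registrable domain so that `verify-lastpass.com.login-check.test` is not mistaken for a legitimate subdomain.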
The company underlined that its infrastructure has not been compromised in any way, and there’s no impact on its systems.
Moreover, it reminded customers that its support agents will never ask for their master password and that users should never disclose it to anyone.
LastPass is working with third-party partners to take down the fake websites as soon as possible, while urging users who receive suspicious communications to report them to ‘[email protected].’
LastPass’s popularity makes the service a frequent target of phishing campaigns. Earlier this year, in January, LastPass warned of another phishing campaign that distributed fake maintenance notifications, asking users to back up their vaults within 24 hours and redirecting them to phishing pages.
In late 2025, two more campaigns targeting LastPass occurred: one leveraging fake user death claims, and the other claiming the company had been hacked and urging users to download a new version of the client app.
Hope you enjoyed this news post. Feedback welcome.
Posted Thursday 5 March 2026 at 12:19 pm AEST (my time).
News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854