Crooks Impersonate LastPass in Scheme to Harvest Master Passwords

  • Jan 21

Key Findings


  • Attackers are impersonating LastPass in an active phishing campaign that aims to steal users' master passwords.

  • The phishing emails claim there is urgent LastPass maintenance and urge users to back up their password vaults within 24 hours.

  • The malicious emails use subject lines referencing infrastructure updates, vault security, and missed deadlines to trick victims.

  • The phishing links lead to an Amazon S3–hosted page that redirects to a fake LastPass site designed to harvest master passwords.

  • Attackers launched the campaign over a US holiday weekend to exploit reduced staffing and delay detection and response.


Background


  • In December 2025, blockchain intelligence firm TRM Labs warned that encrypted vault backups stolen in the 2022 LastPass breach are still being cracked using weak master passwords, enabling crypto theft as late as 2025.

  • Earlier in December 2025, the U.K. ICO fined LastPass £1.2m ($1.6m) for inadequate security measures that failed to prevent the 2022 breach.


Phishing Campaign Details


  • The phishing emails are being sent from several email addresses with various subject lines, including:

      • "LastPass Infrastructure Update: Secure Your Vault Now"

      • "Your Data, Your Protection: Create a Backup Before Maintenance"

      • "Don't Miss Out: Backup Your Vault Before Maintenance"

      • "Important: LastPass Maintenance & Your Vault Security"

      • "Protect Your Passwords: Backup Your Vault (24-Hour Window)"

  • The links in the emails lead to an Amazon S3–hosted phishing page ("group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf") that redirects to a fake LastPass site ("mail-lastpass[.]com").
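As an added defensive example (not code from the page's sources or from LastPass), the following Python check flags incoming mail that matches the subject lines and hosts listed above. The sample messages and the sender address are constructed for the demo, and the lookalike-host test (a host that mentions "lastpass" but is not lastpass.com or one of its subdomains) is an assumption added beyond the page's own indicators.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Indicators listed on this page (defanging brackets removed for matching).
KNOWN_PHISHING_HOSTS = {
    "group-content-gen2.s3.eu-west-3.amazonaws.com",
    "mail-lastpass.com",
}
KNOWN_SUBJECTS = {
    "LastPass Infrastructure Update: Secure Your Vault Now",
    "Your Data, Your Protection: Create a Backup Before Maintenance",
    "Don't Miss Out: Backup Your Vault Before Maintenance",
    "Important: LastPass Maintenance & Your Vault Security",
    "Protect Your Passwords: Backup Your Vault (24-Hour Window)",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_message(raw: str) -> dict:
    """Return which campaign indicators fired for one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    reasons = []
    if subject in KNOWN_SUBJECTS:
        reasons.append("known campaign subject line")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_PHISHING_HOSTS:
            reasons.append(f"known phishing host: {host}")
        # Assumed extra check: "lastpass" in a host that is not lastpass.com or a subdomain of it.
        elif "lastpass" in host and not (host == "lastpass.com" or host.endswith(".lastpass.com")):
            reasons.append(f"LastPass lookalike host: {host}")
    return {"subject": subject, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample messages (not real captures); the sender address is a placeholder.
SAMPLE_PHISH = """From: LastPass Support <support@sender.invalid>
Subject: Protect Your Passwords: Backup Your Vault (24-Hour Window)
Content-Type: text/plain; charset="utf-8"

Back up your vault within 24 hours: https://group-content-gen2.s3.eu-west-3.amazonaws.com/5yaVgx51ZzGf"""
SAMPLE_BENIGN = """From: LastPass <noreply@lastpass.com>
Subject: Your monthly security report
Content-Type: text/plain; charset="utf-8"

Review your security score at https://www.lastpass.com/ when you log in."""
```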


LastPass' Response


  • LastPass warns users it will never ask for master passwords and urges caution over phishing emails.

  • The company is working to take down the malicious domain and asks users to report suspicious messages to [email protected].

  • LastPass has shared indicators of compromise, including fake domains, IP addresses, sender details, and phishing email subject lines.

  • The company notes that the timing of the campaign, over a US holiday weekend, is a common tactic used by threat actors to exploit reduced staffing and delay detection and response.


Sources


  • https://securityaffairs.com/187145/cyber-crime/crooks-impersonate-lastpass-in-campaign-to-harvest-master-passwords.html

  • https://thehackernews.com/2026/01/lastpass-warns-of-fake-maintenance.html

© 2025 by Explain IT Again. Powered and secured by Wix