LastPass issues alert as customers face second major phishing campaign of 2026
The campaign is the third to hit LastPass users in six months
LastPass customers are again being targeted by phishing emails that appear to be forwarded internal messages.
In a customer advisory, the password manager firm warned emails are being sent from several email addresses, with various subject lines, claiming there has been unauthorized access to individuals’ accounts.
"This is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails," the company warned.
The fake email chains are intended to make it appear as though another individual is trying to take unauthorized action on their LastPass account - for example, exporting vaults, attempting full account recovery, or registering a new trusted device.
Attackers use display-name spoofing so that the name portion of the sender field reads "LastPass" while the actual sending address belongs to an unrelated domain.
This can fool recipients, LastPass warned, because many email clients, especially on mobile, show only the display name and reveal the full sender address only when the header is expanded.
What LastPass users need to know
The emails ask the recipient to take action such as reporting suspicious activity, disconnecting and locking the vault, or revoking a device, via included links - links that direct the targets to fake Single Sign-On (SSO) pages that then collect their credentials.
"At the center of the phishing chain is the domain https[:]//verify-lastpass[.]com," said LastPass.
"Most malicious links redirect to this domain, but the attackers generate many slightly modified versions by adding different trailing numbers. This lets them produce a large set of URLs that all resolve to the same phishing page."
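The two techniques the advisory describes (a display name that says "LastPass" over an unrelated sending address, and many numbered variants of one phishing host) can both be caught at the mail gateway. The following is an added triage example, not LastPass's code; the brand name, its legitimate domain, the blocklisted host taken from the advisory, and the sample messages are all constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the impersonated brand, its legitimate
# sending domain, and the phishing host the advisory names, used as a blocklist.
BRAND = "lastpass"
LEGIT_DOMAINS = {"lastpass.com"}
BLOCKED_HOSTS = {"verify-lastpass.com"}

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def display_name_spoofed(from_header: str) -> bool:
    """True when the display name invokes the brand but the address is not on a brand domain."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    on_brand_domain = any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)
    return BRAND in name.lower() and not on_brand_domain

def canonical_host(url: str) -> str:
    """Collapse the 'trailing number' variants back to one host. Assumption: the
    digits are appended to a host label (verify-lastpass8841.com); a numeric path
    suffix is ignored anyway because only the host is compared."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(re.sub(r"\d+$", "", label) for label in host.split("."))

def link_blocked(url: str) -> bool:
    """True when the canonical host is a blocked host or a subdomain of one."""
    host = canonical_host(url)
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def triage(message: dict) -> list:
    """Return the reasons a message should be quarantined (empty list = clean)."""
    reasons = []
    if display_name_spoofed(message["from"]):
        reasons.append("display name claims %s but sender domain is %s"
                       % (BRAND, sender_domain(message["from"]) or "missing"))
    reasons.extend("link resolves to blocked host: " + u for u in message["urls"] if link_blocked(u))
    return reasons

# Constructed sample messages modelled on the advisory (not real captures).
SAMPLES = [
    {"from": '"LastPass" <office@sender.example>', "urls": ["https://verify-lastpass8841.com/sso/login"]},
    {"from": "LastPass <no-reply@lastpass.com>", "urls": ["https://lastpass.com/help"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m) or "clean")
```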
The advisory lists several unrelated sender addresses from which the emails originate.
Subject lines include "Re: the details", "Re: pending approval", "Re: Access request pending", "Re: FYI", "RE: sign-in — TRZ-2302300", "Fwd: Re: your request" and "Re: credential download".
LastPass emphasized that it will never ask users for their master password, and said it is working with its third-party partners to have the offending sites taken down as soon as possible.
LastPass users face an array of threats
This is the second phishing campaign against LastPass users in the space of two months, highlighting the range of threats faced by customers.
In January, for example, fraudulent emails were distributed to users claiming that the site was due to undergo maintenance.
That particular campaign urged customers to back up their vaults within 24 hours, and some received phone calls from the scammers aimed at increasing the pressure.
In October last year, another campaign used similar tactics, claiming that the company had been hacked.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.