LastPass issues alert as customers face second major phishing campaign of 2026
The campaign is the third to hit LastPass users in six months
LastPass customers are again being targeted by phishing emails that appear to be forwarded internal messages.
In a customer advisory, the password manager firm warned emails are being sent from several email addresses, with various subject lines, claiming there has been unauthorized access to individuals’ accounts.
"This is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails," the company warned.
The fake email chains are intended to make it appear as though another individual is trying to take unauthorized action on their LastPass account - for example, exporting vaults, attempting full account recovery, or registering a new trusted device.
Attackers use display name spoofing as part of the attack so that the name portion of the sender field appears to be LastPass, while the actual sending email address is unrelated.
This can fool recipients, LastPass warned, as many email clients, especially mobile, show only the display name while the complete sender address is shown if it's expanded.
What LastPass users need to know
The emails ask the recipient to take action such as reporting suspicious activity, disconnecting and locking the vault, or revoking a device, via included links - links that direct the targets to fake Single Sign-On (SSO) pages that then collect their credentials.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"At the center of the phishing chain is the domain https[:]//verify-lastpass[.]com," said LastPass.
"Most malicious links redirect to this domain, but the attackers generate many slightly modified versions by adding different trailing numbers. This lets them produce a large set of URLs that all resolve to the same phishing page."
The emails originate from several addresses, including:
- office@hancochem.at
- admin@salud5i.cl
- no_reply@remstal-praxis.de
- demo@fluxstore.io
- no_reply@kreducationsa.com
- support@yodhafinance.com
- hr@bebran.com
- info@itpbusa.com
Subject lines include "Re: the details", "Re: pending approval", "Re: Access request pending", "Re: FYI", "RE: sign-in — TRZ-2302300", "Fwd: Re: your request" and "Re: credential download".
LastPass emphasized that it will never ask for their master password and said it is working with its third-party partners to have the offending sites taken down as soon as possible.
LastPass users face an array of threats
This is the second phishing campaign against LastPass users in the space of two months, highlighting the range of threats faced by customers.
In January, for example, fraudulent emails were distributed to users claiming that the site was due to undergo maintenance.
That particular campaign urged customers to back-up vaults within 24 hours, and some received phone calls from the scammers aimed at increasing pressure.
In October last year, another campaign used similar tactics, claiming that the company had been hacked.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Cisco sounds alarm over new Russian malware campaign hitting firms in US and EuropeNews UAT-11795 is weaponizing legitimate software such as WebEx and Zoom to dupe victims
-
Why doesn't more data produce better results?ITPro Podcast Riverbed CIO Fernando Castanheira talks about data and how businesses can use it better
-
1Password teams up with Anthropic to give Claude access to your credentialsNews A new ‘zero-exposure’ security framework allows agents to use stored credentials in the 1Password vault
-
Multi-channel phishing attacks: How to manage the riskIn-depth Attackers are evolving beyond email towards phishing across multiple channels. Why is this, and what can be done to manage the risk?
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Dashlane lifts the lid on attack that saw hackers download encrypted user vaultsNews The company said it has now informed all affected customers, and taken action to shut down the operation
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees