LastPass issues alert as customers targeted in new phishing campaign
The company says messages claiming that LastPass users need to backup vaults are false
LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign.
The password management firm said emails claiming the site is due to undergo maintenance have been circulating since 19 January. The messages include prompts for customers to backup vaults within the next 24 hours, LastPass revealed.
"Please be advised that LastPass is NOT asking customers to backup their vaults in the next 24 hours; rather, this is an attempt on the part of a malicious actor to generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails," said the firm in a statement.
The emails come with several different subject lines, including:
- "LastPass Infrastructure Update: Secure Your Vault Now”
- “Your Data, Your Protection: Create a Backup Before Maintenance”
- “Don’t Miss Out: Backup Your Vault Before Maintenance”
- “Important: LastPass Maintenance & Your Vault Security”
- “Protect Your Passwords: Backup Your Vault (24-Hour Window)”.
The sender addresses are support@sr22vegas[.]com and support@lastpass[.]server8/server7/server3.
IPs associated with the campaign include 192.168.16[.]19 and 172.23.182.202, LastPass confirmed.
How to spot the fake LastPass emails
The emails claim that a “legacy access” request has been opened – often using alarming language, such as even informing recipients they may be deceased – and include fake case details to appear legitimate.
Victims are directed to a fraudulent LastPass website that looks like the real thing, hosted at “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”, which then redirects to “mail-lastpass[.]com.”
Here they are prompted to enter their credentials. In some cases, the attackers also follow up with phone calls to increase pressure.
“This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks,” said a spokesperson for the threat intelligence, mitigation, and esalaction (TIME) team at LastPass.
“We want customers and the broader security community to be aware that LastPass will never ask for their master password or demand immediate action under a tight deadline. We thank our customers for staying vigilant and continuing to report suspicious activity.”
LastPass campaign looks to catch users off-guard
Notably, the campaign was timed for a holiday weekend in the US, probably in the hopes that this would mean reduced staffing levels that could delay detection and draw out response time.
"Please remember that no one at LastPass will ever ask for your master password. Rest assured, we are working with our third-party partners to have this domain taken down as soon as possible," said the firm.
"In the meantime, please take the appropriate precautions and, as always, if you are ever unsure whether a LastPass branded email is legitimate, submit it to abuse@lastpass.com."
The latest advisory marks the second time in six months that LastPass has been forced to put out an alert like this. A phishing campaign in October 2025 used similar tactics, claiming that the company had been hacked.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
-
European Commission awards digital sovereignty contractsNews The Commission has picked four providers to offer services for EU bodies, but one consortium includes Google Cloud
-
Acer Veriton GN100 reviewReviews The Nvidia DGX Spark-based system offers a huge amount of AI power thanks to the GB10 Superchip – but with a huge pricetag
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businessesNews Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
'AI-generated phishing became the baseline' for hackers last year – Kaseya warns it's going to get worse in 2026News Forget looking for typos and bad grammar, phishing campaigns are using AI to boost their attack success
-
Interpol teams up with tech firms to seize 45,000 malicious IPs, servers in global cyber crime crackdownNews Operation Synergia III saw 94 arrests - and counting - with malicious IP addresses used in phishing and fraud schemes seized
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
-
LastPass issues alert as customers face second major phishing campaign of 2026News The campaign is the third to hit LastPass users in six months
-
A single compromised account gave hackers access to 1.2 million French banking recordsNews Ficoba has warned that “numerous” scams are already in circulation following the data breach
-
Starkiller: Cyber experts issue warning over new phishing kit that proxies real login pagesNews The Starkiller package offers monthly framework updates and documentation, meaning no technical ability is needed
