LastPass issues alert as customers targeted in new phishing campaign
The company says messages claiming that LastPass users need to backup vaults are false
LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign.
The password management firm said emails claiming the site is due to undergo maintenance have been circulating since 19 January. The messages include prompts for customers to backup vaults within the next 24 hours, LastPass revealed.
"Please be advised that LastPass is NOT asking customers to backup their vaults in the next 24 hours; rather, this is an attempt on the part of a malicious actor to generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails," said the firm in a statement.
The emails come with several different subject lines, including:
- "LastPass Infrastructure Update: Secure Your Vault Now”
- “Your Data, Your Protection: Create a Backup Before Maintenance”
- “Don’t Miss Out: Backup Your Vault Before Maintenance”
- “Important: LastPass Maintenance & Your Vault Security”
- “Protect Your Passwords: Backup Your Vault (24-Hour Window)”.
The sender addresses are support@sr22vegas[.]com and support@lastpass[.]server8/server7/server3.
IPs associated with the campaign include 192.168.16[.]19 and 172.23.182.202, LastPass confirmed.
How to spot the fake LastPass emails
The emails claim that a “legacy access” request has been opened – often using alarming language, such as even informing recipients they may be deceased – and include fake case details to appear legitimate.
Victims are directed to a fraudulent LastPass website that looks like the real thing, hosted at “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”, which then redirects to “mail-lastpass[.]com.”
Here they are prompted to enter their credentials. In some cases, the attackers also follow up with phone calls to increase pressure.
“This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks,” said a spokesperson for the threat intelligence, mitigation, and esalaction (TIME) team at LastPass.
“We want customers and the broader security community to be aware that LastPass will never ask for their master password or demand immediate action under a tight deadline. We thank our customers for staying vigilant and continuing to report suspicious activity.”
LastPass campaign looks to catch users off-guard
Notably, the campaign was timed for a holiday weekend in the US, probably in the hopes that this would mean reduced staffing levels that could delay detection and draw out response time.
"Please remember that no one at LastPass will ever ask for your master password. Rest assured, we are working with our third-party partners to have this domain taken down as soon as possible," said the firm.
"In the meantime, please take the appropriate precautions and, as always, if you are ever unsure whether a LastPass branded email is legitimate, submit it to abuse@lastpass.com."
The latest advisory marks the second time in six months that LastPass has been forced to put out an alert like this. A phishing campaign in October 2025 used similar tactics, claiming that the company had been hacked.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
-
Abzorb cuts ribbon on new UK channel partner clinicsNews The expert-led, on-demand clinics have been designed to help partners tap into new connectivity revenue opportunities
-
CEOs are fed up with poor return on investment from AINews Most CEOs say they're struggling to turn AI investment into tangible returns and failing to move beyond exploratory projects
-
NCSC names and shames pro-Russia hacktivist group amid escalating DDoS attacks on UK public servicesNews Russia-linked hacktivists are increasingly trying to cause chaos for UK organizations
-
An AWS CodeBuild vulnerability could’ve caused supply chain chaos – luckily a fix was applied before disaster struckNews A single misconfiguration could have allowed attackers to inject malicious code to launch a platform-wide compromise
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Supply chain and AI security in the spotlight for cyber leaders in 2026News Organizations are sharpening their focus on supply chain security and shoring up AI systems
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Hacked London council warns 100,000 households at risk of follow-up scamsNews The council is warning residents they may be at increased risk of phishing scams in the wake of the cyber attack.
-
Warning issued as surge in OAuth device code phishing leads to M365 account takeoversNews Successful attacks enable full M365 account access, opening the door to data theft, lateral movement, and persistent compromise
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
