LastPass has warned of an active phishing campaign that impersonates the password manager to trick users into handing over their master password. The wave of fraudulent emails, detected from 19 January 2026, uses pretexts related to supposed maintenance and asks victims to "create a local copy" of their vault within a very short time, with the aim of provoking an impulsive reaction.
The attackers send messages with subject lines that imitate official communications, seeking to convey urgency and legitimacy. LastPass explains that this tactic (pressure through short deadlines and security alerts) is one of the most effective in phishing campaigns because it pushes users to skip simple checks. The company has insisted that it will never request the master password by email and that it will not impose immediate deadlines to recover or export vaults.

The lure first redirects victims to infrastructure controlled by the attackers, hosted in an S3 bucket at a path similar to "group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf", and from there to a domain that pretends to belong to LastPass, identified as mail-lastpass[.]com. LastPass has published information about the campaign and is coordinating with external partners to try to take down the malicious infrastructure; its official notice is available on its corporate blog: blog.lastpass.com. In addition, the fraudulent domain has been recorded and analysed by intelligence services such as VirusTotal (entry: mail-lastpass[.]com).
LastPass has also provided the email addresses from which the malicious messages are sent, to help users identify them: for example, they appear as support@sr22vegas[.]com and variants that try to look legitimate (support@lastpass[.]server8, support@lastpass[.]server7, support@lastpass[.]server3). Publishing the sender addresses makes it easy to check whether an email comes from a real source or not, as attackers often use lookalike domains or compromised servers to give an appearance of authenticity.
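The sender and URL indicators above can be checked against incoming mail automatically. The following is an added example, not code from LastPass or from the original article: it keeps the page's indicators defanged at rest, refangs them only for matching, and runs over two constructed sample messages (the function names and sample mail are assumptions).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators as published on this page, stored defanged so they stay unclickable.
DEFANGED_SENDERS = ["support@sr22vegas[.]com", "support@lastpass[.]server8",
                    "support@lastpass[.]server7", "support@lastpass[.]server3"]
DEFANGED_URLS = ["group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf",
                 "mail-lastpass[.]com"]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def refang(indicator):
    """Convert a defanged indicator ('[.]') to its matchable lowercase form."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).lower()

def url_matches(url, indicator):
    """Host-only indicators match the host or its subdomains; host/path ones match by prefix."""
    rest = url.lower().split("://", 1)[1]
    host = rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0]
    if "/" in indicator:
        return rest.startswith(indicator)
    return host == indicator or host.endswith("." + indicator)

def triage(raw_message):
    """Return the defanged campaign indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = []
    # The display name is attacker-controlled, so compare the address only.
    addr = parseaddr(msg.get("From", ""))[1].lower()
    hits += ["sender:" + s for s in DEFANGED_SENDERS if refang(s) == addr]
    # Decode every leaf part so base64 or quoted-printable bodies are searched too.
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    body = b"\n".join(parts).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        hits += ["url:" + u for u in DEFANGED_URLS if url_matches(url, refang(u))]
    return hits

# Constructed sample messages (not real campaign mail), built from the refanged indicators.
PHISH = ("From: LastPass Support <" + refang(DEFANGED_SENDERS[0]) + ">\n"
         "Subject: Scheduled maintenance\n\n"
         "Create a local copy of your vault now: https://" + refang(DEFANGED_URLS[0]) + "\n")
BENIGN = ("From: Newsletter <news@example.com>\nSubject: Weekly digest\n\n"
          "Read more at https://blog.lastpass.com/ or https://notmail-lastpass.example/\n")

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(BENIGN))
```

The S3 indicator is matched as host plus path rather than by parent domain, since the parent domain is shared cloud infrastructure, while the lookalike domain is matched on the exact host or its subdomains so that unrelated names containing the same string do not trigger.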
What is the risk of falling into this trap? If an attacker obtains the master password, they potentially gain access to the entire set of credentials stored in the user's vault, which can enable takeover of critical service accounts, theft of financial information and identity theft. Although many vaults are encrypted and some managers apply additional protection mechanisms, exposure of the master password remains the most direct path to a serious compromise.
To avoid becoming a victim, follow simple but effective practices: if you receive an email that demands immediate action, do not click links or download attachments; open the password manager or the official website by typing the URL manually or using a trusted bookmark; check the sender calmly and review the spelling and tone of the message; and, where possible, enable additional authentication factors to protect access to your account. Cybersecurity authorities and teams recommend similar steps as general measures against phishing; practical guides are available from public bodies such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA - Tips against phishing) and the United Kingdom's National Cyber Security Centre (NCSC - phishing).

LastPass has thanked customers who report suspicious emails and has stressed the importance of collaboration between users and security teams in tackling such campaigns. Specialist cybersecurity media have also covered the news and interviewed spokespersons from the company's Threat Intelligence, Mitigation and Escalation (TIME) team, who highlight the attackers' intention to create a false sense of urgency in order to force human error; more information and context can be found in technology outlets such as The Hacker News.
If you think you have responded to such an email and entered your master password on a suspicious page, act quickly: change the master password from a secure device, review the logins and active sessions on your account, and consider resetting the passwords of critical services if there are signs of abuse. It is also advisable to report the incident to LastPass and to the support channels of the affected service so that they can take action and alert other users.
The lesson of this episode is twofold: on the one hand, attackers continue to refine their methods of exploiting haste and trust; on the other, the collective response (attentive users, vendors who publish notices and platforms that act to remove malicious infrastructure) remains the most effective defense. Maintaining basic digital security habits and distrusting urgent requests received by email remains, today more than ever, an essential measure.