LastPass recently warned about a phishing campaign that is disguised as a maintenance notice and asks users to back up their vault in a very short time. The fraudulent emails try to create urgency and trust at the same time: they present a "create a backup" button that redirects to a fake site where attackers try to take over the account or capture the user's master password.
Most importantly, LastPass is not asking users to back up their vaults in 24 hours. The company says so in its official statement and asks that any suspicious message be reported to its abuse team at abuse@lastpass.com. You can read the original LastPass announcement on its blog for the details and the company's direct recommendations: LastPass: new phishing campaign for customers.

According to its intelligence team's investigation, the campaign began in mid-January and the messages were sent from addresses built to appear legitimate, for example variants with suspicious domains such as support@lastpass.server8 or support@sr22vegas.com. The button links to a fake domain reported by LastPass as mail-lastpass.com, which at the time of the notice was out of service, although such pages can reappear with rapid variations.
The hook used is classic: a notice that speaks of an "infrastructure update" or a "maintenance window" and stresses the urgency of making a local copy so as not to lose access. That sense of alarm is precisely what the attackers are looking for: to force a quick reaction and to prevent the victim from thinking calmly or checking the authenticity of the message.
Why it is dangerous. If someone enters their master password, or fills in forms on a site controlled by an attacker, there is a risk that the entire vault will be compromised. Although password managers encrypt the data, the master password remains the key: whoever captures it can decrypt the contents or use the access to start reset sequences in other services.
In addition, bad actors often choose times when companies may be less available to respond quickly, such as public holidays, which reduces the likelihood of early detection and mitigation.
What to do if you get one of these emails. Do not click links or download anything from the message. Check the actual sender calmly, hover the cursor over the link to see the real address without clicking, and open the official application or the LastPass website from your browser by typing the URL directly or using a trusted bookmark. Enable multifactor authentication if you don't have it, review the login activity and the active sessions on your account, and change the master password only through official channels if you think it might have been exposed.
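The sender and link checks described above can be automated for mail triage. The following is an added example, not code from LastPass or from the original article; it assumes `lastpass.com` is the only domain treated as official, and the sample message is constructed from the indicators reported above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = "lastpass.com"  # assumption: the only domain treated as official here
URGENCY = re.compile(r"24 hours|maintenance|backup|back up", re.I)  # lure wording

# Constructed sample message modelled on the indicators reported above.
SAMPLE = """\
From: LastPass Support <support@sr22vegas.com>
Subject: Infrastructure update: back up your vault within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Maintenance window scheduled.</p>
<a href="https://mail-lastpass.com/backup">Create a backup</a>
"""

def is_official(host):
    # Exact match or a true subdomain; "mail-lastpass.com" is neither.
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

class LinkHosts(HTMLParser):
    """Collects the hostname behind every <a href>, ignoring the visible text."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlsplit(href).hostname)

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_official(sender_domain):
        findings.append(f"sender domain not official: {sender_domain}")
    parser = LinkHosts()
    parser.feed(msg.get_payload())
    for host in parser.hosts:
        if not is_official(host):
            findings.append(f"link host not official: {host}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency wording in subject")
    return findings
```

A `From` header can be forged, so a message that passes the sender check is not thereby authentic; the SPF, DKIM and DMARC results recorded by the receiving mail server should be checked as well.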

If you already entered data on a fake page, act quickly: change the master password, revoke sessions and keys, and consider restoring from a secure copy if your manager allows it. Report the incident to LastPass and to the relevant authorities or platforms. For general guidance on how to recognize and report phishing, national cyber security centres provide useful resources, for example the recommendations of the United Kingdom National Cyber Security Centre: NCSC - Phishing, or the advice of CISA in the United States: CISA - How to protect yourself from phishing.
It is important to remember that LastPass and other password managers are frequent targets because they centralize valuable credentials. In recent months, campaigns have been seen with very different lures - from fake breach alerts to emotional stories - that show the creativity of the attackers. The constant recommendation is therefore to doubt unexpected emails that ask for urgent action and always to check through official channels before entering passwords or downloading tools.
The best defense is informed suspicion and digital prudence: never send your master password in response to an email, avoid following links to manage your account when you can open the app or the official site instead, and keep multifactor authentication on. If you need more information or want to check an email, LastPass keeps support resources on its help page: LastPass Support. Remember to report any attempt to abuse@lastpass.com.