
"This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks," a spokesperson for the Threat Intelligence, Mitigation, and Escalation (TIME) team at LastPass told The Hacker News in a statement.
"We want customers and the broader security community to be aware that LastPass will never ask for their master password or demand immediate action under a tight deadline. We thank our customers for staying vigilant and continuing to report suspicious activity."
An active phishing campaign impersonating LastPass began on or around January 19, 2026, targeting users with urgent emails instructing them to create local backups within 24 hours. Subject lines include maintenance- and backup-themed prompts designed to create a false sense of urgency. The emails direct recipients to a phishing S3 URL that then redirects to mail-lastpass[.]com. Messages originate from spoofed addresses such as support@sr22vegas[.]com and several support@lastpass.[.]server hosts. LastPass will never ask for master passwords, is working with third parties to remove malicious infrastructure, and urges vigilance against credential-stealing tactics.
Read at The Hacker News