A sophisticated phishing campaign is currently targeting users of the password management service LastPass. The attackers are sending deceptive support emails that aim to steal master passwords from unsuspecting individuals.
Identifying the Phishing Threat
Initiated around March 1, 2026, this campaign uses social engineering tactics to convince users that their accounts have been compromised. The goal is to make recipients willingly hand over their credentials by creating a false sense of urgency.
The attackers send emails that mimic internal communication threads, falsely indicating that unauthorized actions are being performed on the victim’s account. These actions include exporting vault data and initiating account recovery processes, pushing users to react impulsively.
Response and Mitigation Efforts
LastPass analysts, part of the TIME team, detected the campaign and issued a public advisory on March 3, 2026. They confirmed no direct threat to LastPass’s systems but highlighted the danger posed by users entering their credentials on fraudulent sites.
The phishing scheme involves redirecting users through multiple links to a fake single sign-on page hosted at verify-lastpass[.]com. Attackers frequently update the URL to evade basic security filters, complicating detection efforts.
Protecting Users Against Phishing Tactics
LastPass advises users to remain skeptical of unexpected emails concerning account activity and to report suspicious communications to [email protected]. The company emphasizes that it will never request master passwords via email.
A key element of this campaign is display name spoofing, where attackers manipulate the visible sender name while using unrelated email domains. This deception is particularly effective on mobile devices, where only the sender’s name is visible by default.
Upon clicking the email’s embedded link, victims are directed to a counterfeit LastPass login page. Entering credentials here grants attackers access to the user’s vault, putting all stored information at risk.
To safeguard against these threats, users should verify the full sender address in emails, avoid clicking links suggesting account issues, and directly access LastPass through its official website.
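The two signals the article describes, a trusted brand in the visible sender name over an unrelated sending domain and an embedded link whose host merely contains the brand, can both be checked mechanically at the mail gateway. The following is an added example (not LastPass's own tooling); it assumes lastpass.com is the only legitimate sender and link domain, and the sample message below is constructed to mirror the campaign rather than a captured email.

```python
"""Flag brand-spoofed senders and lookalike link hosts in a raw RFC 5322 message."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"lastpass.com"}   # assumption: the vendor's only legitimate domain
BRAND = "lastpass"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_legit(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def _text_body(msg) -> str:
    # Concatenate every text/* part so links in multipart mail are not missed.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type().startswith("text/"))


def check_message(raw: str) -> dict:
    """Return spoofed-sender and lookalike-host findings for one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name spoofing: brand in the visible name, unrelated sending domain.
    spoofed = BRAND in name.lower() and not _is_legit(sender_domain)
    # Lookalike links: host contains the brand but is not the legitimate domain.
    lookalike = []
    for url in URL_RE.findall(_text_body(msg)):
        host = urlparse(url).hostname or ""
        if BRAND in host.lower() and not _is_legit(host):
            lookalike.append(host)
    return {"spoofed_sender": spoofed, "sender_domain": sender_domain,
            "lookalike_hosts": lookalike}


# Constructed sample modelled on the reported campaign; the sending domain is invented.
SAMPLE = """From: LastPass Support <support@mail-notify.example>
To: user@example.com
Subject: Re: Fwd: Vault export request

A vault export is in progress on your account. If this was not you, verify now:
https://verify-lastpass.com/sso/verify?u=abc
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))
```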
