Password manager LastPass warns of an active phishing campaign impersonating the service to steal users’ master passwords.
LastPass warned users about an active phishing campaign that began around January 19, 2026. Attackers impersonate the service with emails claiming urgent maintenance and urge users to back up their password vaults within 24 hours.
The messages use subject lines referencing infrastructure updates, vault security, and missed deadlines to trick victims into revealing their master passwords.
*“LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team would like to alert our customers to an active phishing campaign that began on or around January 19…
Password manager LastPass warns of an active phishing campaign impersonating the service to steal users’ master passwords.
LastPass warned users about an active phishing campaign that began around January 19, 2026. Attackers impersonate the service with emails claiming urgent maintenance and urge users to back up their password vaults within 24 hours.
The messages use subject lines referencing infrastructure updates, vault security, and missed deadlines to trick victims into revealing their master passwords.
“LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team would like to alert our customers to an active phishing campaign that began on or around January 19, 2026.” reads the alert. “These phishing emails are being sent from several email addresses with various subject lines claiming that LastPass is about to conduct maintenance and urging users to backup their vaults in the next 24 hours. The known list of email addresses and subject lines can be found below.”
The campaign uses phishing emails with links claiming to help users back up their LastPass vaults. The links lead to an Amazon S3–hosted phishing page (“group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”) that redirects to a fake LastPass site (“mail-lastpass[.]com). Attackers launched the campaign over a US holiday weekend to exploit reduced staffing and delay detection and response.
LastPass warns users it will never ask for master passwords and urges caution over phishing emails. The company is working to take down the malicious domain, asks users to report suspicious messages to [email protected], and shared indicators of compromise, including fake domains, IP addresses, sender details, and phishing email subject lines.
“The timing of the campaign, which fell over a holiday weekend in the United States, is a common tactic among threat actors seeking to take advantage of reduced staffing under the assumption it will postpone detection and draw out response time.” concludes the report.
In December 2025, the blockchain intelligence firm TRM Labs warned that encrypted vault backups stolen in the 2022 LastPass breach are still being cracked using weak master passwords, enabling crypto theft as late as 2025.
Earlier December, the U.K. ICO fined the password manager £1.2m ($1.6m ) for inadequate security measures that failed to prevent the breach.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs** – hacking, LastPass)**