**Crooks Impersonate LastPass in Campaign to Harvest Master Passwords**

LastPass, a popular password manager, has issued a warning about an active phishing campaign that aims to steal users' master passwords. The campaign, which began around January 19, 2026, uses emails that claim urgent maintenance and urge users to back up their password vaults within 24 hours.
The phishing emails use subject lines that reference infrastructure updates, vault security, and missed deadlines in an attempt to trick victims into revealing their master passwords. LastPass has confirmed that these emails are being sent from several email addresses with various subject lines, and the company is working to take down the malicious domain.
"The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team would like to alert our customers to an active phishing campaign that began on or around January 19, 2026," reads the alert. "These phishing emails are being sent from several email addresses with various subject lines claiming that LastPass is about to conduct maintenance and urging users to backup their vaults in the next 24 hours."
The campaign uses links that claim to help users back up their LastPass vaults, but these links lead to an Amazon S3-hosted phishing page ("group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf") that redirects to a fake LastPass site ("mail-lastpass[.]com"). The attackers launched the campaign over a US holiday weekend, taking advantage of reduced staffing and hoping to delay detection and response.
LastPass is urging users to exercise caution when receiving emails claiming to be from the company. "We will never ask for master passwords," the company emphasizes. Users are also advised to report suspicious messages to [email protected], and LastPass has shared indicators of compromise, including fake domains, IP addresses, sender details, and phishing email subject lines.
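As an added example (not code from the LastPass alert or from this article), the following Python triage check flags a message on the indicators the article names: the lookalike sender domain, the two published hosts, and the "maintenance, back up your vault within 24 hours" lure themes. The theme regexes and the sample messages are my own constructions, not LastPass's published indicator list.

```python
import re
from urllib.parse import urlparse

# Hosts quoted in the article, published defanged with "[.]"; refanged here for matching.
KNOWN_BAD_HOSTS = {"group-content-gen2.s3.eu-west-3.amazonaws.com", "mail-lastpass.com"}
LEGIT_DOMAINS = ("lastpass.com",)

# Lure themes the article describes; these patterns are an assumption, not LastPass's IoC list.
THEME_PATTERNS = [
    re.compile(r"\bmaintenance\b", re.I),
    re.compile(r"\bback ?up\b.*\bvault", re.I),
    re.compile(r"\b24 hours?\b", re.I),
    re.compile(r"\binfrastructure (update|upgrade)\b", re.I),
    re.compile(r"\bmissed deadline\b", re.I),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_legit_host(host):
    """True only for the real brand domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def score_message(sender, subject, body):
    """Return (score, reasons): one point per independent indicator that fires."""
    reasons = []
    sender_host = sender.rsplit("@", 1)[-1].lower()
    # Brand name inside a domain that is not the real one, e.g. mail-lastpass.com
    if "lastpass" in sender_host and not is_legit_host(sender_host):
        reasons.append("lookalike sender domain: " + sender_host)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known campaign host: " + host)
        elif "lastpass" in host and not is_legit_host(host):
            reasons.append("lookalike link host: " + host)
    hits = [p.pattern for p in THEME_PATTERNS if p.search(subject) or p.search(body)]
    if len(hits) >= 2:  # one word alone is too noisy; require two lure themes together
        reasons.append("%d lure themes: %s" % (len(hits), hits))
    return len(reasons), reasons

# Constructed sample messages for a local run; not real captures.
SAMPLES = [
    ("support@mail-lastpass.com", "Urgent: Infrastructure Update - Back Up Your Vault",
     "We will conduct maintenance. Back up your vault within 24 hours: "
     "https://group-content-gen2.s3.eu-west-3.amazonaws.com/5yaVgx51ZzGf"),
    ("noreply@lastpass.com", "Your monthly security report",
     "View it at https://lastpass.com/report"),
]
```

Running `score_message(*SAMPLES[0])` returns a score of 3 with all three reasons, while the legitimate-looking second sample scores 0.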
The timing of the campaign is not surprising, as threat actors often try to take advantage of reduced staffing during holidays. "The timing of the campaign, which fell over a holiday weekend in the United States, is a common tactic among threat actors seeking to take advantage of reduced staffing under the assumption it will postpone detection and draw out response time," concludes the report.
In related news, blockchain intelligence firm TRM Labs warned in December 2025 that encrypted vault backups stolen in the 2022 LastPass breach are still being cracked using weak master passwords, enabling crypto theft as late as 2025. Earlier this month, the U.K. ICO fined the password manager £1.2m ($1.6m) for inadequate security measures that failed to prevent the breach.