LastPass is warning customers about an ongoing **phishing campaign** by the financially motivated threat group **CryptoChameleon (UNC5356)**, which has been targeting its users since mid-October. The attack uses fraudulent emails impersonating LastPass's legacy inheritance process, claiming that a family member has requested access to the victim's password vault on the strength of a fake death certificate. Users are tricked into clicking a malicious link that redirects them to a spoofed login page (**lastpassrecovery[.]com**), where they are prompted to enter their **master password**. In some cases, attackers also posed as LastPass support staff in phone calls to pressure victims further.

The campaign has evolved to include **passkey-focused phishing domains** (e.g., **mypasskey[.]info**), indicating attempts to steal modern, passwordless authentication credentials as well. This follows LastPass's **2022 breach**, in which encrypted vault backups were stolen and later linked to cryptocurrency thefts totaling **$4.4 million**. The latest attack combines psychological manipulation with technical deception to compromise user accounts, potentially giving attackers access to the sensitive credentials stored in LastPass vaults.
TPRM report: https://www.rankiteo.com/company/lastpass
"id": "las1192211102425",
"linkid": "lastpass",
"type": "Cyber Attack",
"date": "6/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': "unknown (campaign described as 'extensive')",
                        'industry': 'cybersecurity',
                        'location': 'global (users worldwide)',
                        'name': 'LastPass',
                        'type': 'password manager service'}],
 'attack_vector': ['email phishing',
                   'fake inheritance request',
                   'voice phishing (vishing)',
                   'fraudulent login pages'],
 'customer_advisories': 'Users advised to ignore inheritance requests unless independently verified, avoid entering credentials on linked sites, and report suspicious activity.',
 'data_breach': {'data_encryption': 'N/A (credentials voluntarily entered by users on fake sites)',
                 'data_exfiltration': 'likely (if credentials entered on phishing sites)',
                 'personally_identifiable_information': 'high risk (if vaults accessed)',
                 'sensitivity_of_data': 'high (passwords, cryptographic keys, financial access)',
                 'type_of_data_compromised': ['master passwords',
                                              'passkeys',
                                              'potential vault data (if credentials reused)']},
 'date_detected': 'mid-October 2023',
 'description': "LastPass is warning customers of a phishing campaign sending emails with an access request to the password vault as part of a legacy inheritance process. The activity, attributed to the financially motivated threat group CryptoChameleon (UNC5356), started in mid-October 2023 and has evolved to target passkeys as well. The phishing emails claim a family member requested access to the victim's LastPass vault via a fabricated death certificate, redirecting users to a fraudulent login page (lastpassrecovery[.]com) to steal credentials. In some cases, threat actors posed as LastPass staff to direct victims to the phishing site. The campaign also uses passkey-focused phishing domains like mypasskey[.]info and passkeysetup[.]com. This follows a 2022 data breach where encrypted vault backups were stolen, linked to subsequent cryptocurrency losses of ~$4.4 million.",
 'impact': {'brand_reputation_impact': 'high (repeated targeting of LastPass users, erosion of trust in security)',
            'customer_complaints': 'likely (based on phishing volume)',
            'data_compromised': ['LastPass master passwords',
                                 'passkeys',
                                 'potential vault contents'],
            'financial_loss': '$4.4 million (from 2022 breach-linked cryptocurrency losses; current campaign losses unspecified)',
            'identity_theft_risk': 'high (stolen credentials could enable broader account takeovers)',
            'payment_information_risk': 'high (cryptocurrency wallets targeted)',
            'systems_affected': ['LastPass user accounts',
                                 'passkey storage systems']},
 'initial_access_broker': {'data_sold_on_dark_web': "likely (based on group's modus operandi)",
                           'entry_point': 'phishing emails (legacy inheritance requests)',
                           'high_value_targets': ['cryptocurrency wallet credentials',
                                                  'passkeys',
                                                  'password vaults'],
                           'reconnaissance_period': 'likely extensive (group known for targeting crypto wallets since at least 2022)'},
 'investigation_status': 'ongoing (active campaign as of April 2024)',
 'lessons_learned': 'Threat actors are increasingly targeting passwordless authentication methods (e.g., passkeys) and exploiting psychological triggers (e.g., inheritance processes). Legacy features in security products can become attack vectors if not rigorously secured against social engineering. User education remains critical to combat sophisticated phishing.',
 'motivation': 'financial gain (cryptocurrency theft)',
 'post_incident_analysis': {'root_causes': ["Exploitation of trust in LastPass's legacy inheritance feature.",
                                            'Lack of robust verification for high-risk access requests.',
                                            'Passkey storage in password managers becoming a target for credential theft.',
                                            'User susceptibility to social engineering (urgency, authority impersonation).']},
 'recommendations': ['Enable multi-factor authentication (MFA) for all critical accounts, including password managers.',
                     'Verify inheritance/access requests through out-of-band channels (e.g., phone calls to trusted contacts).',
                     'Use hardware security keys (e.g., YubiKey) for passkey storage to resist phishing.',
                     'Monitor for suspicious domains spoofing legitimate services (e.g., lastpassrecovery[.]com).',
                     'Implement delays or additional verification for high-risk actions like inheritance requests.',
                     'Educate users on recognizing vishing (voice phishing) tactics.'],
 'references': [{'source': 'LastPass Blog'}],
 'response': {'communication_strategy': ['blog post', 'media alerts'],
              'containment_measures': ['public advisory to users',
                                       'warning about phishing domains'],
              'incident_response_plan_activated': 'likely (public warning issued)'},
 'stakeholder_advisories': 'Public warning issued to LastPass users.',
 'threat_actor': 'CryptoChameleon (UNC5356)',
 'title': 'Phishing Campaign Targeting LastPass Users via Fake Legacy Inheritance Process',
 'type': ['phishing',
          'social engineering',
          'credential theft',
          'passkey theft'],
 'vulnerability_exploited': ['human trust in legacy inheritance process',
                             'lack of multi-factor authentication (MFA) enforcement on phishing sites',
                             'passkey storage in password managers']}