LastPass and Amazon Web Services: LastPass Warns of Fake Maintenance Message Tracking Users to Steal Master Passwords

Critical Phishing Campaign Targets LastPass Users in Sophisticated Attack

A high-severity phishing campaign targeting LastPass users began on January 19, 2026, with attackers impersonating the company’s support team to steal master passwords. The fraudulent emails falsely claim an urgent need for vault backups within 24 hours, leveraging social engineering to exploit user trust.

LastPass has confirmed that it never requests master passwords or demands immediate vault backups via email, emphasizing that legitimate communications avoid unsolicited urgent actions. The campaign was launched over a U.S. holiday weekend, timing that threat actors commonly choose to take advantage of reduced security staffing and slower incident response, and so to evade detection.

The phishing infrastructure relies on two key components: an initial redirect hosted on compromised AWS S3 buckets and a spoofed domain mimicking LastPass’s legitimate services. LastPass is actively working with third-party partners to dismantle the malicious infrastructure and urges users to delete any suspicious emails and report them to [email protected] for further analysis.

Organizations are advised to bolster email security controls to block messages from identified sender addresses and reinforce phishing awareness, particularly regarding urgent language and credential requests. The incident underscores the persistent risk of credential harvesting campaigns targeting password manager users.
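As an added illustration (not code from LastPass or the source article), the sketch below turns the traits described above into a mail-triage heuristic: a LastPass-branded message from a non-LastPass sender, urgent wording, a master-password or vault-backup request, and a link to an S3-hosted page (virtual-hosted or path-style endpoint) or a lookalike host. The signal names and sample messages are constructed, and every address, bucket and URL is a placeholder rather than an indicator from the campaign.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND, BRAND_DOMAIN = "lastpass", "lastpass.com"
S3_HOST = re.compile(r"(^|\.)s3[.-]([a-z0-9-]+\.)?amazonaws\.com$")
URGENCY = re.compile(r"\b(within 24 hours|urgent|immediately)\b", re.I)
CREDENTIAL = re.compile(r"\b(master password|back ?up your vault|vault backup)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the list of phishing signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hosts = [(urlparse(u).hostname or "").lower() for u in URL.findall(body)]
    findings = []
    # Header From is sender-controlled; pair this check with DMARC results.
    if BRAND in (display + text).lower() and not in_domain(sender_domain, BRAND_DOMAIN):
        findings.append("brand-claimed-by-foreign-sender")
    if URGENCY.search(text):
        findings.append("urgent-language")
    if CREDENTIAL.search(text):
        findings.append("credential-or-backup-request")
    if any(S3_HOST.search(h) for h in hosts):
        findings.append("link-to-s3-hosted-page")
    if any(BRAND in h and not in_domain(h, BRAND_DOMAIN) for h in hosts):
        findings.append("lookalike-link-domain")
    return findings

# Constructed samples: every address, bucket and URL below is a placeholder.
PHISH = """From: "LastPass Support" <support@mail-notice.example>
Subject: Scheduled maintenance: back up your vault within 24 hours

Create a vault backup within 24 hours: https://placeholder-bucket.s3.eu-west-1.amazonaws.com/redirect.html
"""
BENIGN = """From: LastPass <notices@lastpass.com>
Subject: Your monthly security summary

Review your security dashboard at https://lastpass.com/
"""
if __name__ == "__main__":
    print(triage(PHISH), triage(BENIGN))
```

A message that trips several signals at once is a candidate for quarantine and review; any single signal on its own, such as an S3 link, is common in legitimate mail.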

Source: https://cybersecuritynews.com/lastpass-warns-of-fake-maintenance-message/

LastPass cybersecurity rating report: https://www.rankiteo.com/company/lastpass

Amazon cybersecurity rating report: https://www.rankiteo.com/company/amazon

"id": "LASAMA1769009064",
"linkid": "lastpass, amazon",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'LastPass users (unspecified '
                                              'number)',
                        'industry': 'Cybersecurity, Password Management',
                        'name': 'LastPass',
                        'type': 'Company'}],
 'attack_vector': 'Email',
 'customer_advisories': 'LastPass users advised to delete suspicious emails, '
                        'report them to [email protected], and avoid '
                        'responding to unsolicited urgent requests for '
                        'credentials.',
 'data_breach': {'personally_identifiable_information': 'Potentially (if '
                                                        'vaults contained PII)',
                 'sensitivity_of_data': 'High (password manager credentials)',
                 'type_of_data_compromised': 'Master passwords, Vault backups'},
 'date_detected': '2026-01-19',
 'description': 'A high-severity phishing campaign targeting LastPass users '
                'began on January 19, 2026, with attackers impersonating the '
                'company’s support team to steal master passwords. The '
                'fraudulent emails falsely claim an urgent need for vault '
                'backups within 24 hours, leveraging social engineering to '
                'exploit user trust. LastPass confirmed it never requests '
                'master passwords or demands immediate vault backups via '
                'email. The campaign was launched over a U.S. holiday weekend '
                'to exploit reduced security staffing and slower incident '
                'response times. The phishing infrastructure uses compromised '
                'AWS S3 buckets and a spoofed domain mimicking LastPass’s '
                'services. LastPass is working with third-party partners to '
                'dismantle the malicious infrastructure and urges users to '
                'delete suspicious emails and report them to '
                '[email protected].',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'phishing impersonation',
            'data_compromised': 'Master passwords, Vault backups',
            'identity_theft_risk': 'High (master passwords compromised)'},
 'initial_access_broker': {'entry_point': 'Phishing email',
                           'high_value_targets': 'LastPass users'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Phishing campaigns often exploit reduced security '
                    'staffing during holidays. Urgent language and credential '
                    'requests in emails should be treated with heightened '
                    'suspicion. Password manager users are high-value targets '
                    'for credential harvesting.',
 'motivation': 'Credential Harvesting',
 'post_incident_analysis': {'corrective_actions': 'Dismantling phishing '
                                                  'infrastructure, blocking '
                                                  'malicious sender addresses, '
                                                  'reinforcing user education '
                                                  'on phishing risks.',
                            'root_causes': 'Exploitation of user trust via '
                                           'social engineering, use of '
                                           'compromised AWS S3 buckets and '
                                           'spoofed domains, timing attack '
                                           'during holiday weekend to evade '
                                           'detection.'},
 'recommendations': 'Bolster email security controls to block messages from '
                    'identified sender addresses. Reinforce phishing awareness '
                    'training, particularly regarding urgent language and '
                    'unsolicited credential requests. Encourage users to '
                    'report suspicious emails to designated abuse contacts.',
 'references': [{'source': 'LastPass Advisory'}],
 'response': {'communication_strategy': 'Advising users to report suspicious '
                                        'emails to [email protected], '
                                        'clarifying legitimate communication '
                                        'practices',
              'containment_measures': 'Working to dismantle phishing '
                                      'infrastructure, urging users to delete '
                                      'suspicious emails',
              'remediation_measures': 'Reinforcing phishing awareness, '
                                      'blocking identified sender addresses',
              'third_party_assistance': 'Yes (partners to dismantle malicious '
                                        'infrastructure)'},
 'stakeholder_advisories': 'Organizations advised to block identified sender '
                           'addresses and reinforce phishing awareness.',
 'title': 'Critical Phishing Campaign Targets LastPass Users in Sophisticated '
          'Attack',
 'type': 'Phishing',
 'vulnerability_exploited': 'Social Engineering, Trust Exploitation'}