On January 21, 2026, LastPass warned its users about a new and active phishing campaign aimed at stealing customers’ master passwords through fake official communications.
According to LastPass’s Threat Intelligence, Mitigation, and Escalation (TIME) team, the attack began around January 19, 2026 , and uses social engineering tactics to induce a sense of urgency.
Fraudulent emails use the pretext of upcoming service maintenance, urging recipients to create a local backup of their password vault within 24 hours . To maximize the effectiveness of the deception, the messages feature various subject lines, including:
The attack mechanism involves a link that initially directs the victim to an AWS bucket (group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf) and then redirects the victim to the malicious domain mail-lastpass[.]com , designed to mimic the original LastPass interface and capture the entered master password.
LastPass has firmly reiterated that it will never request a master password via email or force users to take immediate action under pressure. The company is working with external partners to dismantle the fraudulent infrastructure and has confirmed that the emails originate from the following suspicious addresses:
The company invites all users to pay maximum attention, not to click on suspicious links and to report any anomalies through official channels.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
