LastPass Warns of Phishing Campaign Using Fake Email Chains

Password manager provider LastPass is warning customers about an ongoing phishing campaign designed to steal login credentials by impersonating legitimate account activity notifications.

According to LastPass’s Threat Intelligence, Mitigation, and Escalation (TIME) team, the campaign began around March 1, 2026 and relies on fabricated email chains crafted to look like forwarded internal discussions about suspicious account activity.

These messages typically claim someone attempted to perform actions such as exporting a password vault, registering a new trusted device, or initiating account recovery. The goal is to create urgency and prompt recipients to investigate the supposed activity.

Attackers are using display name spoofing so the messages appear to come from LastPass: the display name reads as a LastPass sender while the actual From address belongs to an unrelated domain. Many email clients, especially mobile ones, show only the sender’s display name by default, so the real sending address stays hidden unless the recipient expands the header.

Victims who follow the instructions are directed to a fraudulent login page hosted on domains designed to mimic the brand. The primary site identified in the campaign is verify-lastpass[.]com, which hosts a fake single sign-on page intended to capture user credentials.

Security researchers say attackers are also using multiple redirect links and slightly modified URLs to evade detection and prolong the campaign. Several compromised or unrelated email domains have been used to distribute the phishing messages.
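The two tricks described above, a brand name in the display name over an unrelated address and a lookalike domain in the link, are both visible in the raw message before anyone clicks. The script below is an added triage example, not LastPass or TIME tooling; the sample message, the sender address mail-notify.example and the link paths are constructed for illustration, and only verify-lastpass[.]com comes from the report. It assumes lastpass.com is the brand’s real domain and flags anything else that merely contains the brand name.

```python
"""Triage a raw email for display-name spoofing and lookalike link domains.
Added example, not LastPass/TIME code. SAMPLE_EMAIL is constructed; the
sender domain and link paths are invented, only verify-lastpass.com is from
the report."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"lastpass.com"}   # assumption: the brand's genuine domain
BRAND_KEYWORDS = ("lastpass",)

# Constructed sample: the display name claims LastPass, the address does not.
SAMPLE_EMAIL = b"""\
From: "LastPass Security" <alerts@mail-notify.example>
To: user@example.org
Subject: FW: Re: Suspicious activity on your vault
Content-Type: text/plain; charset=utf-8

Hi,
As discussed below, someone tried to export this vault. Please confirm
at https://verify-lastpass.com/sso/login?u=user%40example.org
-- Original --
Export attempt flagged, see https://lastpass.com/ for policy.
"""


def domain_is_legit(host: str) -> bool:
    """True only for a real brand domain or a subdomain of one.
    'verify-lastpass.com' is neither, so a substring match is not enough."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def check_sender(from_header: str) -> dict:
    """Flag a From header whose display name claims the brand while the
    mailbox address sits on a non-brand domain (display name spoofing)."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2]
    claims_brand = any(k in name.lower() for k in BRAND_KEYWORDS)
    return {
        "display_name": name,
        "address": addr,
        "spoofed": claims_brand and not domain_is_legit(addr_domain),
    }


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def check_links(body: str) -> list:
    """Return (url, host, lookalike) per link. lookalike means the host
    contains the brand name but is not a legitimate brand domain."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        brand_in_host = any(k in host.lower() for k in BRAND_KEYWORDS)
        results.append((url, host, brand_in_host and not domain_is_legit(host)))
    return results


def triage(raw: bytes) -> dict:
    """Parse the message and combine the sender and link checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = check_sender(str(msg["From"]))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = check_links(body)
    return {
        "sender": sender,
        "links": links,
        "suspicious": sender["spoofed"] or any(lk for _, _, lk in links),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Two caveats. A brand-named display name over a third-party address is a heuristic, since legitimate mail sent through an email service provider can look the same; treat it as a reason to inspect, not a verdict on its own. And the link check only inspects the first hop, so a redirector on a neutral domain, the evasion the researchers describe, passes it; resolving redirects safely belongs in a sandbox, not in a parser run on the mailbox.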

LastPass emphasized that its systems have not been breached, and the campaign relies solely on social engineering techniques targeting users directly.

The company advises customers to remain cautious when receiving unexpected security alerts or login warnings via email. LastPass also says no employee will ever ask for a user’s master password.

Anyone who suspects they may have entered credentials into a fraudulent page should immediately change their master password and review account security settings, such as trusted devices, multifactor authentication, and recent login activity. Since a working master password is enough to log in and export the vault, the passwords stored in it should be treated as exposed until they have been rotated.

Phishing campaigns that impersonate trusted brands remain one of the most common attack vectors in cybersecurity, often succeeding by exploiting urgency and familiarity rather than technical vulnerabilities. The reliable check is to ignore the links in the message and confirm any security alert through the vendor’s own site or app, typed directly, before taking action.


Modernizing Tech