Fake “LastPass Support” Email Threads Attempt to Steal Vault Passwords

By Azhar Khan

Overview of the Campaign

LastPass is warning customers about an ongoing phishing campaign that impersonates the company’s support team using spoofed display names and fabricated internal email threads. The messages are designed to create urgency and pressure recipients into clicking malicious links that ultimately lead to credential-stealing pages.

The emails typically appear to originate from “LastPass Support” and may include what looks like a forwarded internal conversation to add credibility.

How the Phishing Emails Work

The phishing emails use social engineering tactics to trigger fear and urgency. Common themes include:

  • Suspicious login activity alerts
  • Unauthorized device access warnings
  • Requests to review or secure account activity

The messages include clickable buttons or hyperlinks labeled:

  • “Report suspicious activity”
  • “Disconnect and lock vault”
  • “Revoke device”

These links redirect users to fraudulent websites designed to closely resemble legitimate LastPass login pages.

Malicious Domains and Lookalikes

Victims are directed to domains such as verify-lastpass[.]com and other similar lookalike domains crafted to mimic official LastPass infrastructure. These sites are engineered to harvest:

  • Email addresses
  • Account passwords
  • Master passwords

Once attackers obtain master passwords, they may attempt to access encrypted vault data or reuse credentials in other services.

Company Statement

LastPass has confirmed that its internal systems have not been breached in connection with this campaign. The phishing emails are external spoofing attempts and not the result of an internal compromise.

The company emphasizes that:

  • LastPass Support will never ask for your master password.
  • Legitimate communications will not pressure users to disclose sensitive credentials.
  • Users should verify URLs carefully before entering login details.

How to Stay Protected

To reduce risk from this campaign and similar phishing attempts, users should:

  • Avoid clicking links in unsolicited security alert emails.
  • Manually type the official LastPass URL into the browser.
  • Enable phishing-resistant multi-factor authentication (MFA).
  • Verify sender email domains carefully.
  • Use security tools that detect lookalike domains.

Suspicious messages should be reported directly to abuse@lastpass.com for investigation.
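The two indicators this article describes (a "LastPass Support" display name sent from an unrelated domain, and links whose hostname borrows the brand, like verify-lastpass[.]com) can be checked mechanically. The following is an added example, not code from LastPass or from the article; the sample messages are constructed, and the allowlist of legitimate domains is an assumption to be replaced with the domains your organisation actually trusts.

```python
"""Flag the two phishing indicators described above: a brand-named display
name from a non-LastPass sender domain, and links whose hostname contains the
brand but is not an official LastPass domain. Samples are constructed."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "lastpass"
# Assumed legitimate domains; verify against LastPass's own published list.
LEGIT_DOMAINS = {"lastpass.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_legit_domain(host: str) -> bool:
    """True only for the allowlisted domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def refang(text: str) -> str:
    """Turn defanged notation such as verify-lastpass[.]com back into a URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def check_message(from_header: str, body: str) -> list[str]:
    """Return a list of findings for one message (empty if nothing suspicious)."""
    findings = []
    name, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name borrows the brand but the real sender domain does not match
    if BRAND in name.lower() and not is_legit_domain(sender_domain):
        findings.append(f"spoofed display name: {name!r} from {sender_domain}")
    # Any link whose hostname mimics the brand without being an official domain
    for url in URL_RE.findall(refang(body)):
        host = urlparse(url).hostname or ""
        if BRAND in host and not is_legit_domain(host):
            findings.append(f"lookalike link host: {host}")
    return findings


# Constructed samples: one matching the campaign pattern, one legitimate.
PHISH_FROM = '"LastPass Support" <alerts@mail-notify.example>'
PHISH_BODY = ("Suspicious login detected. Disconnect and lock vault: "
              "https://verify-lastpass[.]com/secure?id=123")
LEGIT_FROM = '"LastPass" <noreply@lastpass.com>'
LEGIT_BODY = "Manage your account at https://lastpass.com/"

if __name__ == "__main__":
    for finding in check_message(PHISH_FROM, PHISH_BODY):
        print("ALERT:", finding)
```

The same checks can be run over exported mail headers or a mail gateway's quarantine log; a hit on either indicator is a reason to route the message for review rather than to the user.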

Broader Implications

Password managers are high-value targets for attackers because they centralize credentials for multiple accounts. Phishing campaigns that impersonate support teams are particularly effective due to the trust users place in security notifications.

This campaign highlights the importance of verifying communications independently and remaining cautious of urgent, action-driven security alerts.

Conclusion

The fake “LastPass Support” phishing campaign demonstrates how attackers are leveraging spoofed branding and fabricated internal email threads to trick users into revealing sensitive credentials. While LastPass systems remain uncompromised, users must stay vigilant and follow best practices to protect their vaults from credential harvesting attempts.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.