131/69 Friday, March 6, 2026

LastPass has issued a warning to users about a new phishing campaign that impersonates security alert emails claiming unauthorized account access or changes to a user’s Master Password. The attackers use display name spoofing to make the messages appear as if they originate from LastPass, increasing the likelihood that recipients will trust the emails and reveal their account credentials.

According to the Threat Intelligence and Mitigation Engineering (TIME) team at LastPass, the campaign has been active since early March 2026. Attackers are sending emails from multiple addresses with varying subject lines and formatting them to resemble forwarded internal email threads. These messages attempt to create the impression that suspicious activity has occurred, such as attempts to export a vault, recover an account, or register a new device. The tactic exploits limitations in some email clients, especially on mobile devices, that display only the sender’s name while hiding the actual email address unless expanded.

Within the email, recipients are urged to click links to perform actions such as reporting suspicious activity, locking their vault, or revoking device access. However, the links redirect victims to a fake login page hosted on the domain verify-lastpass[.]com, designed to steal sensitive credentials, particularly the user’s Master Password. LastPass emphasized that the company will never request a user’s Master Password through email or any other communication channel and is actively working to block the phishing infrastructure. Users are advised to remain cautious when receiving emails claiming to be from LastPass and to report suspicious messages to abuse@lastpass[.]com. The advisory also includes Indicators of Compromise (IoCs), such as related URLs and IP addresses, to help organizations detect and mitigate potential attacks.
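To illustrate the display-name spoofing and lookalike-domain pattern described above, here is an added example (not code from LastPass or the advisory) of a defender-side check over a raw message: it compares the From display name against the actual mailbox domain, which is what a mobile client hides, and flags link hosts that carry the brand name but are not on the vendor's domain. The sender addresses and message bodies are constructed; the link host is the domain named in the advisory, and the vendor domain list is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the vendor's legitimate sending/hosting domain.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_legit(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def check_message(raw: str) -> dict:
    """Flag display-name impersonation and brand-lookalike link hosts."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # The brand appears in the display name (all a mobile client shows),
    # but the real mailbox is not on a vendor-controlled domain.
    spoofed = BRAND in name.lower() and not _is_legit(_domain(addr))
    hosts = []
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if BRAND in host and not _is_legit(host) and host not in hosts:
            hosts.append(host)
    return {"from_address": addr, "spoofed_display_name": spoofed,
            "lookalike_links": hosts}


# Constructed sample resembling the campaign; link host is the advisory's IoC.
PHISH = """From: LastPass Security <alerts@mail-notify.example>
Subject: Fwd: Master Password changed - action required
Content-Type: text/plain

We detected an attempt to export your vault. Lock it now:
https://verify-lastpass.com/account/lock
"""

# Constructed benign sample: display name and mailbox domain agree.
LEGIT = """From: LastPass <no-reply@lastpass.com>
Subject: Your monthly security report
Content-Type: text/plain

View your report at https://lastpass.com/vault
"""

if __name__ == "__main__":
    print(check_message(PHISH))
    print(check_message(LEGIT))
```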
