Hackers Mimic LastPass Support Email to Steal Vault Passwords

A new and carefully crafted phishing campaign is currently targeting LastPass users, with attackers sending fake support emails designed to steal vault master passwords.

The campaign, which began on or around March 1, 2026, relies on social engineering tactics to trick users into believing their accounts have been compromised, pushing them to hand over their credentials willingly.

The attackers behind this operation are forwarding fabricated email chains that appear to show another individual attempting unauthorized actions on the target’s LastPass account.

These fake actions include exporting vault data, triggering a full account recovery, or registering a new trusted device.

By presenting what looks like an ongoing internal email thread, the attackers create an immediate sense of urgency, pushing the victim to click on provided links and act before any supposed damage is done.

This tactic of manufacturing panic to force a quick response is a hallmark of social engineering attacks.

Analysts from LastPass's Threat Intelligence, Mitigation, and Escalation (TIME) team identified the campaign and issued a public advisory on March 3, 2026, confirming that the phishing operation was active.

The team noted that there is no impact on LastPass systems themselves; the real risk lies in users voluntarily submitting their credentials on fake login pages. The TIME team is working with third-party partners to take the malicious sites offline as quickly as possible.

The campaign is running at scale. Attackers route victims through multiple redirect links before landing them on a fraudulent single sign-on login page hosted at verify-lastpass[.]com.

This domain acts as the central collection point for stolen credentials. To make detection harder, the attackers generate slightly modified versions of the URL by appending different trailing numbers, producing a large pool of unique-looking links that all resolve to the same phishing page.

Because each link differs from the others, simple exact-match URL blocklists in email security gateways miss some of them; the redirect hops also mean that the URL visible in the email is not the one the victim ends up on.
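The two evasions described above (redirect chains and trailing-number URL variants) are straightforward to undo on the analysis side. The following Python routine is an added example, not code from the article or from LastPass: it follows a redirect table to the landing page, detects loops, and collapses the trailing-number variants into a single canonical indicator so that a pool of unique-looking links is reduced to one block rule. The redirect table and the intermediate tracker/shortener hosts are constructed for illustration; only the landing domain is the one named in the advisory. In a real gateway the table would be replaced by the observed HTTP 30x hops.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect table standing in for the HTTP 30x hops a gateway would
# observe. The tracker/shortener hosts are hypothetical; the landing domain is
# the one LastPass named in its advisory. Nothing here is fetched over the network.
REDIRECT_HOPS = {
    "https://t.example-tracker.net/c/9f2a": "https://l.example-shortener.io/x7",
    "https://l.example-shortener.io/x7": "https://verify-lastpass.com/sso/login17",
    "https://t.example-tracker.net/c/9f2b": "https://l.example-shortener.io/x8",
    "https://l.example-shortener.io/x8": "https://verify-lastpass.com/sso/login42",
    # a deliberate loop, to exercise the loop guard
    "https://loop.example.org/a": "https://loop.example.org/b",
    "https://loop.example.org/b": "https://loop.example.org/a",
}

# Known credential-collection domain from the advisory (stored defanged-free).
PHISH_DOMAINS = {"verify-lastpass.com"}

TRAILING_DIGITS = re.compile(r"\d+$")


def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def resolve_chain(url, hops=REDIRECT_HOPS, max_hops=10):
    """Follow the redirect table to the landing URL.

    Returns (landing_url, chain). Stops on a loop or when max_hops is reached,
    returning the last URL reached so the caller can still inspect it.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = hops.get(current)
        if nxt is None:          # no further redirect: this is the landing page
            break
        if nxt in seen:          # redirect loop: stop here rather than spin
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return current, chain


def canonicalize(url):
    """Collapse trailing-number variants of the same page into one key.

    Lowercases the host, strips trailing digits from the last path segment and
    drops query and fragment, so login17 and login42 map to the same indicator.
    """
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    segments = (parts.path or "/").split("/")
    segments[-1] = TRAILING_DIGITS.sub("", segments[-1])
    return urlunsplit((parts.scheme.lower(), host, "/".join(segments), "", ""))


def landing_host(url):
    landing, _ = resolve_chain(url)
    return urlsplit(refang(landing)).hostname or ""


def is_phish_landing(url):
    """True if the link ends up on a known phishing domain (or a subdomain of one)."""
    host = landing_host(url)
    return host in PHISH_DOMAINS or any(host.endswith("." + d) for d in PHISH_DOMAINS)


def dedupe_indicators(urls):
    """Group a pool of unique-looking links by their canonical landing page."""
    groups = {}
    for u in urls:
        landing, _ = resolve_chain(u)
        groups.setdefault(canonicalize(landing), []).append(u)
    return groups


if __name__ == "__main__":
    pool = ["https://t.example-tracker.net/c/9f2a", "https://t.example-tracker.net/c/9f2b"]
    for key, members in dedupe_indicators(pool).items():
        print(key, "<-", len(members), "links, phish:", is_phish_landing(members[0]))
```

The canonical key, not the individual link, is what belongs in a blocklist; matching on the landing host after resolution also catches new redirect front-ends the attackers rotate in later.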

Every LastPass user should treat any unexpected email referencing account activity with strong suspicion. LastPass has confirmed that its team will never ask for your master password through email or any other communication channel.

Anyone uncertain about whether a LastPass-branded email is genuine should report it directly to abuse@lastpass.com for the security team to investigate.

Display Name Spoofing: How the Deception Holds Up

The most technically effective element of this campaign is the use of display name spoofing. In this technique, the attacker manipulates only the visible name shown in the sender field of an email, while the actual sending address belongs to a completely unrelated domain.

When a target receives one of these messages, they may see a name like “LastPass Support,” which looks completely legitimate at first glance.

The real sending addresses, however, come from domains such as hancochem[.]at, salud5i[.]cl, remstal-praxis[.]de, and kreducationsa[.]com, none of which are connected to LastPass in any way.

Body of Phishing Email Example (Source: LastPass)

This technique is especially effective against mobile users, since most mobile email applications display only the sender’s name by default.

To check the actual sending address, a user has to manually expand the sender field, which many people do not do — particularly when an email already appears to come from a trusted source.

Attackers lean into this behavior deliberately, crafting their fake correspondence to look like a real back-and-forth thread to add even more credibility to the deception.
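The check that defeats display name spoofing is mechanical: parse the From header, and flag any message whose display name claims a brand while the actual address sits on a domain the brand does not send from. The Python below is an added example, not code from the article or from LastPass. The allowlist of legitimate LastPass sender domains is an assumption for illustration (take the real one from the vendor's published sending domains or your own DMARC reports); the sample messages are constructed, using the sender domains named in the advisory.

```python
from email import message_from_string
from email.utils import parseaddr

# Brand keywords an impersonator puts in the display name, mapped to the domains
# allowed to use them. The lastpass.com entry is an assumption for this example;
# a production list comes from the vendor's published sender domains / DMARC data.
BRAND_ALLOWLIST = {
    "lastpass": {"lastpass.com"},
}

# Constructed sample messages (headers only matter here). The unrelated sender
# domains are the ones LastPass listed in its advisory.
SPOOFED = (
    "From: LastPass Support <alerts@hancochem.at>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Fwd: Vault export request\r\n\r\nbody\r\n"
)
# Variant: the display name is itself made to look like a lastpass.com address.
SPOOFED_ADDR_AS_NAME = (
    'From: "support@lastpass.com" <news@kreducationsa.com>\r\n'
    "To: victim@example.com\r\n"
    "Subject: Fwd: New trusted device added\r\n\r\nbody\r\n"
)
LEGIT = (
    "From: LastPass <noreply@mail.lastpass.com>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Your weekly summary\r\n\r\nbody\r\n"
)


def sender_domain(addr):
    """Domain part of an address, lowercased; empty string if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_allowed(domain, allowed):
    return domain in allowed or any(domain.endswith("." + d) for d in allowed)


def check_display_name_spoof(raw_message):
    """Return a list of findings; an empty list means no brand/domain mismatch.

    Looks only at what a mobile client hides from the user: the address behind
    the display name. parseaddr handles quoted names, comments and bare addresses.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    findings = []
    if not domain:
        findings.append("From header has no parseable address")
        return findings
    for brand, allowed in BRAND_ALLOWLIST.items():
        # brand appears in the visible name (including names shaped like an
        # address, e.g. "support@lastpass.com") but the envelope domain is foreign
        if brand in name.lower() and not domain_allowed(domain, allowed):
            findings.append(
                f"display name {name!r} claims {brand} but sender domain is {domain}"
            )
    return findings


def is_spoofed(raw_message):
    return bool(check_display_name_spoof(raw_message))


if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED), ("addr-as-name", SPOOFED_ADDR_AS_NAME), ("legit", LEGIT)]:
        print(label, "->", check_display_name_spoof(sample) or "clean")
```

This catches the two forms the campaign uses: a friendly name ("LastPass Support") over a foreign address, and a display name that is itself shaped like a lastpass.com address. It is a header-level heuristic, not a substitute for SPF/DKIM/DMARC enforcement, which is what stops a message from claiming a lastpass.com address in the actual From address rather than just the name.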

Fake LastPass SSO Login Page (Source: LastPass)

Once a victim clicks a link embedded in the email, they are taken to what appears to be a legitimate LastPass single sign-on page with matching branding.

The moment a user enters their master password, the attacker captures it and can use it to log in as the victim and decrypt everything stored inside the vault. These phishing pages have been served from IP addresses including 172.67.200[.]82, 104.21.21[.]204, and 52.102.103[.]4. Note that the first two sit in Cloudflare address space, where reverse proxies front many unrelated sites, so the domain, not the IP, is the indicator to block.

Users are strongly advised to always inspect the full sender address in any security-related email, avoid clicking links that claim account activity has been detected, and go directly to the official LastPass website by typing the address into a browser instead.


The post Hackers Mimic LastPass Support Email to Steal Vault Passwords appeared first on Cyber Security News.
