Users of the popular password manager LastPass are being targeted in a new phishing campaign that impersonates official maintenance notifications. Attackers are sending emails that urge recipients to create a backup of their password vault within 24 hours, with the real goal of stealing their master passwords.
New LastPass phishing campaign mimics maintenance notifications
According to LastPass, the campaign appears to have begun around 19 January. Victims receive emails that look like legitimate support messages, sent from addresses such as support@lastpass[.]server3 and support@sr22vegas[.]com. The subject lines, branding, and layout closely imitate genuine LastPass communications and reference alleged “scheduled maintenance” of the service.
The message claims that due to upcoming infrastructure work, users must immediately create a local encrypted backup of their password vault to avoid losing access. A prominent button labeled Create Backup Now is positioned as the only way to ensure continuous availability of passwords.
Clicking the button does not lead to the legitimate LastPass website but instead redirects to a spoofed domain, mail-lastpass[.]com. There, users are prompted to enter their LastPass credentials and master password. This is a textbook phishing flow: attackers never break LastPass’s encryption directly but attempt to capture the master password—the single secret that unlocks the entire vault.
Social engineering, urgency, and timing of the phishing attack
LastPass stresses that it never instructs customers to create backups of their vault within 24 hours and does not use email to demand urgent, irreversible actions. A strict deadline is a classic social engineering tactic designed to create pressure and reduce critical thinking, pushing users to click before verifying authenticity.
The campaign is also timed to public holidays in the United States, when many organizations operate with reduced staff. Historically, phishing success rates are higher during weekends and holidays, when users have less access to IT and security teams and are more likely to act alone on suspicious messages.
Why password managers are high-value phishing targets
Password managers like LastPass centralize access to dozens or even hundreds of services—email, social networks, cloud platforms, corporate VPNs, and financial accounts. As a result, compromising a single master password can provide attackers with a powerful foothold across both personal and corporate systems.
Industry reports, including the Verizon Data Breach Investigations Report and annual statistics from the FBI Internet Crime Complaint Center (IC3), consistently show that phishing remains one of the leading initial access vectors in cyber incidents. Threat actors increasingly focus on services where one set of credentials unlocks many downstream applications—exactly the model used by password managers.
Previous phishing attacks against LastPass customers
This is not the first time LastPass users have been targeted by sophisticated phishing schemes. In October 2025, attackers reportedly submitted fake death certificates for account owners to initiate “inheritance” access procedures, attempting to trick support staff or third parties into granting control over the victims' vaults.
Another campaign observed in September of the previous year involved phishing emails urging users to install a supposedly “more secure” desktop client to replace a “vulnerable” version. In reality, the download was malicious software designed to harvest passwords and other sensitive data from compromised devices.
How to spot fake LastPass emails and protect your master password
Minimizing the risk of password vault compromise requires a combination of technical controls and user awareness. Several practical measures can significantly reduce exposure to LastPass phishing attacks:
1. Verify sender domains and all links. Genuine LastPass messages originate from official domains such as lastpass.com. Addresses containing extra words, numbers, unusual subdomains, or non-standard TLDs (server3, vegas, etc.) should be treated as suspicious. Hover over any button or hyperlink before clicking and carefully inspect the URL for subtle misspellings or additional words.
2. Treat urgent deadlines and account threats as red flags. Phrases like “create a backup within 24 hours,” “confirm your account immediately,” or “your access will be revoked” are common in phishing email scams. Large, reputable services rarely use ultimatum-style language, especially for core security functions.
3. Never enter your master password via an email link. For LastPass or any password manager, open the service only through the official app or by manually typing the URL into your browser. Any unsolicited message that directly or indirectly asks for your master password should be assumed malicious until verified through another channel.
4. Enable multi-factor authentication (MFA). Adding a second factor—such as a hardware security key, authenticator app, or biometrics—significantly raises the bar for attackers. Even if they manage to capture your master password, MFA (particularly a phishing-resistant factor such as a hardware security key) can prevent full account takeover.
5. Train staff and keep security policies current. For organizations, regular phishing awareness training, simulated campaigns, and clear incident-reporting procedures are critical. Multiple independent studies show that ongoing training can markedly reduce click-through rates on phishing emails and improve early detection of attacks.
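The first three checks above (sender domain, link destination, urgency language) can be automated as a first-pass triage for reported emails. The following Python script is an added example, not code from LastPass or from the campaign analysis: it parses a message, compares the sender and every link host against an assumed allowlist of official domains, flags non-official domains that embed the brand name (the pattern shared by the indicators reported above), and searches for ultimatum-style phrases. The two sample messages are constructed for illustration and kept in defanged form; the allowlist, the urgency phrase list and the scoring thresholds are assumptions to adapt to your own environment.

```python
"""Heuristic triage of a suspected password-manager phishing email.

Added example, not LastPass's code. OFFICIAL_DOMAINS, URGENCY_PATTERNS and
the verdict thresholds are assumptions chosen for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"lastpass.com"}   # assumption: extend from verified sources
BRAND_TOKENS = ("lastpass",)

# Ultimatum-style phrases the article cites as social-engineering red flags.
URGENCY_PATTERNS = [
    r"within\s+24\s+hours",
    r"immediately",
    r"access\s+will\s+be\s+revoked",
    r"confirm\s+your\s+account",
    r"create\s+(a\s+)?backup\s+now",
]

def refang(text: str) -> str:
    """Turn defanged indicators (example[.]com, hxxps://) into parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for these checks; a production
    deployment should use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_official(host: str) -> bool:
    return registrable_domain(host) in OFFICIAL_DOMAINS

def is_lookalike(host: str) -> bool:
    """Brand name embedded in a non-official domain, e.g. mail-lastpass.com
    or lastpass.server3."""
    host = host.lower()
    return (not is_official(host)) and any(t in host for t in BRAND_TOKENS)

def extract_link_hosts(body: str) -> list[str]:
    hosts = []
    for url in re.findall(r"""https?://[^\s"'<>)]+""", body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts

def triage(raw_email: str) -> dict:
    """Return findings, a count-based score and a coarse verdict for one message."""
    msg = message_from_string(refang(raw_email))
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []

    if not is_official(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not an official domain")
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain!r} embeds the brand name")

    for host in extract_link_hosts(body):
        if not is_official(host):
            kind = "a lookalike" if is_lookalike(host) else "non-official"
            findings.append(f"link host {host!r} is {kind}")

    text = f"{subject}\n{body}".lower()
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text):
            findings.append(f"urgency language matches /{pat}/")

    score = len(findings)
    verdict = ("likely phishing" if score >= 2
               else "review" if score == 1 else "no indicators")
    return {"sender_domain": sender_domain, "findings": findings,
            "score": score, "verdict": verdict}

# Constructed sample modelled on the indicators reported in the article (defanged).
PHISH_SAMPLE = """\
From: LastPass Support <support@lastpass[.]server3>
To: user@example.com
Subject: Scheduled maintenance: create your vault backup within 24 hours
Content-Type: text/plain

Due to upcoming infrastructure work you must immediately create a local
encrypted backup of your vault or lose access.

Create Backup Now: hxxps://mail-lastpass[.]com/backup
"""

# Constructed benign sample for contrast.
LEGIT_SAMPLE = """\
From: LastPass <noreply@lastpass.com>
To: user@example.com
Subject: Your monthly security summary
Content-Type: text/plain

Review your summary in the app or at https://lastpass.com/ whenever convenient.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = triage(sample)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The score is a plain count of findings rather than a weighted model, so a single non-official newsletter domain lands in "review" while the maintenance lure above trips every check. The lookalike test deliberately fires on the sender domain as well as on links, because both indicators in the campaign described above place the brand name inside a domain that LastPass does not own.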
The latest LastPass phishing wave underscores a recurring reality in cybersecurity: even well-designed encryption and robust platforms can be undermined when attackers successfully manipulate users. Careful scrutiny of security emails, strict control over when and where the master password is entered, consistent use of MFA, and continuous user education remain essential measures for protecting password managers and safeguarding critical digital assets.