LastPass “Emergency Access” Phishing Targets Master Passwords and Passkeys

CyberSecureFox 🦊

Users of the LastPass password manager are being hit by a large‑scale phishing wave that began in mid‑October 2025. The lure impersonates LastPass’s Emergency Access feature to create urgency around a supposed inheritance scenario, pushing victims to “cancel” a fabricated request and, in the process, surrender credentials on a spoofed site.

How the phishing works: fake Emergency Access notifications

LastPass allows trusted contacts to request Emergency Access to a vault if the owner becomes incapacitated. If the owner does not deny the request within a set time window, access is granted automatically. Attackers are exploiting this legitimate workflow by sending emails claiming a “family member uploaded a death certificate,” complete with a fake request ID. The call to action leads to a phishing domain, lastpassrecovery[.]com, where victims are prompted for their master password.

The campaign also uses voice phishing (vishing): callers impersonate LastPass support to coax users into “verifying” data on the phishing page. Legitimate LastPass representatives do not ask for the master password by phone or through links in email—any such request is a red flag.

Attribution and objectives: CryptoChameleon (UNC5356)

Researchers attribute the operation to the financially motivated group CryptoChameleon (UNC5356), known for social-engineering playbooks that combine email phishing, SMS phishing, and vishing to maximize conversion. The same actor has previously targeted LastPass users and cryptocurrency holders, seeking to monetize stolen credentials, session tokens, and wallet access.

Why now: attackers adapt to passkeys and passwordless sign-in

The campaign reflects a clear pivot: beyond master passwords and session cookies, the operators are actively pursuing passkeys based on FIDO2/WebAuthn. Passkeys enable passwordless login using asymmetric cryptography and are being rapidly adopted across major ecosystems from Google, Apple, and Microsoft. Leading password managers—LastPass, 1Password, Dashlane, Bitwarden—now store and sync passkeys across devices, making them a valuable target for criminal tooling.

While passkeys are designed to be phishing‑resistant, attackers can still deceive users into registering or “recovering” keys on a counterfeit domain, effectively binding the cryptographic credential to the attacker’s site. The result is not a cryptographic break, but a social-engineering success that defeats user intent.
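The origin binding mentioned above is what makes a passkey useless to a look-alike site. The following Python example is added here to illustrate it; it is not LastPass code and not part of the original article. It implements the origin, RP ID and challenge checks that a WebAuthn relying party performs on an assertion (signature verification is left out on purpose), and the RP ID, allowed origins and ceremony data are all constructed assumptions for the demonstration. Because the browser, not the page, writes the real origin into `clientDataJSON` and the RP ID hash into `authenticatorData`, an assertion produced on a spoofed domain such as lastpassrecovery[.]com is rejected by the genuine service; the attacker's only option is therefore the social-engineering route the article describes, getting the user to register a fresh credential on the attacker's own domain.

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple

# Assumed relying-party configuration for this example. A real RP loads these from
# its own settings; the values here are an assumption, not LastPass's configuration.
EXPECTED_RP_ID = "lastpass.com"
EXPECTED_ORIGINS = {"https://lastpass.com", "https://www.lastpass.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    # authenticatorData begins with SHA-256(rpId); the browser, not the page, fills it in.
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             issued_challenge: bytes) -> Tuple[bool, str]:
    """Origin / RP ID / challenge checks of WebAuthn assertion verification.

    These checks are what make passkeys phishing-resistant: an assertion produced on a
    look-alike site carries that site's origin and RP ID hash and cannot satisfy the
    genuine RP. Signature verification over authenticatorData || SHA-256(clientDataJSON)
    is deliberately omitted to keep the example focused on the binding.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
            return False, "challenge mismatch (stale or replayed assertion)"
    except (ValueError, TypeError):
        return False, "challenge is not valid base64url"
    origin = client_data.get("origin")
    if origin not in EXPECTED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != rp_id_hash(EXPECTED_RP_ID):
        return False, "rpIdHash does not match the expected RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence was confirmed by the authenticator
        return False, "user presence flag not set"
    return True, "ok"


# Helpers that build sample ceremony data the way a browser and authenticator would.
# This is constructed test data, not captured from any real service.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode("utf-8")


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes); 0x05 = UP | UV
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    genuine = verify_assertion_binding(
        make_client_data("https://lastpass.com", challenge),
        make_authenticator_data("lastpass.com"), challenge)
    # A user lured to the spoofed domain: the browser records that origin and RP ID.
    spoofed = verify_assertion_binding(
        make_client_data("https://lastpassrecovery.com", challenge),
        make_authenticator_data("lastpassrecovery.com"), challenge)
    # A captured genuine assertion replayed against a freshly issued challenge.
    replayed = verify_assertion_binding(
        make_client_data("https://lastpass.com", challenge),
        make_authenticator_data("lastpass.com"), secrets.token_bytes(32))
    return {"genuine": genuine, "spoofed": spoofed, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Running the block shows the genuine assertion accepted and the spoofed and replayed ones rejected with the reason the check reports. The point for defenders is that the rejection happens at the relying party regardless of how convincing the spoofed page looked to the user; the campaign's passkey harvesting therefore depends on registration or "recovery" flows on attacker-controlled domains, not on defeating these checks.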

Infrastructure and targets: spoofed domains and login portals

Domains tailored for passkey theft

The phishing infrastructure includes domains such as mypasskey[.]info and passkeysetup[.]com for credential and passkey harvesting, alongside the more LastPass‑specific lastpassrecovery[.]com. The pages are designed to look authentic, mirroring branding, flows, and error messages users expect from legitimate services.

Broad service impersonation to capture tokens

Beyond LastPass, the operation stands up spoofed login pages for Okta, Gmail, iCloud, and Outlook, increasing the likelihood of obtaining primary credentials or session tokens that enable account takeover. The toolkit also extends to major cryptocurrency platforms—Binance, Coinbase, Kraken, Gemini—indicating monetization pathways once access is achieved.

Risk analysis: master password, session cookies, and passkeys

Compromise of a LastPass master password—especially when paired with stolen session cookies—can open the door to vault access if additional checks are weak or absent. The targeted collection of passkeys is particularly concerning: by tricking users into performing account binding on a look‑alike domain, adversaries can undermine passwordless authentication and create durable, high‑fidelity access.

Defense recommendations: verification, configuration, and phishing‑resistant MFA

Verify URLs manually: avoid email links; open LastPass via the app or a trusted bookmark. Inspect the domain carefully, as attackers register look‑alike names and unusual TLDs to bypass quick visual checks.
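The manual domain check above can also be automated for mail-gateway or proxy logs. The Python example below is added here and is not part of the original article or any vendor's tooling. It refangs defanged indicators (so the article's lastpassrecovery[.]com, mypasskey[.]info and passkeysetup[.]com can be fed in as written), converts internationalized hostnames to punycode so homoglyph domains become visible, and flags hostnames that contain or closely resemble a brand keyword without belonging to an official registrable domain, or that use a TLD outside an expected set. The legitimate-domain list, the expected TLDs, the small confusables map and the two-label registrable-domain rule are all simplifying assumptions for the example; a production check would use the Public Suffix List and a full confusables table.

```python
from urllib.parse import urlsplit

# Assumed policy data for this example: official registrable domains per brand keyword
# and the TLDs the organization expects for them. "passkey" has no single owner, so any
# brand-like domain built on that word is treated as worth a second look.
LEGITIMATE_DOMAINS = {
    "lastpass": {"lastpass.com"},
    "passkey": set(),
}
EXPECTED_TLDS = {"com", "net", "org"}

# Minimal confusables map (Cyrillic letters that look like Latin ones); an assumption
# standing in for a full Unicode confusables table.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "у": "y", "і": "i"})


def refang(text: str) -> str:
    """Turn defanged indicators such as lastpassrecovery[.]com back into real hostnames."""
    return text.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def hostname_of(url: str) -> str:
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    # Simplified: last two labels. A production check would consult the Public Suffix List.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str, brand: str = "lastpass") -> dict:
    host = hostname_of(url)
    ascii_host = host.encode("idna").decode("ascii")   # punycode for IDN labels
    skeleton = host.translate(CONFUSABLES)             # what the user's eye sees
    reg = registrable_domain(ascii_host)
    if reg in LEGITIMATE_DOMAINS.get(brand, set()):
        return {"host": host, "ascii_host": ascii_host, "registrable": reg,
                "verdict": "legitimate", "reasons": []}
    reasons = []
    sld = reg.split(".")[0]
    if brand in skeleton:
        reasons.append(f"contains '{brand}' but {reg} is not an official {brand} domain")
    elif levenshtein(sld, brand) <= 2:
        reasons.append(f"'{sld}' is within edit distance 2 of '{brand}' (possible typosquat)")
    if reasons and any(label.startswith("xn--") for label in ascii_host.split(".")):
        reasons.append("punycode label present; inspect for homoglyphs")
    tld = reg.rsplit(".", 1)[-1]
    if reasons and tld not in EXPECTED_TLDS:
        reasons.append(f"unexpected TLD .{tld}")
    return {"host": host, "ascii_host": ascii_host, "registrable": reg,
            "verdict": "suspicious" if reasons else "unrelated", "reasons": reasons}


if __name__ == "__main__":
    # Indicators from the article plus constructed look-alikes for comparison.
    samples = [("https://lastpass.com/vault", "lastpass"),
               ("lastpassrecovery[.]com", "lastpass"),
               ("https://lastpass.com.evil.example/login", "lastpass"),
               ("https://1astpass.com/", "lastpass"),
               ("https://lastpаss.com/", "lastpass"),   # Cyrillic а, constructed
               ("mypasskey[.]info", "passkey"),
               ("passkeysetup[.]com", "passkey")]
    for url, brand in samples:
        r = assess(url, brand)
        print(f"{r['verdict']:10s} {r['ascii_host']:32s} {'; '.join(r['reasons'])}")
```

The brand comparison runs on the confusables-normalized hostname while the official-domain lookup runs on the punycode form, so a Cyrillic look-alike is caught as "contains the brand" rather than slipping through as an unrelated xn-- name. Subdomain tricks such as lastpass.com.evil.example are caught because the verdict is based on the registrable domain, not on whether the brand appears anywhere in the hostname.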

Never enter the master password via email links or on a phone call. Treat “urgent” inheritance claims with skepticism and confirm any Emergency Access activity only through the official interface.

Review Emergency Access settings: audit trusted contacts, enable notifications for requests, reduce auto‑approval windows where possible, and remove outdated entries.

Harden authentication: prefer phishing‑resistant MFA (hardware‑backed FIDO2 security keys), enable login alerts, and regularly review active sessions. Keep browsers and extensions up to date and activate anti‑phishing protections.

Weaponizing Emergency Access is a reminder that adversaries exploit legitimate recovery processes to bypass user caution. Stay alert to inheritance‑themed messages, validate domains before any action, and interact with your vault only through official apps or the LastPass website. If you receive a suspicious notification or call, report it to LastPass support, rotate your master password, and, if compromise is suspected, re‑issue credentials and regenerate passkeys for critical services. Early disruption of the social‑engineering chain materially reduces the risk of account takeover and financial loss.
