LastPass is warning its customers about a new phishing campaign that tricks users with fake emails claiming someone has requested access to their password vault.
The messages pretend to be part of the company’s inheritance feature, which allows family members to gain access in emergencies, such as death or incapacity.
According to LastPass, the campaign started in mid-October and has been linked to a financially motivated group known as CryptoChameleon, also tracked as UNC5356. The group is known for polished phishing kits aimed at stealing cryptocurrency and has previously impersonated exchanges such as Binance, Coinbase, Kraken, and Gemini to harvest their customers' credentials.
The phishing emails claim that a family member has uploaded a death certificate to request access to the user's vault. To make the scam look more convincing, the email includes an agent ID number and asks recipients to click a link if they want to cancel the request. The link leads to a fake website, lastpassrecovery[.]com, built to look like the real LastPass login page. Victims who enter their master password there hand the attackers the one secret that decrypts the vault, giving them full access to every stored credential.
In some cases, the attackers even followed up with phone calls, pretending to be LastPass employees to pressure victims into entering their credentials on the fake site. LastPass confirmed that the attackers also set up fake domains such as mypasskey[.]info and passkeysetup[.]com to steal passkeys — a newer, passwordless login method used by modern password managers.
Passkeys rely on public-key cryptography instead of a shared password and are becoming more common across password managers such as LastPass, 1Password, Dashlane, and Bitwarden. A passkey is bound to the site it was registered for, so a look-alike domain cannot capture it the way it captures a typed master password; that is why attackers who want around passkeys have to lure users through a different flow, such as setup or recovery pages like the ones named above, rather than a plain fake login form.
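To show concretely why a phishing domain cannot reuse a passkey, the following is an added example (not code from LastPass or from the article) of the checks a relying party performs on a WebAuthn assertion: the origin inside clientDataJSON, the challenge, and the hash of the relying-party ID in authenticatorData. The browser itself would never let lastpassrecovery[.]com request an assertion for the lastpass.com relying party, but even a forged or replayed response fails the server-side checks below. The RP ID, allowed origin, and the assertion builder are assumptions constructed for the demo; the signature over authenticatorData is deliberately left out so the example runs on the standard library alone.

```python
import base64
import hashlib
import json

# Constructed values for the example: the relying-party ID the passkey was
# registered for and the only origin allowed to use it.
RP_ID = "lastpass.com"
ALLOWED_ORIGINS = {"https://lastpass.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Constructed stand-in for what navigator.credentials.get() returns.

    A real authenticator also signs rpIdHash || flags || counter || sha256(clientDataJSON);
    that signature check is omitted here to keep the example standard-library only.
    The browser fills in `origin` itself and refuses an rp_id that is not a
    registrable suffix of that origin, so a phishing page cannot choose either freely.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x05])  # user present (bit 0) and user verified (bit 2)
    counter = (1).to_bytes(4, "big")
    return {
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(rp_id_hash + flags + counter),
    }


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party side checks. Returns (accepted, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is single-use and per session; a stale one means replay.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # Origin binding: the browser wrote this field, and it must be ours.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes are sha256(rpId); a passkey scoped to another site fails here.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Genuine login versus the phishing site versus a replayed assertion."""
    challenge = hashlib.sha256(b"constructed per-session challenge").digest()
    genuine = make_assertion("https://lastpass.com", RP_ID, challenge)
    phish = make_assertion("https://lastpassrecovery.com", "lastpassrecovery.com", challenge)
    replay = make_assertion("https://lastpass.com", RP_ID, b"\x00" * 32)
    return {
        "genuine": verify_assertion(genuine, challenge),
        "phishing": verify_assertion(phish, challenge),
        "replay": verify_assertion(replay, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The interesting contrast with the master-password flow in this campaign is that nothing the user does on the look-alike site produces a credential the real service will accept: the origin is baked into the signed data by the browser, not typed by the victim.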
This is not the first time LastPass users have been targeted by CryptoChameleon. A similar phishing campaign hit customers in April 2024, and the new one appears to be larger and more sophisticated.
LastPass has urged users to stay cautious and never click links in suspicious emails. The company recommends verifying requests directly from the official LastPass app or website instead of responding to email notifications.
The warning follows a major security breach in 2022, when attackers stole encrypted vault backups from LastPass servers. That breach led to several follow-up attacks and cryptocurrency thefts totaling around $4.4 million.