LastPass has issued a warning about a new phishing campaign that is targeting its users with fake maintenance emails.
The messages are designed to look like official LastPass notifications and claim that users must back up their password vaults within the next 24 hours.
According to LastPass, the emails try to create a sense of urgency by saying that upcoming maintenance could affect access to user data. The messages include a link that supposedly lets users create an encrypted backup of their vault. In reality, the link leads to a phishing site where attackers likely attempt to steal account details or trick users into revealing their master passwords.
LastPass has made it clear that these emails are not legitimate. The company says it is not asking users to back up their vaults within a short time window and that the messages are part of a social engineering attempt. Creating urgency is a common trick used in phishing to pressure people into clicking links without thinking carefully.
The company’s Threat Intelligence, Mitigation, and Escalation team believes the campaign began on January 19. The phishing emails were sent from suspicious addresses and used subject lines that closely imitate real security or maintenance alerts. The messages are written to look professional and reassuring, claiming that backups are needed to ensure uninterrupted access during maintenance.
Users who click the “Create Backup Now” button in these emails are redirected to a fake website that pretends to be related to LastPass. This site is meant to capture login details or other sensitive information. At the time of reporting, the phishing site appeared to be offline, but similar campaigns often return under new domains.
LastPass also noted that the attackers launched the campaign during a U.S. holiday weekend. This timing may have been chosen to reduce the chance of a quick response and to increase the success rate of the scam.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
The company is reminding users that it will never ask for their master password and will not request urgent vault backups through email. Users who receive suspicious messages are encouraged to report them to LastPass at abuse@lastpass.com.
