LastPass issues alert as customers face second major phishing campaign of 2026 - ITPro

(Image credit: Getty Images) Share Copy link Facebook X Linkedin Bluesky Share this article Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter LastPass customers are again being targeted by phishing emails that appear to be forwarded internal messages. In a customer advisory, the password manager firm warned emails are being sent from several email addresses, with various subject lines, claiming there has been unauthorized access to individuals’ accounts. "This is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails," the company warned. The fake email chains are intended to make it appear as though another individual is trying to take unauthorized action on their LastPass account - for example, exporting vaults, attempting full account recovery, or registering a new trusted device. Attackers use display name spoofing as part of the attack so that the name portion of the sender field appears to be LastPass, while the actual sending email address is unrelated. This can fool recipients, LastPass warned, as many email clients, especially mobile, show only the display name while the complete sender address is shown if it's expanded. What LastPass users need to know The emails ask the recipient to take action such as reporting suspicious activity, disconnecting and locking the vault, or revoking a device, via included links - links that direct the targets to fake Single Sign-On (SSO) pages that then collect their credentials. "At the center of the phishing chain is the domain https[:]//verify-lastpass[.]com," said LastPass. "Most malicious links redirect to this domain, but the attackers generate many slightly modified versions by adding different trailing numbers. This lets them produce a large set of URLs that all resolve to the same phishing page." The emails originate from several addresses, including: office@hancochem.at admin@salud5i.cl no_reply@remstal-praxis.de demo@fluxstore.io no_reply@kreducationsa.com support@yodhafinance.com hr@bebran.com info@itpbusa.com Subject lines include "Re: the details", "Re: pending approval", "Re: Access request pending", "Re: FYI", "RE: sign-in — TRZ-2302300", "Fwd: Re: your request" and "Re: credential download". LastPass emphasized that it will never ask for their master password and said it is working with its third-party partners to have the offending sites taken down as soon as possible. LastPass users face an array of threats This is the second phishing campaign against LastPass users in the space of two months, highlighting the range of threats faced by customers. In January, for example, fraudulent emails were distributed to users claiming that the site was due to undergo maintenance. That particular campaign urged customers to back-up vaults within 24 hours, and some received phone calls from the scammers aimed at increasing pressure. In October last year, another campaign used similar tactics, claiming that the company had been hacked. FOLLOW US ON SOCIAL MEDIA Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews. You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky. Emma Woollacott Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles. Latest Cyber crime activities peak later in life Acer launches new Channel Partner Portal on 50th anniversary You might also like Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secrets A single compromised account gave hackers access to 1.2 million French banking records Starkiller: Cyber experts issue warning over new phishing kit that proxies real login pages Using AI to generate passwords is a terrible idea, experts warn Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company responded Security experts warn Substack users to brace for phishing attacks after breach Google issues warning over ShinyHunters-branded vishing campaigns Hackers are using LLMs to generate malicious JavaScript in real time – and they’re going after web browsers VIEW MORE ▸