A sophisticated phishing campaign is currently targeting LastPass users, employing fake support emails to trick individuals into divulging their vault master passwords. This operation, which began around March 1, 2026, leverages social engineering tactics to create a sense of urgency and fear of account compromise, thereby coercing users into voluntarily surrendering their sensitive credentials. The primary goal of the attackers mimicking LastPass support emails is to steal master passwords and thereby gain unauthorized access to users’ password manager vaults.
LastPass analysts from the TIME team identified and publicly disclosed the active phishing operation on March 3, 2026. While the company assures that its own systems remain unaffected, the significant risk lies in users being directed to fraudulent login pages where they input their master passwords. The TIME team is actively collaborating with third-party partners to expedite the removal of these malicious websites.
Display Name Spoofing: The Deceptive Tactic
A key element contributing to the effectiveness of this campaign is the attackers’ skillful use of display name spoofing. This technique involves manipulating the visible sender name in an email to appear as if it originates from a trusted source, such as “LastPass Support.” However, the actual sending email address originates from unrelated domains, including examples like hancochem[.]at, salud5i[.]cl, remstal-praxis[.]de, and kreducationsa[.]com. These domains bear no connection to LastPass.
This method is particularly insidious for users accessing emails on mobile devices, as many email applications default to displaying only the sender’s name. The actual sending address, which would reveal the deception, requires users to manually expand the sender field, an action many overlook, especially when the visible sender appears legitimate. Attackers exploit this by fabricating email chains that simulate genuine internal communications, thereby enhancing the believability of their fraudulent messages.
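The mismatch described above, a trusted-looking display name in front of an address on an unrelated domain, is mechanical enough to check automatically at the mail gateway or in a triage script. The following is an added example, not code from LastPass or from the article; it parses a `From:` header with the standard library, flags a display name that claims a brand whose address domain is not on an allowlist, and also flags the related trick of putting a whole email address inside the display name. The allowlist (`lastpass.com` as the only legitimate sender domain) and the local parts of the sample addresses are assumptions; the sender domains in the samples are the ones quoted in the article.

```python
"""Detect display-name spoofing in a From: header (added example, not vendor code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Brands we care about and the domains they legitimately send from.
# Assumption for this example: lastpass.com is the only legitimate LastPass sender domain.
BRAND_DOMAINS = {
    "lastpass": {"lastpass.com"},
}

ADDR_IN_NAME = re.compile(r"@([A-Za-z0-9.-]+)")


def _domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].strip().lower()


def _is_legit(domain: str, legit: set) -> bool:
    """True if domain equals or is a subdomain of an allowlisted domain."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def classify_from(from_header: str) -> dict:
    """Classify a From: header value as 'ok' or one of two spoofing patterns."""
    display, addr = parseaddr(from_header)
    domain = _domain_of(addr)
    result = {"display": display, "address": addr, "domain": domain,
              "verdict": "ok", "reason": ""}

    # Pattern 1: the visible name claims a brand, but the real sending
    # domain is not one the brand actually uses.
    display_l = display.lower().replace(" ", "")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_l and not _is_legit(domain, legit):
            result.update(
                verdict="display_name_spoof",
                reason=f"display name claims {brand!r} but sender domain is {domain!r}",
            )
            return result

    # Pattern 2: the display name itself looks like an email address whose
    # domain differs from the real sender domain (mobile clients show only the name).
    m = ADDR_IN_NAME.search(display)
    if m and m.group(1).lower().rstrip(".") != domain:
        result.update(
            verdict="address_in_display_name",
            reason=f"display name shows domain {m.group(1)!r} but real domain is {domain!r}",
        )
    return result


def classify_message(raw: str) -> dict:
    """Convenience wrapper: classify the From: header of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    return classify_from(msg.get("From", ""))


# Constructed sample message: the sender domain is one quoted in the article,
# the local part 'support' and the rest of the headers are made up for the example.
SAMPLE_RAW = (
    "From: LastPass Support <support@hancochem.at>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Re: Account recovery request\r\n"
    "\r\n"
    "Someone has requested a full account recovery ...\r\n"
)

if __name__ == "__main__":
    for header in [
        "LastPass Support <support@hancochem.at>",
        "LastPass <noreply@lastpass.com>",
        '"support@lastpass.com" <helpdesk@salud5i.cl>',
        "Alice <alice@example.org>",
    ]:
        r = classify_from(header)
        print(f"{r['verdict']:24} {header}  {r['reason']}")
    print(classify_message(SAMPLE_RAW)["verdict"])
```

The allowlist comparison is on the real address domain, which a mobile client hides by default; the check reproduces what the article asks users to do manually (expand the sender field) and makes it a gateway rule. Subdomains of an allowlisted domain pass, so `mail.lastpass.com` would be accepted if it were in use, while `lastpass.com.example` is not.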
The Anatomy of the Attack
The attackers construct fabricated email threads that appear to depict another individual attempting unauthorized actions on the target’s LastPass account. These fabricated actions include exporting vault data, initiating a full account recovery process, or registering a new trusted device. The presentation of these apparent internal discussions aims to create an immediate sense of alarm, pressuring recipients to click on provided links and act swiftly to prevent supposed damage.
Once a user clicks on a link within the deceptive email, they are led to a meticulously crafted, fraudulent single sign-on (SSO) login page that closely mimics the official LastPass branding. This page is hosted at a domain like verify-lastpass[.]com, serving as the central hub for collecting stolen credentials. To evade detection, attackers further complicate matters by generating numerous variations of the URL with different trailing numbers, creating a vast array of unique-looking links that all point to the same phishing page. This tactic also aids in bypassing basic URL filtering mechanisms employed by email security gateways.
The phishing pages are being served from IP addresses such as 172.67.200[.]82, 104.21.21[.]204, and 52.102.103[.]4 (the first two fall within Cloudflare’s published address ranges, i.e. shared CDN edges rather than attacker-owned servers, so blocking should key on the domains rather than on these addresses). The moment a user enters their master password on these fake pages, the attackers capture it, granting them full access to the contents of the compromised LastPass vault.
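Two details above matter for detection: the many URL variants that differ only in trailing numbers, and a hostname that contains the brand name without being the brand’s domain. The following added example, not code from LastPass or the article, canonicalises defanged URLs so the numbered variants collapse to one cluster key, and flags hostnames that carry a brand token while their registrable domain is not on the allowlist. The sample URLs are constructed around the `verify-lastpass[.]com` domain quoted in the article; the path `/sso/login` and the trailing numbers are made up. Registrable-domain extraction is simplified to the last two labels (an assumption that is wrong for suffixes like `co.uk`; use a public-suffix library in production).

```python
"""Cluster numbered phishing URL variants and flag brand-lookalike hosts (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Brand token expected in lookalike hostnames, and the domains the brand really uses.
# Assumption for this example: lastpass.com is the only legitimate LastPass domain.
BRAND_TOKENS = {
    "lastpass": {"lastpass.com"},
}

TRAILING_DIGITS = re.compile(r"\d+$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y) back into a parseable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part public suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def canonical_key(url: str) -> str:
    """Host plus path with any trailing digit run stripped from each path segment.

    'verify-lastpass.com/sso/login1234' and '.../login5678' map to the same key,
    so hundreds of unique-looking links collapse into one cluster to block.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    segments = [TRAILING_DIGITS.sub("", seg) for seg in parts.path.split("/")]
    return host + "/".join(segments)


def brand_lookalike(url: str):
    """Return the brand token if the host impersonates a brand it does not belong to, else None."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    flat = host.replace("-", "").replace("_", "")
    for token, legit in BRAND_TOKENS.items():
        if token in flat and registered_domain(host) not in legit:
            return token
    return None


def cluster(urls) -> dict:
    """Group URLs by canonical key; returns {key: [original urls...]}."""
    groups = defaultdict(list)
    for u in urls:
        groups[canonical_key(u)].append(u)
    return dict(groups)


# Constructed sample: numbered variants of one phishing path plus a legitimate URL.
SAMPLE_URLS = [
    "hxxps://verify-lastpass[.]com/sso/login1234",
    "hxxps://verify-lastpass[.]com/sso/login5678",
    "hxxps://verify-lastpass[.]com/sso/login90001",
    "https://lastpass.com/",
]

if __name__ == "__main__":
    for key, members in cluster(SAMPLE_URLS).items():
        print(f"{len(members)} url(s) -> {key}")
    for u in SAMPLE_URLS:
        print(f"{brand_lookalike(u) or '-':10} {u}")
```

Stripping only the trailing digit run keeps distinct paths distinct (`/sso/login` and `/sso/reset` stay separate) while folding the numbering trick; a gateway that blocks on the canonical key rather than the full URL is not fooled by a fresh number. The lookalike check deliberately compares the registrable domain, so `lastpass.com.example` and `verify-lastpass.com` are both flagged while `www.lastpass.com` is not.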
Protecting Yourself from Phishing Attempts
All LastPass users are strongly advised to approach any unexpected email referencing account activity with a high degree of suspicion. LastPass has reiterated that its support team will never request a user’s master password via email or any other communication channel. Users who are uncertain about the authenticity of a purported LastPass-branded email should report it directly to [email protected] so that the security team can investigate.
The ongoing efforts by LastPass and its partners are focused on dismantling these malicious sites as rapidly as possible. However, the persistent nature of such phishing campaigns underscores the critical importance of user vigilance. Always scrutinize the full sender’s email address in any security-related communication, avoid clicking on links that claim account activity has been detected, and instead navigate directly to the official LastPass website by manually typing the URL into your browser. This proactive approach is essential in safeguarding credentials from falling into the wrong hands.