New Phishing Campaign Targeting LastPass Customers
Summary:
LastPass has warned users about an active phishing campaign that began around January 19, 2026, in which attackers impersonate the password management service to steal users’ master passwords. The campaign uses convincing emails that claim that LastPass is about to conduct maintenance, urging recipients to create a local backup of their password vaults within 24 hours. The messages come with the following subject lines:
Security Officer Comments:
As seen in the subject lines of the emails, these messages aim to create a sense of urgency, urging users to click on a malicious link under the pretext of creating backups to not risk losing data during the “maintenance.” The use of an Amazon S3 URL is designed to reduce suspicion before redirecting victims to the fraudulent domain impersonating LastPass. Although these domains may look fairly similar to legitimate LastPass infrastructure, subtle discrepancies in the URL and the unexpected request for master credentials are key indicators of phishing.
Suggested Corrections:
LastPass says it will never ask for your master password and that it is working with third-party partners to take the malicious infrastructure down.
Below is a list of Malicious URLs and IPs associated with the latest campaign:
From:
https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers
LastPass has warned users about an active phishing campaign that began around January 19, 2026, in which attackers impersonate the password management service to steal users’ master passwords. The campaign uses convincing emails that claim that LastPass is about to conduct maintenance, urging recipients to create a local backup of their password vaults within 24 hours. The messages come with the following subject lines:
- LastPass Infrastructure Update: Secure Your Vault Now
- Your Data, Your Protection: Create a Backup Before Maintenance
- Don't Miss Out: Backup Your Vault Before Maintenance
- Important: LastPass Maintenance & Your Vault Security
- Protect Your Passwords: Backup Your Vault (24-Hour Window)
Security Officer Comments:
As seen in the subject lines of the emails, these messages aim to create a sense of urgency, urging users to click on a malicious link under the pretext of creating backups to not risk losing data during the “maintenance.” The use of an Amazon S3 URL is designed to reduce suspicion before redirecting victims to the fraudulent domain impersonating LastPass. Although these domains may look fairly similar to legitimate LastPass infrastructure, subtle discrepancies in the URL and the unexpected request for master credentials are key indicators of phishing.
Suggested Corrections:
LastPass says it will never ask for your master password and that it is working with third-party partners to take the malicious infrastructure down.
Below is a list of Malicious URLs and IPs associated with the latest campaign:
- “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”
- Serving IP address at time of publication: 52.95.155[.]90
- “mail-lastpass[.]com”
- Associated IP addresses at time of publication:
- 104[.]21[.]86[.]78
- 172[.]67[.]216[.]232
- 188[.]114.97[.]3
- Associated IP addresses at time of publication:
From:
- support@sr22vegas[.]com
- support@lastpass[.]server8
- support@lastpass[.]server7
- support@lastpass[.]server3
- 192[.]168[.]16[.]19
- 172[.]23[.]182[.]202
https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers