LastPass warns users about phishing emails posing as vault backup requests
Farah Amod
February 19, 2026
The company says attackers are using fake maintenance notices to trick customers into revealing credentials.
What happened
LastPass has warned customers about a phishing campaign that impersonates the company and urges users to create a password vault backup ahead of supposed system maintenance. According to SCWorld, the campaign began around January 19, 2026, and uses emails with subject lines that claim backups are required to prevent service disruption. The messages include a “Create Backup Now” button that redirects through an Amazon-hosted link before landing on a fake LastPass login page designed to steal master passwords. LastPass said it is working to take down the malicious domains and reminded users that it never asks for master passwords by email.
Going deeper
The phishing emails rely on urgency and familiarity to lower suspicion. Attackers reference routine maintenance and short response windows, a tactic often used during holiday periods when staffing may be reduced. The links embedded in the messages redirect users through cloud-hosted infrastructure before sending them to lookalike domains that closely mimic LastPass branding. Security teams identified multiple sender addresses and domains tied to the campaign, indicating coordinated activity rather than isolated attempts. If a user enters their master password, attackers could gain access to all credentials stored in the vault, making this type of phishing particularly damaging.
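The redirect-through-cloud-host-to-lookalike-domain chain described above is exactly what a mail-filtering or SOC triage rule should look for. The following Python script is an added example, not code from Paubox or LastPass: it parses a constructed phishing message modelled on the campaign (sender domain, redirector hop, lookalike landing domain and urgency wording are all made up for illustration), extracts the links, and reports why each one is suspicious for a message claiming to be from LastPass. The allow-list, the cloud-hop suffixes and the urgency patterns are assumptions a real deployment would tune; the domain splitting is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: the only registered domain a genuine LastPass email should link to.
BRAND = "lastpass"
BRAND_DOMAINS = {"lastpass.com"}
# Assumption: cloud hosts commonly abused as redirect hops (tune for your environment).
CLOUD_HOP_SUFFIXES = ("amazonaws.com", "cloudfront.net", "awstrack.me")
# Wording that manufactures urgency, as the campaign's "back up within 24 hours" lure does.
URGENCY_PATTERNS = (r"\b(?:within|in|next) \d+ hours?\b", r"service disruption", r"action required")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); a real deployment would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url):
    """Reasons a link is suspicious in a message claiming to come from BRAND; [] if none."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if registered_domain(host) in BRAND_DOMAINS:
        return reasons
    if host.endswith(CLOUD_HOP_SUFFIXES):
        reasons.append(f"cloud-hosted redirector: {host}")
    # Lookalike: the brand name is in the hostname but the registered domain is not the brand's.
    if BRAND in host.replace("-", ""):
        reasons.append(f"lookalike domain: {host}")
    # Redirect-through pattern: the real destination rides in a query parameter.
    for values in parse_qs(parsed.query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                reasons.extend("nested " + r for r in classify_url(value))
    return reasons


def analyze_message(raw):
    """Return a list of findings for a raw RFC 822 message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if sender and registered_domain(sender.group(1)) not in BRAND_DOMAINS:
        findings.append(f"sender domain is not {BRAND}: {sender.group(1)}")
    if msg.is_multipart():  # keep the example simple: single-part HTML bodies only
        return findings
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        for reason in classify_url(href):
            findings.append(f"link '{text}': {reason}")
    haystack = msg.get("Subject", "") + " " + body
    for pattern in URGENCY_PATTERNS:
        match = re.search(pattern, haystack, re.IGNORECASE)
        if match:
            findings.append(f"urgency cue: {match.group(0)}")
    return findings


# Constructed sample modelled on the campaign; every domain here is fictitious.
PHISHING_SAMPLE = """From: LastPass Support <support@lastpass-secure-mail.example>
Subject: Action required: back up your vault before scheduled maintenance
Content-Type: text/html

<html><body>
<p>Scheduled maintenance begins in 24 hours. Create a backup now to prevent service disruption.</p>
<a href="https://redirect-example-bucket.s3.amazonaws.com/r?u=https://vault-lastpass-backup.example/login">Create Backup Now</a>
</body></html>
"""

# Constructed control message that links only to the brand's own domain.
LEGIT_SAMPLE = """From: LastPass <noreply@lastpass.com>
Subject: Your monthly security report
Content-Type: text/html

<html><body><p>Your report is ready.</p>
<a href="https://www.lastpass.com/">Open LastPass</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(f"{name}: {analyze_message(sample) or 'no findings'}")
```

Run on the phishing sample, the script reports the off-brand sender domain, the Amazon-hosted redirector, the lookalike domain nested in its query string, and the urgency cues in the subject and body; the control message produces no findings. Any one of the link findings is enough to quarantine a message that claims to come from a password manager, which is why the sender check and the link check are reported separately rather than collapsed into a single score.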
What was said
LastPass said its Threat Intelligence, Mitigation, and Escalation (TIME) team is tracking an active phishing campaign that impersonates LastPass by sending fraudulent emails claiming users must back up their password vaults ahead of purported maintenance. The company warned customers that “LastPass is NOT asking customers to back up their vaults in the next 24 hours; rather, this is an attempt on the part of a malicious actor to generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails.” LastPass says it will never ask for a user's master password or require urgent action via unsolicited email, and it urges recipients to forward suspicious messages to its abuse reporting address for investigation.
In the know
It’s not the first time attackers have leaned on password manager branding to run phishing campaigns. In October 2025, Paubox documented a similar wave of emails impersonating LastPass and Bitwarden breach alerts. Those messages warned users that their vaults had been compromised and instructed them to download urgent “security updates.” Instead of fixing anything, the files installed remote access tools that gave attackers control of the victim’s device. Both campaigns follow the same pattern: real product features are referenced, the language feels routine rather than alarmist, and cloud-hosted links are used to add legitimacy.
The bottom line
The phishing campaign targeting LastPass users is an example of what security experts describe as “inherited trust” abuse, where attackers exploit the credibility of a well-known platform to make fraudulent messages appear legitimate. According to Paubox's report on the top 3 healthcare email attacks in 2025, phishing-driven mailbox takeovers were the most damaging email-based attack last year, exposing more than 630,000 individuals. The report explains that modern phishing has become “deception at scale,” meaning attackers use automation and artificial intelligence to copy the tone, structure, and urgency of real professional emails, which helps explain why 88% of healthcare workers report having clicked on a phishing link at least once.
FAQs
Why do phishing campaigns target password manager users?
Access to a password vault can expose multiple accounts at once, making these users especially valuable targets.
How can users verify whether a LastPass email is legitimate?
They should avoid clicking embedded links, inspect where a link actually points before trusting it (a redirector or a domain that merely contains the word “LastPass” is a warning sign), check announcements directly within their LastPass account by typing the address themselves, and confirm messages through the official website.
Why do attackers use holiday periods to launch campaigns?
Reduced staffing and slower response times can increase the chance that phishing emails go unnoticed or unreported.
What happens if a master password is compromised?
An attacker may gain access to all stored credentials, notes, and secure information contained in the vault.
What should users do if they interact with one of these emails?
They should immediately change their master password, review account activity, enable additional security protections, and contact LastPass support through official channels. Because a captured master password exposes everything in the vault, the credentials stored there should also be rotated, starting with the most sensitive accounts.