LastPass warned its customers of phishing emails impersonating the company, luring users to malicious sites under the guise of creating a vault backup.

The LastPass phishing campaign began around Jan. 19, 2026, during the Martin Luther King Jr. Day holiday when United States organizations are more likely to have reduced staff, the company noted.

The emails, with subject lines such as “Don’t Miss Out: Backup Your Vault Before Maintenance” and “Protect Your Passwords: Backup Your Vault (24-Hour Window),” claim LastPass will be undergoing maintenance and urge users to back up their password vaults to ensure “uninterrupted access” to credentials.

The link included in the email, labeled “Create Backup Now,” leads to the URL “group-content-gen2[.]s3[.]eu-west-3[.]amazonaws[.]com/5yaVgx51ZzGf,” which then redirects to a phishing site impersonating LastPass at “mail-lastpass[.]com.”

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team said it was working to have the domain taken down and reminded customers that LastPass staff will never ask them for their master password.
“If attackers collect this, they could gain access to virtually every login and secret stored in the vault. Attacks such as this can be very successful due to the use of legitimate branding, look-a-like domains, having a task with a time limit, and exploiting what could be a real feature in the request to backup data,” Chance Caldwell, senior director of the Phishing Defense Center at Cofense, told SC Media in an email.

LastPass published a full list of known subject lines, domains, IP addresses and email addresses associated with the campaign. Email addresses the phishing messages were sent from include support@sr22vegas[.]com and support@lastpass[.]server8.

The company urged customers to submit any suspicious LastPass-branded emails to [email protected], thanking customers who already reported the current campaign.

LastPass has been impersonated in previous phishing campaigns, including multiple campaigns by the CryptoChameleon phishing group in 2024 and 2025.

In April 2024, LastPass warned that CryptoChameleon’s phishing kit was being used in attacks that began with a phone call from an 888 number and then proceeded to emails containing phishing links.

In October 2025, LastPass revealed that CryptoChameleon was attempting to trick customers with fake legacy requests: requests by family members of deceased users to gain access to their password vaults by uploading a death certificate. When a user clicked a link to indicate they were not dead, they would be directed to a fake LastPass website aiming to steal their master password.
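
For mail teams triaging reports, the following added example (not code from LastPass, Cofense or SC Media) checks a message against the indicators quoted in this article and also flags brand look-alike hosts that are not on any list. It assumes lastpass.com is the vendor's genuine domain; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT = "lastpass.com"  # assumption: the vendor's genuine domain
# Indicators quoted in the article, stored defanged as published.
HOSTS = ["group-content-gen2[.]s3[.]eu-west-3[.]amazonaws[.]com", "mail-lastpass[.]com"]
SENDERS = ["support@sr22vegas[.]com", "support@lastpass[.]server8"]
SUBJECTS = ["Don\u2019t Miss Out: Backup Your Vault Before Maintenance",
            "Protect Your Passwords: Backup Your Vault (24-Hour Window)"]

def refang(s):
    return s.replace("[.]", ".").lower()
def norm(s):  # fold curly apostrophes and case so header variants still match
    return s.replace("\u2019", "'").casefold().strip()

BAD_HOSTS = {refang(h) for h in HOSTS}
BAD_SENDERS = {refang(s) for s in SENDERS}
BAD_SUBJECTS = {norm(s) for s in SUBJECTS}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_lookalike(host):
    """True if the host mentions the brand but is not LEGIT or a subdomain of it."""
    host = host.lower().rstrip(".")
    return "lastpass" in host and not (host == LEGIT or host.endswith("." + LEGIT))

def triage(raw):
    """Return a list of findings for one single-part message given as text."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in BAD_SENDERS:
        findings.append("known-sender")
    elif is_lookalike(sender.rpartition("@")[2]):
        findings.append("lookalike-sender")
    if norm(msg.get("Subject", "")) in BAD_SUBJECTS:
        findings.append("known-subject")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if host in BAD_HOSTS:
            findings.append("known-host:" + host)
        elif is_lookalike(host):
            findings.append("lookalike-host:" + host)
    return findings

# Constructed sample message (not real mail); indicators are refanged at runtime.
PHISH = (f"From: LastPass <{refang(SENDERS[0])}>\nSubject: {SUBJECTS[1]}\n\n"
         f"Create Backup Now: https://{refang(HOSTS[0])}/constructed-path\n")
```

Calling `triage(PHISH)` returns the sender, subject and host findings; a message whose links stay under lastpass.com returns an empty list.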

LastPass warns of vault backup phishing emails





