LastPass, the popular password management service, has issued an alert after customers were targeted in a phishing campaign designed to steal account credentials using fake maintenance warnings.
The campaign began around 19 January and involves emails falsely claiming that LastPass is about to carry out system maintenance. Recipients are urged to back up their password vaults within 24 hours, a tactic intended to create urgency and prompt rushed action.
LastPass said the emails use multiple sender addresses and subject lines such as “LastPass Infrastructure Update: Secure Your Vault Now”. Links in the messages lead to a convincing fake website, initially hosted in an Amazon S3 bucket, which then redirects users to a spoofed LastPass login page designed to capture master passwords.
The company stressed that it will never ask users to back up their vaults or share their master passwords by email. The campaign's timing, over a US holiday weekend, suggests the attackers were attempting to delay detection and extend the lifespan of the scam.
For businesses and other users, the alert is a reminder to be wary of urgent security emails, avoid clicking embedded links, and access LastPass only through its official website or app.