LastPass has alerted users about an active phishing campaign impersonating the popular password management service, aiming to steal users’ master passwords through fake maintenance notifications.
The campaign, first detected around January 19, 2026, involves emails claiming that urgent maintenance is required and instructing users to back up their vaults within 24 hours. Some of the phishing email subject lines include:
- LastPass Infrastructure Update: Secure Your Vault Now
- Your Data, Your Protection: Create a Backup Before Maintenance
- Don’t Miss Out: Backup Your Vault Before Maintenance
- Important: LastPass Maintenance & Your Vault Security
- Protect Your Passwords: Backup Your Vault (24-Hour Window)
How the Attack Works
The fraudulent emails direct victims to phishing sites hosted on platforms such as:
- group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf
- Redirecting further to mail-lastpass[.]com
According to LastPass, the company will never ask for users’ master passwords or request urgent action within a tight deadline. The firm is actively collaborating with third-party partners to take down the malicious infrastructure. Known email senders used in the campaign include:
- support@sr22vegas[.]com
- support@lastpass[.]server8
- support@lastpass[.]server7
- support@lastpass[.]server3
A spokesperson from LastPass’ Threat Intelligence, Mitigation, and Escalation (TIME) team emphasized that cybercriminals often exploit urgency to trick victims, a hallmark of phishing attacks.
Ongoing Threats and Updated Indicators
As of January 22, 2026, attackers resumed their phishing activity using new URLs after the initial infrastructure was taken down. Updated indicators include:
Phishing sites:
- systems-resources.s3.eu-west-3.amazonaws[.]com/sSvLaIvIEm5iMal
- security-lastpass[.]com
Subject lines observed in the new campaign:
- LastPass Server Maintenance: Backup Recommended
- LastPass Maintenance Scheduled: Here’s What You Need to Do
- Critical: Please Backup Your LastPass Vault Before Maintenance
- LastPass Infrastructure Update: Secure Your Vault Now
- LastPass Maintenance: Secure Your Data Today
- Important: LastPass Maintenance & Your Vault Security
LastPass has not disclosed how many users may have received these phishing emails, and there is currently no evidence of account compromise. However, the campaign is consistent with tactics used by organized cybercriminal groups targeting a broad user base.
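A check of inbound mail against the senders, subject lines and hosts listed in both indicator sections above, as an added example that is not LastPass's code or part of the original article. The function names and the two sample messages are constructed for illustration, and it assumes single-part plain-text messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators copied from this page, kept defanged at rest.
HOSTS = ["group-content-gen2.s3.eu-west-3.amazonaws[.]com", "mail-lastpass[.]com",
         "systems-resources.s3.eu-west-3.amazonaws[.]com", "security-lastpass[.]com"]
SENDERS = ["support@sr22vegas[.]com", "support@lastpass[.]server8",
           "support@lastpass[.]server7", "support@lastpass[.]server3"]
SUBJECTS = [
    "LastPass Infrastructure Update: Secure Your Vault Now",
    "Your Data, Your Protection: Create a Backup Before Maintenance",
    "Don’t Miss Out: Backup Your Vault Before Maintenance",
    "Important: LastPass Maintenance & Your Vault Security",
    "Protect Your Passwords: Backup Your Vault (24-Hour Window)",
    "LastPass Server Maintenance: Backup Recommended",
    "LastPass Maintenance Scheduled: Here’s What You Need to Do",
    "Critical: Please Backup Your LastPass Vault Before Maintenance",
    "LastPass Maintenance: Secure Your Data Today",
]

def norm(s):
    """Refang, unify apostrophes, collapse whitespace, lowercase."""
    s = s.replace("[.]", ".").replace("\u2019", "'")
    return " ".join(s.split()).lower()

BAD_HOSTS = {norm(h) for h in HOSTS}
BAD_SENDERS = {norm(s) for s in SENDERS}
BAD_SUBJECTS = {norm(s) for s in SUBJECTS}

def host_hit(host):
    """Exact host or subdomain match only, so lastpass.com itself never matches."""
    return any(host == h or host.endswith("." + h) for h in BAD_HOSTS)

def check_message(raw):
    """Return the sorted indicator types found in one raw single-part message."""
    msg = message_from_string(raw)
    hits = set()
    if norm(parseaddr(msg.get("From", ""))[1]) in BAD_SENDERS:
        hits.add("sender")
    if norm(msg.get("Subject", "")) in BAD_SUBJECTS:
        hits.add("subject")
    for url in re.findall(r"https?://[^\s\"'<>]+", str(msg.get_payload())):
        if host_hit((urlparse(url).hostname or "").lower()):
            hits.add("url")
    return sorted(hits)

# Constructed sample messages (not real captures); indicators are refanged only in memory.
PHISH = ("From: LastPass <" + norm(SENDERS[0]) + ">\nSubject: Don't Miss Out: Backup "
         "Your Vault Before Maintenance\n\nBack up now: https://" + norm(HOSTS[1]) + "/x\n")
CLEAN = ("From: IT <it@example.com>\nSubject: Patch window Friday\n\n"
         "Log in at https://lastpass.com/ as usual.\n")
```

Because the attackers rotated URLs after the first takedown, exact-match indicators like these go stale quickly; treat a hit as high confidence and a miss as no evidence either way.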
Previous Campaigns
This development follows previous warnings from LastPass regarding malware campaigns targeting macOS users through fake GitHub repositories masquerading as the password manager. Those campaigns aimed to distribute malware-laced programs while impersonating legitimate software.