LastPass said in a blog post that a phishing campaign began on or around January 19 2026 sending emails that claim imminent maintenance and urge users to create a local backup of their password vaults within a 24 hour window.
KEY FACTS
- Incident Phishing emails impersonating the password manager
- Start date On or around January 19 2026
- Lure Claims of maintenance and a 24 hour backup window
- Redirects Attack flow begins at an S3 URL and routes to a malicious domain
- Sender addresses Multiple spoofed support addresses used
The messages present maintenance and backup subject lines designed to create urgency and prompt immediate action. Subject examples in the advisory describe maintenance and vault protection prompts rather than technical details about the service.
Recipients are steered to a staging URL on Amazon S3 that then redirects to a domain used in the campaign. A VirusTotal domain report mail-lastpass.com domain report corresponds to the domain referenced in the advisory.
The advisory lists originating email addresses that include support@sr22vegas[.]com and several malformed support addresses that mimic service hosts. The messages ask recipients to create local backups and to enter credentials that would expose master passwords.
The advisory warns the vendor will never ask for master passwords and notes work is under way with third parties to remove the malicious infrastructure. Users are encouraged to remain vigilant and report suspicious messages to the vendor.
WHY IT MATTERS
Phishing that imitates a password manager can capture master passwords and allow attackers to unlock large numbers of stored credentials. Users should not provide master passwords or follow links in unexpected messages and should report suspected phishing to the vendor.