LastPass has warned users about an active phishing campaign impersonating the company in an attempt to steal master passwords.
First observed around 19 January 2026, the campaign uses emails claiming urgent infrastructure maintenance and pressures recipients to back up their password vaults within 24 hours. The sense of urgency is designed to trick users into clicking malicious links and entering their credentials on fake websites.
Indicators of Compromise (IoCs)
Phishing Sites (Initial Campaign):
- group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf
- mail-lastpass[.]com
Email Senders Observed:
- support@sr22vegas[.]com
- support@lastpass[.]server8
- support@lastpass[.]server7
- support@lastpass[.]server3
LastPass has reiterated that it will never ask for a master password or demand immediate action under tight deadlines. The company is working with partners to take down the malicious infrastructure and says there is currently no evidence that accounts have been compromised.

Update – 22 January 2026
A new wave of phishing emails has been detected using similar messaging but different URLs.
New Phishing Sites:
- systems-resources.s3.eu-west-3.amazonaws[.]com/sSvLaIvIEm5iMal
- security-lastpass[.]com
Users are advised to avoid clicking links in unsolicited emails, verify messages via official LastPass channels, and report any suspicious activity.
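One way to check mail against the indicators listed above is the following added example, which is not LastPass tooling or part of the original advisory. It refangs the published indicators and matches a message's From header and body URLs against them; the function names and the sample message are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators exactly as published in this advisory (still defanged).
URL_IOCS = [
    "group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf",
    "mail-lastpass[.]com",
    "systems-resources.s3.eu-west-3.amazonaws[.]com/sSvLaIvIEm5iMal",
    "security-lastpass[.]com",
]
SENDER_IOCS = [
    "support@sr22vegas[.]com", "support@lastpass[.]server8",
    "support@lastpass[.]server7", "support@lastpass[.]server3",
]

def refang(value):
    """Undo the [.] defanging used in the advisory."""
    return value.strip().replace("[.]", ".")

def _rule(ioc):
    """Split an indicator into (lowercased host, case-preserved path prefix)."""
    host, _, path = refang(ioc).partition("/")
    return host.lower(), ("/" + path if path else "")

URL_RULES = [_rule(i) for i in URL_IOCS]
SENDERS = {refang(s).lower() for s in SENDER_IOCS}

def url_is_listed(url):
    """Listed host or a subdomain of it, and path starting with the listed path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return any(
        (host == h or host.endswith("." + h)) and parts.path.startswith(p)
        for h, p in URL_RULES
    )

def scan_message(from_header, body):
    """Return (kind, value) hits for one message's From header and body."""
    hits = []
    addr = parseaddr(from_header)[1].lower()
    if addr in SENDERS:
        hits.append(("sender", addr))
    hits += [("url", u) for u in re.findall(r"https?://[^\s\"'<>\[\]]+", body)
             if url_is_listed(u)]
    return hits

if __name__ == "__main__":  # constructed sample, built from the indicators above
    body = "Back up your vault: https://" + refang(URL_IOCS[1]) + "/backup"
    print(scan_message("LastPass <" + refang(SENDER_IOCS[0]) + ">", body))
```

The 22 January update shows the URLs changing between waves, so a match list like this only covers the indicators published so far.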

