- LastPass phishing campaign tricks victims into taking their master passwords
- Fake maintenance email warns users to backup their vaults urgently
- “No one at LastPass will ever ask you for your master password”
LastPass has issued a warning about a new phishing campaign that seeks to trick users into handing over their master passwords and with that, potentially all of their passwords, 2FA codes, payment details, and more.
A fake email warning about “scheduled maintenance” encourages users to backup their password manager vaults within 24 hours, only to steal their credentials.
This false sense of urgency is one of the most common ways to trip up victims into sharing credentials, forcing them to pass some basic checks that would highlight dubious activity.
LastPass users warned about January 2026 phishing campaign
“Please note that LastPass does NOT ask customers to back up their vaults in the next 24 hours,” the company emphasized. “Remember that no one at LastPass will ever ask you for your master password.”
A genuine-looking email template covers all the essential elements: an assumed commitment to security, instructions on how to perform the backup, and contact methods for further questions.
However, there are some quick actions that users can take before falling victim. For example, campaign sender addresses include support@sr22vegas.[.]es, support@lastpass[.]server8, support@lastpass[.]server7 and support@lastpass[.]server3.
LastPass promises to work with third-party partners to remove the domains it identifies and encourages users to report suspicious emails to [email protected].
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
