LastPass Warns of Phishing Messages Mimicking Maintenance Notices to Steal Master Passwords
LastPass is notifying customers about an active phishing campaign masquerading as the password manager, attempting to harvest users’ master passwords.
According to LastPass, the activity started on or around January 19, 2026, and relies on phishing emails that reference scheduled maintenance and pressure recipients to create a local backup of their password vaults within 24 hours. The messages observed by LastPass use the following subjects –
- LastPass Infrastructure Update: Secure Your Vault Now
- Your Data, Your Protection: Create a Backup Before Maintenance
- Don’t Miss Out: Backup Your Vault Before Maintenance
- Important: LastPass Maintenance & Your Vault Security
- Protect Your Passwords: Backup Your Vault (24-Hour Window)
The phishing emails attempt to drive targets to the URL “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”, which then forwards to the domain “mail-lastpass[.]com.”
LastPass has reiterated that it does not request master passwords under any circumstances and noted that it is coordinating with external partners to dismantle the malicious infrastructure. The company has also published the sending addresses linked to this campaign –
- support@sr22vegas[.]com
- support@lastpass[.]server8
- support@lastpass[.]server7
- support@lastpass[.]server3
“This campaign is intended to manufacture a sense of urgency, which remains one of the most common and successful patterns we see in phishing operations,” a spokesperson for the Threat Intelligence, Mitigation, and Escalation (TIME) team at LastPass told The Hacker News.
“We want customers and the wider security community to understand that LastPass will never request their master password or insist on immediate action with strict time limits. We appreciate customers who remain alert and continue to report suspicious activity.”
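The following is an added example, not code from LastPass or from the original article: a Python check that scans a raw email message for the subject lines, sending addresses and URL hosts reported above. The function names, the sample messages and the URL path in the sample are constructed for illustration; the indicators are stored defanged and refanged only at run time.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

def refang(s):
    """Turn a defanged indicator (example[.]com) back into its real form."""
    return s.replace("[.]", ".")

def norm(s):
    """Lowercase, collapse whitespace, fold the typographic apostrophe."""
    return " ".join(s.replace("\u2019", "'").split()).lower()

# Indicators copied from the article, stored defanged.
SUBJECTS = {norm(s) for s in (
    "LastPass Infrastructure Update: Secure Your Vault Now",
    "Your Data, Your Protection: Create a Backup Before Maintenance",
    "Don\u2019t Miss Out: Backup Your Vault Before Maintenance",
    "Important: LastPass Maintenance & Your Vault Security",
    "Protect Your Passwords: Backup Your Vault (24-Hour Window)")}
SENDERS = {refang(s) for s in (
    "support@sr22vegas[.]com", "support@lastpass[.]server8",
    "support@lastpass[.]server7", "support@lastpass[.]server3")}
HOSTS = {refang(h) for h in (
    "group-content-gen2.s3.eu-west-3.amazonaws[.]com", "mail-lastpass[.]com")}

def scan_message(raw):
    """Return the list of indicator types found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if norm(str(msg["Subject"] or "")) in SUBJECTS:
        hits.append("subject")
    # parseaddr takes the real address, not the display name.
    if parseaddr(str(msg["From"] or ""))[1].lower() in SENDERS:
        hits.append("sender")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in re.findall(r"https?://([^/\s\"'<>]+)", text, flags=re.I):
        host = host.rsplit("@", 1)[-1].split(":")[0].lower()  # drop userinfo/port
        if host in HOSTS and "url:" + host not in hits:
            hits.append("url:" + host)
    return hits

# Constructed sample messages (not real captures); the URL path is made up.
PHISH = refang("From: LastPass <support@lastpass[.]server7>\n"
               "Subject: Don't Miss Out: Backup Your Vault Before Maintenance\n\n"
               "Create your backup: https://mail-lastpass[.]com/backup\n")
BENIGN = ("From: Newsletter <news@example.com>\n"
          "Subject: Your weekly security digest\n\n"
          "Read more at https://example.com/digest\n")
```

Exact-match indicators like these only catch this specific wave; they complement, rather than replace, sender authentication checks and user reporting.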
This activity follows a previous incident in which LastPass warned users about an information-stealing campaign targeting Apple macOS users via fraudulent GitHub repositories that delivered malware-laced applications posing as the password manager and other widely used software.
