UPDATE 1/23: LastPass confirmed to PCMag that it has seen another wave of phishing emails sent to its customers since its original report on Tuesday, with similar email designs but different linking strategies to fool targets into sharing data with scammers.
LastPass says the hackers are sending from addresses in the format support@lastpass. followed by a series of two to five different characters. Also look out for URLs featured in the scam emails: the scammers use security-lastpass.com to trick customers.
LastPass reminds all users to ensure emails come from its legitimate addresses. It says its emails should come from five options, including @lastpass.com, @sendgrid.com, @m.lastpass.com, @t.lastpass.com, and @ar.lastpass.com. You can read more advice from the password manager here.
Original Story 1/20:
If you use LastPass as your password manager of choice, be on the lookout for an ongoing email scam aimed at gaining access to your vault of logins and personal information.
The password management company warned users that it has seen an influx of phishing emails sent out since Jan. 19. LastPass says it didn’t send any emails asking customers to back up their vaults in the next 24 hours.
The email has a clear call to action at the top telling customers to “Create Backup Now,” which is hyperlinked with a fake address.
LastPass says that the link directs customers to a phishing site hosted at “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf.” It then redirects to a website called “mail-lastpass.com,” which has no affiliation with the password manager.
The emails are sent under multiple subject lines, including “Protect Your Passwords: Backup Your Vault (24-Hour Window),” “LastPass Infrastructure Update: Secure Your Vault Now,” and “Don’t Miss Out: Backup Your Vault Before Maintenance.”
LastPass notes that scammers likely coordinated the campaign to begin on Martin Luther King Jr. Day in the US, in an attempt to take advantage of a holiday period when fewer staff members may be available to address scams.
The brand says it’s working with partners to have the fake domain taken down. It also says it will never ask you directly for your master password outside its own tools, urging caution when interacting with emails that appear to be from the password manager and ask a customer to take action.
In October last year, LastPass saw another phishing scam targeting post-death legacy features. The scammers aimed to trick customers into handing over details for a feature that grants emergency access to an account after a user has died.
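For mail administrators and analysts, the sender list and lookalike domains LastPass describes can be turned into a simple triage check. The sketch below is an added example, not LastPass or PCMag code: the function names, the finding strings, the `.invalid` sender and the sample message are constructed for illustration, and the From header it reads can be forged, so it complements SPF/DKIM/DMARC results rather than replacing them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender domains the article lists as legitimate for LastPass mail.
LEGIT_SENDER_DOMAINS = {
    "lastpass.com", "sendgrid.com", "m.lastpass.com",
    "t.lastpass.com", "ar.lastpass.com",
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def is_brand_lookalike(host: str) -> bool:
    """Host mentions the brand but is not lastpass.com or a subdomain of it."""
    host = host.lower().rstrip(".")
    official = host == "lastpass.com" or host.endswith(".lastpass.com")
    return "lastpass" in host and not official


def triage(raw_email: str) -> list[str]:
    """Return findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_email)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    if domain not in LEGIT_SENDER_DOMAINS:
        kind = "lookalike" if is_brand_lookalike(domain) else "unlisted"
        findings.append(f"sender:{kind}:{domain}")
    # Collect leaf parts as text (transfer-encoded parts are not decoded here).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    # Analysts often share samples defanged; undo that before parsing links.
    body = body.replace("[.]", ".").replace("hxxp", "http")
    hosts = {urlsplit(u).hostname or "" for u in URL_RE.findall(body)}
    for host in sorted(hosts):
        if is_brand_lookalike(host):
            findings.append(f"link:lookalike:{host}")
    return findings


# Constructed sample (not a captured message); the sender TLD is a placeholder.
SAMPLE = """\
From: "LastPass Support" <support@lastpass.invalid>
Subject: LastPass Infrastructure Update: Secure Your Vault Now

Create Backup Now: hxxps://mail-lastpass[.]com/
Help: https://support.lastpass.com/
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Name matching does not flag the first-hop Amazon S3 link from the original report, because that host carries no brand string; catching it requires checking link hosts against an allowlist or following redirects in a sandbox.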
