LastPass has urged users to be vigilant about an email phishing campaign that impersonates the password manager provider in an attempt to steal master passwords and take over accounts.
The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team issued the warning after they became aware of an active phishing campaign which started on January 19.
The phoney emails claim to be from LastPass and warn users that they must take urgent action by clicking a link in the message within 24 hours to back up their password vaults ahead of planned maintenance.
The link is malicious and sends users to a fake LastPass login screen. A user who enters their email address and password there hands the attackers the master password for their LastPass account, the single credential that unlocks the vault.
Because LastPass is a password manager, the victim does not just lose their LastPass password: the login credentials for every account stored in the vault are likely to be compromised as well.
Figures from the company suggest that LastPass has 33 million users and over 100,000 business customers.
LastPass described the impersonation campaign as “circulating widely” and urged users to be vigilant, noting that the 24-hour deadline is designed to spook people into clicking the malicious link.
Subject lines used in this LastPass phishing campaign include:
- LastPass Infrastructure Update: Secure Your Vault Now
- Your Data, Your Protection: Create a Backup Before Maintenance
- Don't Miss Out: Backup Your Vault Before Maintenance
- Important: LastPass Maintenance & Your Vault Security
- Protect Your Passwords: Backup Your Vault (24-Hour Window)
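The subject lines above are the one concrete indicator the article gives, and a mail filter can match on them together with the traits the text describes: a message that invokes LastPass but comes from a non-LastPass sender, a login link hosted elsewhere, and deadline language. The Python below is an added example, not LastPass's own tooling or anything published by its TIME team. The sender and link hosts in the sample messages are constructed placeholders, not indicators LastPass has released, and treating lastpass.com as the only legitimate sender domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines LastPass attributed to this campaign (taken from the article).
CAMPAIGN_SUBJECTS = {
    "LastPass Infrastructure Update: Secure Your Vault Now",
    "Your Data, Your Protection: Create a Backup Before Maintenance",
    "Don't Miss Out: Backup Your Vault Before Maintenance",
    "Important: LastPass Maintenance & Your Vault Security",
    "Protect Your Passwords: Backup Your Vault (24-Hour Window)",
}

# Assumption: genuine LastPass notifications come only from this domain.
LEGIT_DOMAINS = {"lastpass.com"}

# Deadline / urgency phrases typical of the lure described in the article.
URGENCY_RE = re.compile(r"\b(24[- ]hour|within 24 hours|immediately|urgent)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def _norm(text: str) -> str:
    """Collapse whitespace and case so subject comparison is tolerant of minor edits."""
    return " ".join(text.split()).casefold()


def _is_legit_host(host: str) -> bool:
    """True if host is one of the legitimate domains or a subdomain of one."""
    host = host.casefold().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def _body_text(msg) -> str:
    """Extract the text/plain content of a parsed message (multipart or not)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def analyze(raw_message: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    body = _body_text(msg)
    indicators = []

    # 1. Exact match against the subject lines reported for this campaign.
    if _norm(subject) in {_norm(s) for s in CAMPAIGN_SUBJECTS}:
        indicators.append("subject matches reported campaign subject")

    # 2. Brand claim from a sender outside the legitimate domain.
    brand_mentioned = "lastpass" in _norm(subject + " " + body)
    if brand_mentioned and not _is_legit_host(sender_domain):
        indicators.append(f"claims to be LastPass but sent from {sender_domain or '<no address>'}")

    # 3. Links that lead somewhere other than the legitimate domain.
    bad_links = sorted({u for u in URL_RE.findall(body)
                        if not _is_legit_host(urlparse(u).hostname or "")})
    if brand_mentioned and bad_links:
        indicators.append("links to non-LastPass host: " + ", ".join(bad_links))

    # 4. The artificial deadline the campaign relies on.
    if URGENCY_RE.search(subject + " " + body):
        indicators.append("deadline / urgency language")

    return {"sender_domain": sender_domain,
            "indicators": indicators,
            "suspicious": len(indicators) >= 2}


# Constructed sample resembling the lure described above; the sender and link
# hosts are invented placeholders, not indicators published by LastPass.
PHISH_SAMPLE = """\
From: "LastPass Support" <noreply@lastpass-maintenance.example>
To: user@example.org
Subject: Protect Your Passwords: Backup Your Vault (24-Hour Window)

Scheduled maintenance starts soon. Back up your LastPass vault within 24 hours:
https://vault-backup.example/login
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """\
From: "LastPass" <noreply@lastpass.com>
To: user@example.org
Subject: Your monthly security score

View your report at https://lastpass.com/security-dashboard
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        print(analyze(sample))
```

The exact-subject check will age quickly once the attackers rotate wording, which is why the verdict requires at least two independent indicators; the sender-domain and link-host checks carry the weight after the listed subjects stop appearing. Display names are ignored on purpose, since "LastPass Support" in the From header is the attacker's choice, not the mail system's.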
In a statement, LastPass said it was actively working with third-party partners to have the domain that is sending these emails taken down as soon as possible.
“This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks,” said the LastPass TIME team.
“We want customers and the broader security community to be aware that LastPass will never ask for their master password or demand immediate action under a tight deadline. We thank our customers for staying vigilant and continuing to report suspicious activity.”
LastPass and other password managers are regularly targeted by cybercriminals as they look for the most effective way to steal login credentials.
Hackers have also targeted LastPass itself. A cyber-attack in 2022 saw attackers steal parts of LastPass source code, along with proprietary technical information.
Last year, the company was issued with a fine of £1.2m ($1.6m) by the UK’s data protection watchdog. The Information Commissioner’s Office said that LastPass failed its customers by not putting sufficiently robust technical and security measures in place.
