LastPass Confirms Ongoing Phishing Campaign Targeting Master Passwords
The company says there is no evidence of a breach.
Overview
- LastPass reports an active campaign that began on or around March 1, 2026, and continues to target its users.
- Attackers impersonate LastPass via display-name spoofing and urgent unauthorized-access alerts, a tactic that can fool mobile email clients that hide full sender addresses.
- Emails are styled as forwarded support threads with subjects such as "Re: pending approval" and link to fake login pages, including verify-lastpass[.]com, to harvest master passwords.
- LastPass published indicators of compromise detailing malicious URLs, IP addresses, sender addresses, and subject lines tied to the operation.
- The company is coordinating takedowns with Forta Brand Protection and hosting providers, and advises users to avoid clicking unsolicited links, never share a master password, and report suspect messages to abuse@lastpass.com.
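
A mail-filter check for the display-name spoofing described above, as an added example that is not from LastPass or its published indicators. It assumes only lastpass.com and its subdomains are genuine senders; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string, policy

# Assumption: only lastpass.com (and subdomains) counts as a genuine sender here.
TRUSTED_DOMAINS = ("lastpass.com",)
BRAND = "lastpass"

def is_trusted(domain):
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def spoof_findings(raw_message):
    """Return reasons the From header looks like LastPass impersonation."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ["missing or unparseable From header"]
    findings = []
    for addr in header.addresses:
        # display_name is what a mobile client shows; policy.default has
        # already decoded RFC 2047 encoded words, so encoding cannot hide it.
        shown = "".join(addr.display_name.lower().split())
        domain = addr.domain.lower()
        if is_trusted(domain):
            continue
        if BRAND in shown:
            findings.append(f"display name {addr.display_name!r} but sender domain is {domain}")
        if BRAND in domain:
            findings.append(f"lookalike sender domain {domain}")
    return findings

# Constructed sample messages (not taken from the campaign's published IoCs).
SAMPLES = {
    "spoofed_name": 'From: "LastPass Support" <notice@mail-relay.example>\n'
                    "Subject: Re: pending approval\n\nbody\n",
    "encoded_name": "From: =?utf-8?b?TGFzdFBhc3M=?= <alerts@lastpass-alerts.example>\n"
                    "Subject: Re: pending approval\n\nbody\n",
    "genuine": "From: LastPass <noreply@lastpass.com>\nSubject: Account notice\n\nbody\n",
    "unrelated": "From: Alice <alice@corp.example>\nSubject: lunch\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, spoof_findings(raw) or "clean")
```

This checks header consistency only: a From address at a trusted domain can still be forged, so pair it with the receiving server's SPF, DKIM and DMARC results.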