(Credit: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)
UPDATE 1/23: LastPass confirmed to PCMag that it has seen another wave of phishing emails sent to its customers since its original report on Tuesday, with similar email designs but different linking strategies to fool targets into sharing data with scammers.
It says the hackers are using the email address format support@lastpass. followed by a series of two to five different characters. You should also look out for URLs featured in emails from scammers, who use security-lastpass.com to trick customers.
LastPass reminds all users to ensure emails come from its legitimate addresses. It says its emails should come from five options, including @lastpass.com, @sendgrid.com, @m.lastpass.com, @t.lastpass.com, and @ar.lastpass.com. You can read more advice from the password manager here.
Original Story 1/20:
If you use LastPass as your password manager of choice, be on the lookout for an ongoing email scam aimed at gaining access to your vault of logins and personal information.
The password management company warned users that it has seen an influx of phishing emails sent out since Jan. 19. LastPass says it didn’t send any emails asking customers to backup their vaults in the next 24 hours.
The email has a clear call to action at the top telling customers to "Create Backup Now," which is hyperlinked with a fake address.
LastPass says that the link directs customers to a phishing site hosted at "group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf." It then redirects to a website called "mail-lastpass.com," which has no affiliation with the password manager.
The emails are sent under multiple subject lines, including “Protect Your Passwords: Backup Your Vault (24-Hour Window),” "LastPass Infrastructure Update: Secure Your Vault Now,” and “Don’t Miss Out: Backup Your Vault Before Maintenance.”
LastPass notes that scammers likely coordinated the campaign to begin on Martin Luther King Jr. Day in the US, in an attempt to take advantage of a holiday period when fewer staff members may be available to address scams.
The brand says it’s working with partners to have the fake domain taken down. It also says it will never ask you directly for your master password outside its own tools, urging caution when interacting with emails that appear to be from the password manager and ask a customer to take action.
In October last year, LastPass saw another phishing scam targeting post-death legacy features. The scammers aimed to trick customers into handing over details for a feature that grants emergency access to an account after a user has died.