securityaffairs.com 3/4/2026, 3:40:30 PM · via preferred

Phishing emails spoof LastPass alerts to steal master passwords

Primary Source blog.lastpass.com

LastPass has warned users about a new phishing campaign, beginning around 1 March 2026, that uses fake security alerts claiming unauthorised access or master password changes to steal users’ master passwords. The emails spoof LastPass’s display name, are sent from multiple addresses, and are designed to resemble forwarded internal messages about account access in order to deceive recipients.

According to LastPass, attackers forward fake email threads to make it look as though someone is attempting to export a vault, recover an account, or register a new device, and use display-name impersonation to hide the true sender. The links in the messages lead to a fake SSO page at verify-lastpass[.]com that harvests credentials. Many email clients show only the display name, which makes the spoofing easier.

LastPass also reminded customers that it will never ask for their master password and is working with partners to take down the phishing sites; it provides IoCs including the malicious URLs and related IP addresses.
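The two traits described above (a brand display name on an unrelated sender address, and a link to a lookalike host) can be checked mechanically. The following is an added example, not code from LastPass or the article; the trusted-domain list, the sample messages and the sender addresses in them are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "lastpass"
# Assumption: the domains you accept as genuine; extend to match your own allowlist.
TRUSTED_DOMAINS = {"lastpass.com"}

def is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def refang(text):
    # Reports often defang indicators (hxxps://, [.]); normalise before parsing.
    return text.replace("[.]", ".").replace("hxxp", "http")

def check_message(raw):
    """Return findings for one RFC 5322 message supplied as a string."""
    msg = message_from_string(raw)
    findings = []
    # 1. Display name claims the brand, but the real address is elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if BRAND in display.lower() and not is_trusted(domain):
        findings.append(f"display-name spoof: {display!r} from {domain or 'unknown'}")
    # 2. Links whose host contains the brand but is not a trusted domain.
    #    Only undecoded text parts are scanned here (no base64/QP decoding).
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    for url in re.findall(r"https?://[^\s<>\"']+", refang(body)):
        host = (urlparse(url).hostname or "").lower()
        if BRAND in host and not is_trusted(host):
            findings.append(f"lookalike link: {host}")
    return findings

# Constructed sample messages (not real captures); the sender addresses are made up.
SAMPLE_PHISH = """From: "LastPass Support" <alerts@mail-notify.example>
Subject: Fwd: New device registered

Confirm this was you: hxxps://verify-lastpass[.]com/sso
"""
SAMPLE_LEGIT = """From: LastPass <no-reply@lastpass.com>
Subject: Security update

Details: https://blog.lastpass.com/
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(raw))
```

A match on either rule is a triage signal rather than a verdict; sender authentication results (SPF, DKIM, DMARC) should be weighed alongside it.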


Article by CyberSIXT