LastPass warns of spoofed alerts aimed at stealing master passwords

Pierluigi Paganini March 04, 2026

LastPass warns of a phishing campaign using fake security alerts about unauthorized access or password changes to steal users’ master passwords.

LastPass has warned users about a new phishing campaign using fake security alerts that claim unauthorized access or master password changes. The emails, which spoof LastPass’s display name, attempt to trick recipients into revealing their master password and compromising their accounts.

LastPass's TIME team has alerted customers about an active phishing campaign that began around March 1, 2026. The emails, sent from multiple addresses with varying subject lines, are crafted to look like forwarded internal messages about unauthorized account access.

LastPass warned that attackers are forwarding fake email threads to make it seem someone is trying to export a vault, recover an account, or register a new device.

Using display name spoofing, the attackers set the sender's display name to look like LastPass while the actual sending address sits on an unrelated domain, which many mail clients do not show unless the recipient expands the header. The emails urge users to click links that lead to a fake SSO login page at verify-lastpass[.]com, where the master password is harvested.

“The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it.” reads the alert published by LastPass. “The emails instruct targets to take some type of action (i.e., report suspicious activity, disconnect and lock vault, revoke device, etc.) if something looks off via provided links; these links then direct targets to fake SSO login pages via https[:]//verify-lastpass[.]com as the primary URL to collect users’ credentials (see below).”
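The two tricks the advisory describes, a brand name in the display name over an unrelated sender address and a lookalike domain in the link, can both be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from LastPass or from the article: it parses a raw message, flags display-name spoofing, flags hostnames that contain the brand name but are not on an allow-list of legitimate domains, and matches links against a small IoC list. The only indicator taken from the advisory is verify-lastpass[.]com (refanged in code); the allow-list `LEGIT_DOMAINS`, the two sample messages, the `example.net`/`example.org` hosts in them, and the function names are assumptions made for the example.

```python
"""Triage check for LastPass-branded phishing mail (added example, not the
advisory's or the article's own code).

Flags:
  1. display-name spoofing: From display name claims the brand while the
     address is on a domain outside LEGIT_DOMAINS;
  2. lookalike link hosts: hostname contains the brand name but is not a
     legitimate domain (the attacker's verify-lastpass[.]com pattern);
  3. links whose host is on a known-bad IoC list.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "lastpass"
# Assumed allow-list of genuine sender/link domains (illustrative only;
# replace with your organisation's verified list).
LEGIT_DOMAINS = {"lastpass.com"}

# Indicator as published in the advisory, in defanged form.
IOC_RAW = {"verify-lastpass[.]com"}

URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)


def refang(value: str) -> str:
    """Turn the defanged notation used in advisories back into a real host/URL."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOC_HOSTS = {refang(h).lower() for h in IOC_RAW}


def domain_of(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased, trailing dot stripped."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def is_legit_domain(domain: str) -> bool:
    """True if domain is, or is a subdomain of, an allow-listed domain."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def check_sender(from_header: str) -> list[str]:
    """Brand name in the display name but address on a foreign domain."""
    name, addr = parseaddr(from_header)
    if BRAND in name.lower() and not is_legit_domain(domain_of(addr)):
        return [f"display-name spoofing: '{name}' <{addr}>"]
    return []


def check_links(body: str) -> list[str]:
    """IoC hits and brand-lookalike hosts among the links in the body."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            findings.append(f"known IoC host: {host}")
        elif BRAND in host and not is_legit_domain(host):
            findings.append(f"lookalike domain: {host}")
    return findings


def triage(raw_message: str) -> list[str]:
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return check_sender(msg.get("From", "")) + check_links(body)


# Constructed sample mirroring the campaign's lure (not a real captured mail).
PHISH_SAMPLE = """From: LastPass Security <alerts@mail-relay.example.net>
Subject: FW: Unauthorized vault export attempt
Content-Type: text/plain

Someone requested an export of your vault. If this was not you,
disconnect and lock your vault: https://verify-lastpass.com/sso/login
or revoke the device here: https://lastpass-device-check.example.org/revoke
"""

# Constructed benign sample on the allow-listed domain.
LEGIT_SAMPLE = """From: LastPass <noreply@lastpass.com>
Subject: Your monthly security summary
Content-Type: text/plain

View your dashboard at https://lastpass.com/
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample))
```

The check deliberately looks at the mailbox address rather than the display name because that is what the lure hides. It does not catch a message that forges the From address itself onto lastpass.com; that case belongs to SPF/DKIM/DMARC evaluation at the gateway (the Authentication-Results header), which should be consulted alongside this kind of content check.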

LastPass reminds users it will never ask for their master password and is working with partners to take down the phishing sites. Customers are urged to stay cautious and report suspicious LastPass-branded emails to [email protected] to help protect the community.

The advisory provides indicators of compromise (IoCs), including the malicious URLs and related IP addresses.


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)
