LastPass Phishing Scam: Backup Request Warning

by Priyanka Patel

WASHINGTON, January 23, 2024 – LastPass users are facing a new phishing attempt designed to exploit their security fears, the password manager warned Tuesday. The campaign falsely claims LastPass is undergoing maintenance and urges customers to back up their vaults within 24 hours.

Phishing Attack Leverages False Urgency

A new phishing campaign is targeting LastPass customers with a fabricated maintenance notice.

Did you know? Phishing attacks often succeed by creating a sense of panic, prompting users to act without thinking.

The campaign began on or around Monday, Martin Luther King Jr. Day, when many U.S. businesses were closed, potentially reducing the speed of security responses. LastPass confirmed the email is not a legitimate request and is part of a social engineering attack. “This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks,” a spokesperson for LastPass said in a statement.

LastPass emphasized that it would never ask customers for their master passwords or demand immediate action. The security alert released by the company includes images of the fraudulent backup request, along with details of the malicious URLs, header details, IP addresses, and the deceptive subject lines used in the campaign.

Holiday Weekends: Prime Time for Phishing

Targeting users during holiday weekends is a common tactic for cybercriminals. Reduced staffing levels frequently mean slower response times for security teams, giving attackers a window of opportunity. This latest attempt highlights the ongoing need for vigilance, even among users of established security tools.

Pro tip: Always verify the sender’s authenticity before clicking links or downloading attachments, even if the email appears to be from a trusted source.
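The tip above can be turned into a repeatable check. The script below is an added example, not part of the LastPass alert or the company's own tooling: it applies a few sender-verification and lure-language checks to a constructed email that mimics the described "back up your vault within 24 hours" message. Every domain, address and header value in it is made up for illustration, and `TRUSTED_SENDER_DOMAINS` is a placeholder allowlist to be replaced with the vendor's actual sending domains.

```python
"""Triage checks for a suspicious 'urgent maintenance' email.

Added example: applies the article's advice (verify the sender before acting)
to constructed sample messages. All domains, addresses and header values are
made up; none come from the LastPass alert.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Phrases typical of false-urgency lures; extend as needed.
URGENCY_PATTERNS = [
    r"within\s+24\s+hours",
    r"immediately",
    r"back\s*up\s+your\s+vault",
    r"scheduled\s+maintenance",
]

# Placeholder allowlist: replace with the vendor's real sending domains.
TRUSTED_SENDER_DOMAINS = {"vendor.example"}


def _domain(addr: str) -> str:
    """Return the lowercase domain of an RFC 5322 address, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def _auth_results(msg) -> dict:
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage_message(raw: str) -> list[str]:
    """Return human-readable findings explaining why a message looks like a lure."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = _domain(msg.get("From", ""))
    if from_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain {from_domain!r} is not a known vendor domain")

    # Reply-To / Return-Path pointing at a different domain is a classic lure signal.
    for hdr in ("Reply-To", "Return-Path"):
        d = _domain(msg.get(hdr, ""))
        if d and d != from_domain:
            findings.append(f"{hdr} domain {d!r} differs from From domain {from_domain!r}")

    # Sender authentication results as recorded by the receiving MTA.
    auth = _auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")

    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")

    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.I)]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Links whose host is outside the vendor's domains.
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_SENDER_DOMAINS):
            findings.append(f"link to non-vendor host {host!r}")
    return findings


# Constructed lure resembling the campaign described in the article.
SAMPLE_LURE = """\
Return-Path: <bounce@mail-notify.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-notify.example; dkim=none
From: "Vendor Support" <support@vendor-maintenance.example>
Reply-To: <help@mail-notify.example>
To: user@example.org
Subject: Action required: scheduled maintenance - back up your vault within 24 hours
Content-Type: text/plain; charset="utf-8"

Due to scheduled maintenance your vault may be unavailable. Back up your vault
immediately at https://vendor-maintenance.example/backup to avoid data loss.
"""

# Constructed benign message from the allowlisted domain with passing authentication.
SAMPLE_LEGIT = """\
Return-Path: <noreply@vendor.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass
From: "Vendor" <noreply@vendor.example>
To: user@example.org
Subject: Your monthly security report
Content-Type: text/plain; charset="utf-8"

Your report is ready at https://vendor.example/reports.
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, triage_message(sample) or ["no findings"])
```

None of these checks is conclusive on its own: a lure can pass SPF and DKIM for a look-alike domain it controls, and a legitimate notice can contain the word "immediately". The point is that sender verification (authentication results plus domain consistency) and lure language are checked together, and that the allowlist, not the display name, decides whether a sender is trusted.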

LastPass, a widely used password manager, provides a secure environment for both individual and corporate customers to protect their passwords. The company previously overhauled its internal security practices after a 2022 breach in which threat actors targeted the company’s source code. As part of that overhaul, the parent company brought in a new chief information security officer.

While LastPass has not disclosed the number of customers impacted by this specific phishing campaign, nor identified the attackers, a spokesperson confirmed that multiple email addresses were being used to target users. The company is working with third-party partners to take down the malicious domain as quickly as possible.


The phishing campaign, which began around January 15, 2024, aimed to exploit LastPass users by falsely claiming urgent maintenance requiring immediate vault backups. The attackers leveraged the holiday weekend to their advantage, anticipating slower security responses. LastPass responded by issuing a security alert, providing details of the fraudulent emails, and collaborating with partners to dismantle the malicious infrastructure. As of Tuesday, January 23, 2024, the company continues to work to mitigate the threat and has not yet determined the full scope of the impact.

  • LastPass is warning users about a phishing campaign falsely claiming a maintenance requirement.
  • The attack leverages a sense of urgency, asking users to back up their vaults immediately.
  • LastPass will never request a master password or demand immediate action.
