by Tim Leogrande, BSIT, MSCP, Ed.S.

24 JAN 2026 • 2 MIN READ


Users of the password management application LastPass are being targeted by a sophisticated phishing campaign via emails that began hitting subscriber inboxes on January 19th, during the Martin Luther King Jr. holiday weekend. The timing is typical: cybercriminals often launch campaigns during holidays, when IT and security teams are most likely to be short-staffed and slower to respond.

The messages are sent from addresses that appear legitimate, like [email protected], and urge users to click an embedded link to back up their data. Clicking the link loads a web page where users are prompted to enter their LastPass login credentials. Because the master password is the key to the vault, a victim who submits it on that page hands the attackers everything needed to open their entire password vault.

Some of the email subject lines used so far include:

Subscribers should be vigilant about emails that claim to be from LastPass and look out for phishing lures like “Your account will be locked/suspended in 24 hours.” Users should also keep in mind that LastPass will never request their master password outside of the login screen of the app itself, and should forward any suspicious emails to [email protected]. Checking that the link in the message actually goes to the LastPass domain before clicking, rather than trusting the sender name, is the single most useful habit here.
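As an added example (not code from the article or from LastPass), the following Python script applies the indicators described above to a raw email: it checks whether the From and Reply-To domains match the vendor's real domain, whether every link in the body points to that domain, and whether the subject or body contains urgency lures such as “locked” or “24 hours”. The two sample messages are constructed for this example; the domains `lastpass-support.example` and `mail-collect.example` are hypothetical (the reserved `.example` TLD), and the script assumes `lastpass.com` is the only domain a genuine LastPass message should reference.

```python
"""Triage a suspected 'LastPass' phishing email (added example, not LastPass code)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the vendor's only legitimate domain. Adjust for other vendors.
LEGIT_DOMAINS = {"lastpass.com"}

# Urgency phrases typical of credential-harvesting lures.
URGENCY_PHRASES = ("locked", "suspended", "24 hours", "immediately", "verify your account")


class _LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Naive registrable domain (last two labels). Fine for .com and .example;
    a production tool should use a public-suffix list for co.uk-style TLDs."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def header_domain(addr_header):
    """Domain of the addr-spec in a From/Reply-To header, ignoring the display name."""
    _, addr = parseaddr(addr_header or "")
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def triage(raw_bytes):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_dom = header_domain(msg["From"])
    if from_dom not in LEGIT_DOMAINS:
        findings.append(f"sender domain {from_dom!r} is not in {sorted(LEGIT_DOMAINS)}")

    reply_dom = header_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    extractor = _LinkExtractor()
    extractor.feed(text)
    for href in extractor.hrefs:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in LEGIT_DOMAINS:
            findings.append(f"link points off-domain: {href}")

    lowered = (msg["Subject"] or "").lower() + " " + text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency lure(s): " + ", ".join(hits))
    return findings


# Constructed sample: lookalike sender, off-domain Reply-To and link, urgency lure.
PHISH_EML = b"""From: LastPass <noreply@lastpass-support.example>
Reply-To: support@mail-collect.example
Subject: Action required: back up your vault
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your LastPass account will be locked in 24 hours unless you back up your vault.</p>
<p><a href="https://vault-backup.example/login">Back up now</a></p>
</body></html>
"""

# Constructed control sample: genuine domain everywhere, no urgency language.
LEGIT_EML = b"""From: LastPass <noreply@lastpass.com>
Subject: Your monthly LastPass security summary
Content-Type: text/html; charset=utf-8

<html><body>
<p>Here is your monthly security summary.</p>
<p><a href="https://www.lastpass.com/">Open LastPass</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, triage(sample) or ["no indicators"])
```

The From header is trivially forgeable, so this is a triage aid for a human reading the message, not a substitute for SPF, DKIM and DMARC enforcement at the mail gateway; an attacker who registers a lookalike domain can pass all three, which is exactly why the link-target check matters most.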

LastPass offers multi-factor authentication features like compatibility with hardware keys and authenticator apps, biometric verification, and contextual (e.g., location-based) authentication for customers who wish to further secure their password vaults. These tools can be an essential part of preventing threat actors from exploiting a user’s stolen login credentials. They are not all equal against this kind of attack, though: a one-time code typed into a lookalike page can be relayed to the real site by the attacker in real time, whereas a FIDO2/WebAuthn hardware key only signs challenges for the genuine site’s origin and so cannot be phished by a cloned login page.

A LastPass vault, which lists some of the websites and applications for which a username and password are stored. (©2026 LastPass)

LastPass launched in 2008 and leaned hard into the browser extension plus cloud sync model, which made it feel effortless compared to older “local vault” tools. This helped it become the most popular standalone password manager.

<aside> 💡

During the past few years, threat actors have enjoyed an advantage when creating convincing phishing emails due to large language models (LLMs). With LLM-powered text and code editors, cybercriminals can generate grammatically flawless phishing emails and polished HTML login pages, which removes the spelling and layout mistakes users were once taught to look for.

</aside>

According to LastPass, there is currently no indication that any accounts have been compromised, even though the company is unsure how many of its over 30 million subscribers have been targeted during this campaign.

Even so, using a password manager is widely regarded as a best practice by information security professionals. When correctly used and maintained, these applications relieve the burden of memorizing passwords, discourage the reuse of weak passwords that are easily cracked, and eliminate the need to store passwords using insecure methods like note-taking apps or physical Post-it notes.