When LastPass's Threat Intelligence, Mitigation, and Escalation (TIME) team published a security advisory in the first days of March 2026, warning customers of another active phishing campaign, it was at least the fourth such warning since October 2025. For many security professionals watching this story develop, the pattern is no longer surprising. It is, however, alarming in ways that most mainstream coverage has not fully captured.
The LastPass situation is not just a company having a bad year. It is a case study in inherited trust abuse, cascading breach consequences, and the structural vulnerability of concentrating all of a user's secrets behind a single credential. Understanding it fully requires going back further than the latest phishing email. It requires understanding what was stolen in 2022, what attackers have been doing with it ever since, and how the current wave of social engineering attacks represents a logical, patient, and well-resourced continuation of that original compromise.
The Breach That Keeps Giving: A 2022 Recap
To understand why LastPass users are being targeted so aggressively right now, you first need to understand what happened in 2022 and why its consequences are still unfolding more than three years later.
The attack unfolded in two distinct phases. In August 2022, a threat actor compromised a LastPass software developer's corporate laptop and used that access to reach a cloud-based development environment. From there, they exfiltrated 14 of approximately 200 source code repositories along with internal technical documentation and embedded credentials. LastPass declared the incident contained in September 2022. It was not.
Using information gathered in that first intrusion, the same threat actor then compromised a senior DevOps engineer's personal home computer. The entry point was a vulnerability in a third-party media software package the engineer was running on the same machine. Once inside, the attacker deployed a keylogger and waited. It captured the engineer's master password as it was typed, after the engineer had already completed multifactor authentication, which gave the attacker the engineer's corporate vault and, through credentials stored there, access to LastPass's shared cloud backup storage. The data accessed in that second phase included system configuration data, API secrets, third-party integration secrets, and both encrypted and unencrypted customer data, including backups of customer vault data.
"This is about as bad as it gets." — Chester Wisniewski, Field CTO of Applied Research, Sophos, December 2022
What made the vault data theft particularly dangerous is a detail that was initially glossed over in coverage. While the vault contents themselves — usernames, passwords, secure notes — were encrypted, the metadata stored alongside them was not. Website URLs associated with stored credentials were exposed in plaintext. An attacker who later cracked a user's master password would not be entering blind. They would already know exactly which sites and services that user had credentials for, enabling precise, targeted follow-on attacks.
The breach prompted a class-action lawsuit that received preliminary court approval for a $24.45 million settlement on February 2, 2026, with $16.25 million set aside specifically for documented cryptocurrency-related losses and $8.2 million for general class member claims. That settlement figure tells only part of the story.

According to reporting by security journalist Brian Krebs and subsequent confirmation from federal investigators, attackers have been systematically cracking weak master passwords from the stolen vault data and using the recovered credentials to drain cryptocurrency wallets. The largest single case is the $150 million theft from Ripple co-founder Chris Larsen: 283 million XRP, first publicly confirmed by Larsen on January 31, 2024. A forfeiture complaint filed by U.S. prosecutors in northern California on March 6, 2025, and publicly disclosed the following day, stated that law enforcement "believe the cryptocurrency stolen from Victim 1 was committed by the same attackers who conducted the attack on the online password manager." The complaint does not name LastPass, but the incident it describes matches LastPass's disclosed 2022 breach timeline precisely.

Separately, TRM Labs traced over $35 million in theft from 2024 through September 2025: $28 million laundered through Wasabi Wallet in late 2024 and early 2025, and a further $7 million linked to a September 2025 wave, with funds off-ramped through Russian-linked exchanges including OFAC-sanctioned Cryptex and Audi6. ZachXBT separately documented $12.38 million stolen in a two-day window on December 16–17, 2024. By mid-2025, the Security Alliance (SEAL), a cybersecurity research group focused on the crypto market, estimated total losses attributable to the LastPass breach at over $438 million, a figure researchers emphasize covers only documented and traceable losses, with the true total likely significantly higher.
The UK Information Commissioner's Office issued a monetary penalty of £1,228,283 against LastPass UK Ltd on November 20, 2025 under the Data Protection Act 2018, finding that the company failed to implement expected technical and organizational measures for a period covering December 31, 2021 through December 31, 2024 — affecting over 1.6 million UK data subjects. The ICO's action reinforced findings that had been building since 2022 regarding the adequacy of LastPass's security practices prior to the breach.
The attackers behind the vault cracking have not stopped. They continue working through the stolen data methodically, prioritizing vaults where users stored cryptocurrency seed phrases in the Secure Notes feature. Every vault cracked is a potential jackpot. That persistent financial motivation is directly connected to the phishing campaigns happening today.
The Attack Chain: Four Campaigns, One Goal
The phishing campaigns targeting LastPass users since late 2025 share a common objective that is different from what many users assume. The goal is not necessarily to compromise a LastPass account in the traditional sense. The goal is to obtain the master password — the one key that unlocks the stolen vault data sitting in the attacker's possession since 2022.
That framing changes the threat model entirely. Users who think they are safe because they have changed their LastPass password since 2022 may still be vulnerable if their vault backup was captured before the change. Users who have moved to a different password manager may not realize their old vault data is still sitting somewhere, potentially being worked on. And users who continue to use LastPass with a weak or reused master password are facing a two-front attack: offline cracking of the vault they may not know was stolen, and live phishing campaigns fishing for their current credentials.
October 2025: Two Waves in the Same Month
The sustained campaign against LastPass users actually began with two distinct waves in October 2025, not one — a detail that most coverage has collapsed into a single event.
The first wave, identified on October 13, 2025, used a particularly cruel form of manipulation. Emails sent from addresses like hello@lastpasspulse[.]blog and hello@lastpassgazette[.]blog warned users that LastPass had been hacked and instructed them to download a new desktop application immediately to secure their vault. The subject lines read: "We Have Been Hacked — Update Your LastPass Desktop App to Maintain Vault Security."
No breach had occurred. The emails directed users to domains including lastpassdesktop[.]com and lastpassgazette[.]blog, both hosted on bulletproof infrastructure provided by NICENIC, a provider with a documented history of facilitating cybercriminal operations. Phishing pages at those domains mimicked authentic LastPass branding and prompted users to enter credentials under the guise of a security update. The threat actor also registered lastpassdesktop[.]app, which LastPass assessed was likely reserved for future waves of the same campaign. The timing, a U.S. holiday weekend, appears deliberate: attackers frequently launch campaigns during periods of reduced staffing, gambling on slower detection and response from security teams.
The second October wave, identified in mid-October 2025 and later attributed by Google Threat Intelligence to the cybercriminal group CryptoChameleon (also known as UNC5356), took a darker angle. Emails spoofed to appear from alerts@lastpass[.]com with the subject line "Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)" claimed that a family member had submitted a death certificate to gain access to the recipient's vault as a legacy user. The emails included fabricated case numbers, agent IDs, and case priority designations — all false. Recipients who clicked the "cancel" link were directed to lastpassrecovery[.]com, a credential harvesting page requesting their master password.
What made this campaign notable beyond its disturbing pretext: attackers also called recipients directly by phone, claiming to be LastPass representatives and urging them to visit the phishing site. Importantly, the campaign's targeting extended beyond master passwords. Its infrastructure included domains such as mypasskey[.]info and passkeysetup[.]com, built around passkey (FIDO2/WebAuthn) authentication. One caveat practitioners should keep in mind: a phishing page cannot extract a passkey's private key, and a WebAuthn assertion is bound to the origin that requested it, so a lookalike domain cannot turn an existing passkey into a login for lastpass.com. What such pages can realistically capture is the fallback material around a passkey, such as recovery or backup codes, or the password and one-time code of an account that still permits password login. That is still a significant and underreported detail: it signals that cybercriminals are actively adapting their toolkits to the passwordless authentication flows that password managers are increasingly adopting. CryptoChameleon is associated with targeting cryptocurrency exchanges and users, and had previously incorporated LastPass into a phishing kit in April 2024. LastPass confirmed the phishing infrastructure for this campaign also used NICENIC as bulletproof hosting and noted behavioral consistency with prior CryptoChameleon operations.
"Please remember that no one at LastPass will ever ask for your master password. If you receive a suspicious phone call claiming to be from LastPass, simply hang up." — LastPass TIME Team advisory, October 2025
January 2026: The Fake Maintenance Scare (Third Campaign)
The third campaign launched on or around January 19, 2026 (again a holiday weekend, this time Martin Luther King Jr. Day in the United States). This iteration shifted the pretext from a fake breach alert to a fake maintenance window.
Phishing emails arrived with subject lines that included "LastPass Infrastructure Update: Secure Your Vault Now," "Your Data, Your Protection: Create a Backup Before Maintenance," and "Protect Your Passwords: Backup Your Vault (24-Hour Window)." The emails created a 24-hour countdown, pressuring recipients to click a "Create Backup Now" button before a fictional deadline. The link redirected through an Amazon S3 hosted URL before landing on the domain mail-lastpass[.]com, a convincing lookalike designed to harvest master passwords.
"This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks. LastPass will never ask for your master password or demand immediate action under a tight deadline." — LastPass TIME Team statement to The Hacker News, January 2026
When LastPass and its partners began taking down the initial phishing infrastructure, the attackers adapted quickly. A second wave launched days later with the same email body but updated URLs, which points to a coordinated, resourced operation rather than opportunistic activity. Separately, some recipients also received follow-up phone calls from callers claiming to be LastPass representatives, a vishing component designed to increase pressure on targets who had not yet clicked the email link.
March 2026: The Fake Email Chain (Fourth Campaign)
The fourth campaign, which began on or around March 1, 2026 — with the TIME team publishing its advisory on March 3, 2026 — represents the most technically sophisticated iteration yet. Rather than a simple spoofed notification, attackers constructed entire fake email chains designed to appear as forwarded internal correspondence.
The emails present as forwarded threads between a LastPass support agent and another party, discussing supposed unauthorized actions taken on the recipient's account — exporting vault contents, initiating full account recovery, or registering a new trusted device. The implication is that someone is actively trying to take over the account right now. The call to action comes embedded in these threads: links labeled "report suspicious activity," "disconnect and lock vault," or "revoke device."
All roads lead to the same destination: a fake Single Sign-On (SSO) login page hosted primarily at verify-lastpass[.]com. Attackers generated many variants of this domain by appending different trailing numbers, producing a large pool of URLs that all resolve to the same credential harvesting page. The phishing pages were served from IP addresses including 172.67.200[.]82, 104.21.21[.]204, and 52.102.103[.]4. Two of those (172.67.200[.]82 and 104.21.21[.]204) sit in Cloudflare's proxy ranges, so they identify the CDN edge in front of the page rather than the attacker's origin server and are weak pivots for blocking or attribution; the domains are the better indicators. The actual sending addresses, which users would see only by expanding the sender field, originated from compromised domains entirely unrelated to LastPass, including hancochem[.]at, salud5i[.]cl, remstal-praxis[.]de, and kreducationsa[.]com. Subject lines observed in this campaign include "Re: the details," "Re: pending approval," "Re: Access request pending," "Re: FYI," "RE: sign-in — TRZ-2302300," "Fwd: Re: your request," and "Re: credential download."
LastPass has confirmed its infrastructure has not been compromised by any of these campaigns; they are social engineering operations against users, not intrusions into the company's systems. LastPass also stated there is no indication that any accounts were compromised as a result. That statement has an inherent limit: a master password typed into an attacker's page produces no signal on LastPass's servers until the attacker uses it, and a login from a new device with the correct credentials can look like the legitimate user, so absence of evidence here is weaker than it sounds.
The Technique Powering All Four: Display Name Spoofing
Running through all four campaigns is a single technical enabler that is worth understanding in depth, because it is not exclusive to LastPass attacks. Display name spoofing is one of the simplest and most effective phishing techniques in active use today, and it works because of a fundamental tension in how email clients present information.
Every email has two components relevant here: the display name (the human-readable name shown in your inbox) and the actual sending address (the addr-spec used for delivery). Nothing in the mail standards requires them to match: SMTP (RFC 5321) routes a message on its envelope and never looks at the display name, and the message format (RFC 5322) treats the display name as free text the sender fills in. Anyone can therefore set a display name of "LastPass Support" while sending from an address like noreply@randomcompromisedsite[.]net. This is distinct from forging the address itself (sending as alerts@lastpass.com from infrastructure LastPass does not control), which SPF, DKIM and DMARC exist to catch; display-name spoofing forges nothing those checks verify.
On a desktop email client, an observant user who hovers over or clicks on the sender name will typically see the full address. On a mobile client, where screen space is constrained and interfaces prioritize readability over detail, the default view in many apps shows only the display name. The full address is hidden behind an additional tap that most users never make.
"The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it." — LastPass TIME Team advisory, March 2026
This technique is particularly effective because it clears the checks that traditional spam and phishing filters apply. The sending domain genuinely belongs to the sender (or to a compromised third party), so SPF, DKIM and DMARC pass. Filters that look for blocklisted domains, suspicious links and header anomalies may find nothing either: the address is technically valid, the domain may not appear on any blocklist, and the content may be well-written, particularly as generative AI tools increasingly help attackers produce grammatically correct, contextually appropriate phishing text. What survives as a signal is the mismatch between the brand in the display name and the domain in the address, together with any lookalike domain in the links; those are the fields a filter or a user has to inspect explicitly.
In the LastPass March 2026 campaign specifically, attackers took additional steps to increase credibility. Sender addresses were drawn from compromised websites and abandoned domains to further obscure the trail. The fake email threads included realistic timestamps and conversational formatting designed to look like authentic support exchanges. The subject lines mimicked internal routing codes rather than aggressive marketing language, avoiding the hallmarks that users have been trained to recognize.
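As an added example (not code from LastPass or its advisories), here is a small Python checker that inspects exactly those fields on a raw message: it parses the From header, flags a brand name in the display name paired with a foreign domain, flags a display name that is itself an address (a variant of the same trick, generalized beyond what this page describes), flags sending domains and link hosts that merely contain the brand string, and treats everything else as clean. BRAND and LEGIT_DOMAINS are assumptions, and the four sample messages are constructed with reserved .example hostnames; they are not real campaign emails.

```python
"""Flag display-name spoofing and brand-lookalike senders/links in raw emails.

Added example (not LastPass's or any vendor's code). BRAND and LEGIT_DOMAINS
are assumptions for illustration; the sample messages below are constructed.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "lastpass"                 # brand string attackers borrow
LEGIT_DOMAINS = {"lastpass.com"}   # assumption: the brand's real sending/web domains
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def _norm(s: str) -> str:
    # collapse separators so "last-pass" / "last_pass" / "last.pass" still match
    return s.lower().replace("-", "").replace("_", "").replace(".", "")


def _is_legit(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def _body_text(msg) -> str:
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message: str) -> list[str]:
    """Return finding tags for one RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Brand in the display name, but the address belongs to someone else.
    if BRAND in _norm(name) and not _is_legit(domain):
        findings.append("display-name-spoof")
    # 2. Display name that itself looks like an address: "alerts@brand.com" <real@other>.
    if "@" in name:
        findings.append("address-in-display-name")
    # 3. Sending domain that merely contains the brand string (lastpasspulse.*, mail-lastpass.*).
    if domain and BRAND in _norm(domain) and not _is_legit(domain):
        findings.append("lookalike-sender-domain")
    # 4. Links whose host borrows the brand but is not an approved domain.
    for url in URL_RE.findall(_body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host and BRAND in _norm(host) and not _is_legit(host):
            findings.append("lookalike-link:" + host)
    return findings


# Constructed samples (not real campaign messages); hosts use reserved .example TLDs.
SAMPLES = {
    "fake_thread": (
        'From: "LastPass Support" <office@hancochem.example>\n'
        "Subject: Re: pending approval\n"
        "Content-Type: text/plain; charset=utf-8\n\n"
        "Fwd: a vault export was requested on your account. Revoke the device here:\n"
        "https://verify-lastpass.example/sso?case=17\n"
    ),
    "fake_update": (
        "From: hello@lastpasspulse.example\n"
        "Subject: We Have Been Hacked\n\n"
        "Download the new desktop app: https://lastpassdesktop.example/update\n"
    ),
    "address_as_name": (
        'From: "alerts@lastpass.com" <bounce@mailer.example>\n'
        "Subject: Legacy Request Opened\n\n"
        "Cancel here: https://lastpassrecovery.example/cancel\n"
    ),
    "genuine": (
        "From: LastPass <noreply@lastpass.com>\n"
        "Subject: Your monthly summary\n\n"
        "Sign in at https://lastpass.com/ to review.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} {analyze(raw) or 'clean'}")
```

Run as a script it prints one line per sample. The rules deliberately key on the relationship between fields rather than on a blocklist, which is why the first three samples light up while the genuine message, whose display name and address agree, does not; in a mail gateway the same logic would consume the decoded From header and the extracted URLs that the gateway already has.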
# Indicators of Compromise — All Four Campaigns (Oct 2025–Mar 2026)
# Sources: LastPass TIME Team advisories; Google Threat Intelligence; BleepingComputer; CyberInsider
MARCH 2026 CAMPAIGN (4th wave):
PRIMARY PHISHING DOMAIN: verify-lastpass[.]com (+ numbered variants)
PHISHING PAGE IPs: 172.67.200[.]82 / 104.21.21[.]204 / 52.102.103[.]4
REDIRECT INFRASTRUCTURE: SendGrid tracking domains; redlakegold[.]ca;
bedfordmetals[.]com; atomicminerals[.]ca; 79resources[.]com
SENDING ADDRESSES (partial list): office@hancochem[.]at /
support@yodhafinance[.]com / info@itpbusa[.]com /
salud5i[.]cl / remstal-praxis[.]de / kreducationsa[.]com
SPOOFED DISPLAY NAME: "LastPass Support"
SUBJECT LINES: "Re: the details" / "Re: pending approval" /
"Re: Access request pending" / "Re: FYI" /
"RE: sign-in — TRZ-2302300" / "Fwd: Re: your request" /
"Re: credential download"
JANUARY 2026 CAMPAIGN (3rd wave):
PRIMARY DOMAIN: mail-lastpass[.]com
REDIRECT HOP: group-content-gen2.s3.eu-west-3.amazonaws[.]com
SUBJECT LINES: "LastPass Infrastructure Update: Secure Your Vault Now" /
"Your Data, Your Protection: Create a Backup Before Maintenance" /
"Protect Your Passwords: Backup Your Vault (24-Hour Window)"
NOTE: Follow-up phone calls (vishing) to recipients also reported
OCTOBER 2025 — CRYPTOCHAMELEON CAMPAIGN (2nd wave):
PRIMARY DOMAIN: lastpassrecovery[.]com
THREAT ACTOR: CryptoChameleon / UNC5356 (Google Threat Intelligence)
SPOOFED SENDER: alerts@lastpass[.]com
SUBJECT: "Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)"
PASSKEY HARVESTING DOMAINS: mypasskey[.]info / passkeysetup[.]com
CRYPTO EXCHANGE TARGETS: Coinbase / Binance / Gemini / Kraken / Uphold
ASSOCIATED INFRASTRUCTURE: NICENIC bulletproof hosting
NOTE: Vishing (phone call) component confirmed; passkey (FIDO2/WebAuthn) credential theft attempted
OCTOBER 2025 — FAKE UPDATE CAMPAIGN (1st wave):
DOMAINS: lastpassdesktop[.]com / lastpassgazette[.]blog /
lastpassdesktop[.]app (registered for future use)
SENDING ADDRESSES: hello@lastpasspulse[.]blog /
hello@lastpassgazette[.]blog
HOSTING IPs: 172.67.147[.]36 / 172.67.219[.]2 / 84.32.84[.]32
BULLETPROOF HOST: NICENIC
REPORTING CONTACT:
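To turn the list above into something a SOC can actually run, here is an added Python example (not from LastPass's advisories or any vendor tool) that refangs the domain and IP indicators above, builds host-match patterns including one that covers the numbered verify-lastpass variants, and scans key=value proxy log lines for hits, tagging Cloudflare-range IP matches as low fidelity because those addresses are shared CDN edges. The log lines are constructed for the demonstration and the verify-lastpass7.com host in them is an invented variant; the indicator strings are copied from the list above.

```python
"""Scan proxy/DNS logs for the LastPass campaign indicators listed above.

Added example, not LastPass's or any vendor's code. Indicator strings are the
defanged values from the list above; SAMPLE_LOG is constructed for the demo.
"""
import re

DEFANGED_DOMAINS = [
    "verify-lastpass[.]com",                             # Mar 2026, plus numbered variants
    "mail-lastpass[.]com",                               # Jan 2026
    "group-content-gen2.s3.eu-west-3.amazonaws[.]com",   # Jan 2026 redirect hop
    "lastpassrecovery[.]com", "mypasskey[.]info", "passkeysetup[.]com",  # Oct 2025, 2nd wave
    "lastpassdesktop[.]com", "lastpassgazette[.]blog", "lastpassdesktop[.]app",
    "lastpasspulse[.]blog",                              # Oct 2025, 1st wave
]
DEFANGED_IPS = [
    "172.67.200[.]82", "104.21.21[.]204", "52.102.103[.]4",   # Mar 2026
    "172.67.147[.]36", "172.67.219[.]2", "84.32.84[.]32",     # Oct 2025, 1st wave
]
# 172.67.0.0/16 and 104.21.0.0/16 are Cloudflare proxy ranges: a hit there means
# "something behind Cloudflare", not the attacker's origin, so rate it low fidelity.
LOW_FIDELITY_PREFIXES = ("172.67.", "104.21.")
LOG_RE = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_patterns():
    """Host-match regexes: the exact domain or any subdomain of it."""
    patterns = []
    for defanged in DEFANGED_DOMAINS:
        domain = refang(defanged)
        if domain == "verify-lastpass.com":
            # the March 2026 actors appended trailing digits to the primary domain
            patterns.append(re.compile(r"(^|\.)verify-lastpass\d*\.com$", re.I))
        else:
            patterns.append(re.compile(r"(^|\.)" + re.escape(domain) + r"$", re.I))
    return patterns


def parse_line(line: str) -> dict:
    return dict(LOG_RE.findall(line))


def match_line(line: str, patterns, ips) -> list:
    """Return (kind, value, fidelity) hits for one key=value log line."""
    fields = parse_line(line)
    host = fields.get("host", "").lower().rstrip(".")
    dst = fields.get("dst", "")
    hits = []
    for pattern in patterns:
        if host and pattern.search(host):
            hits.append(("domain", host, "high"))
            break
    if dst in ips:
        fidelity = "low" if dst.startswith(LOW_FIDELITY_PREFIXES) else "medium"
        hits.append(("ip", dst, fidelity))
    return hits


def hunt(lines):
    """Return [(line_index, hits)] for every line with at least one indicator match."""
    patterns = build_patterns()
    ips = {refang(ip) for ip in DEFANGED_IPS}
    results = []
    for index, line in enumerate(lines):
        hits = match_line(line, patterns, ips)
        if hits:
            results.append((index, hits))
    return results


# Constructed proxy log lines; verify-lastpass7.com is an invented numbered variant.
SAMPLE_LOG = [
    "2026-03-02T09:14:07Z src=10.1.4.22 host=verify-lastpass7.com dst=172.67.200.82 url=/sso",
    "2026-03-02T09:15:31Z src=10.1.4.22 host=intranet.corp.example dst=10.0.0.8 url=/",
    "2026-01-20T18:02:44Z src=10.1.7.9 host=group-content-gen2.s3.eu-west-3.amazonaws.com dst=198.51.100.10 url=/backup.html",
    "2026-03-03T11:40:12Z src=10.1.2.5 host=blog.example dst=104.21.21.204 url=/post",
    "2025-10-14T02:11:09Z src=10.1.9.3 host=www.lastpassdesktop.com dst=84.32.84.32 url=/download",
]

if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_LOG):
        print(index, SAMPLE_LOG[index].split()[0], hits)
```

Two design choices matter here. The compromised sending domains from the March wave (hancochem[.]at and the rest) are deliberately left out of the block list: they are legitimate third-party domains that were abused, and blocking them at the proxy would cut off genuine traffic, so they belong in mail telemetry searches instead. And the fourth sample line shows why the IP fidelity tag exists: an unrelated blog behind Cloudflare happens to share 104.21.21.204, and without the tag it would page an analyst as if it were the phishing page.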
Why This Works: The Psychology of Inherited Trust
Beyond the technical mechanics, these campaigns succeed because of something researchers call inherited trust — the phenomenon where a well-known brand's credibility is borrowed by attackers to make fraudulent communications appear legitimate. LastPass has tens of millions of users. It manages credentials for some of those users' most sensitive accounts: banking, healthcare, work systems, cryptocurrency exchanges. When an email arrives appearing to be from LastPass with urgent security language, the instinct to act quickly is hard to suppress even for security-aware users.
The fake email chain technique in the March 2026 campaign is a particularly sharp implementation of this psychology. Rather than a cold notification, the user is presented with what appears to be an ongoing situation — evidence that someone has already tried to access their account, and that LastPass support is already involved. The user is not being asked to initiate something. They are being prompted to respond to something that is already happening. This removes the moment of hesitation that a cold phishing email might trigger. The user feels they are reacting rather than acting, which lowers the psychological friction of clicking the link.
The choice of specific action labels matters too. "Revoke device," "disconnect and lock vault," and "report suspicious activity" are all defensive actions. Users are not being asked to hand over their master password directly. They are being asked to protect themselves. The credential harvesting page is the second step, presented only after the user has already made the decision to engage.
LastPass will never ask for your master password by email, phone, or any unsolicited channel. No legitimate security action from LastPass will ever require you to enter your master password via a link in an email. If you receive an urgent email from "LastPass" asking you to act immediately, navigate directly to lastpass.com or open your LastPass application. Do not use any link in the email.
The Bigger Picture: What This Means for Password Manager Security
The ongoing targeting of LastPass users is not an argument against using password managers. It is an argument for using them with clear eyes about their security model and their limitations.
Password managers concentrate risk. That is an inherent property of any system that aggregates secrets. The value proposition — stronger, unique passwords for every site, remembered for you — is genuine and the security benefit relative to password reuse is substantial. But concentration of risk means that the single point of failure, the master password, must be treated with exceptional care. It must be long, unique, and never shared. It must never be entered anywhere except directly into the password manager's own official interface.
One technical detail that almost all mainstream coverage omits is why "zero knowledge" encryption did not protect users with weak master passwords. LastPass derives the vault encryption key from the master password with PBKDF2-SHA256. At the time of the breach the default iteration count for many accounts was 100,100, meaning the HMAC is computed 100,100 times per guess to slow brute force. That sounds substantial, but it has to be read against GPU throughput: modern GPUs compute raw SHA-256 at billions of hashes per second, and PBKDF2 divides that budget by the iteration count, so a single high-end card still manages on the order of tens of thousands of master-password guesses per second at 100,100 iterations, and roughly twenty times that at 5,000. Against a long random passphrase that rate is harmless, because the keyspace is astronomically large. Against an eight-character password built from a dictionary word and a substitution pattern, the candidate list is small enough to exhaust in minutes to hours. The weak point is not the cipher (256-bit AES is not being broken) but the entropy of the master password. Legacy accounts that LastPass had left at as few as 5,000 iterations are the most exposed, and researchers have noted such vaults could be cracked in hours with widely available GPU hardware. This is why the stolen vaults remain a live threat years later: attackers work methodically through the lowest-entropy vaults first, and as GPU throughput rises, the threshold for what counts as a "strong enough" master password rises with it. Changing the master password today does not help with this; the copy the attacker holds was encrypted under the old one.
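To make the arithmetic concrete, here is an added Python example (not LastPass code) that derives a vault key with PBKDF2-HMAC-SHA256 in the shape LastPass describes, with the account email as the salt (normalizing it to lowercase is this example's own choice), and then models cracking cost for several master-password types at 5,000, 100,100 and 600,000 iterations. REF_RATE is an assumed per-GPU throughput of 8 million guesses per second at 1,000 iterations, in the range public hashcat benchmarks report for PBKDF2-HMAC-SHA256 on a current high-end card; substitute your own measurement. 600,000 is included because it is OWASP's current recommendation for PBKDF2-HMAC-SHA256.

```python
"""Why iteration count and master-password entropy, not AES, decide whether a stolen
vault is crackable. Added example, not LastPass code.

Assumptions: the vault key is PBKDF2-HMAC-SHA256 over the master password with the
account email as salt (the shape LastPass describes; lowercasing the email is this
example's choice), and REF_RATE is an assumed single-GPU throughput at REF_ITERS.
"""
import hashlib
import math

REF_ITERS = 1_000
REF_RATE = 8.0e6   # assumed guesses/s for one high-end GPU at 1,000 iterations
YEAR = 365 * 24 * 3600

SCENARIOS = {
    "dictionary word + digits (~1e7 guesses)": 10_000_000,
    "8 random lowercase letters":              26 ** 8,
    "8 random printable ASCII":                95 ** 8,
    "5 random Diceware words":                 7776 ** 5,
}


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """32-byte vault key; the same password yields a different key per iteration count."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def guess_rate(iterations: int, gpus: int = 1) -> float:
    """PBKDF2 cost is linear in iterations, so throughput falls in proportion."""
    return gpus * REF_RATE * REF_ITERS / iterations


def expected_crack_seconds(keyspace: int, iterations: int, gpus: int = 1) -> float:
    """Mean time to hit a password drawn uniformly from `keyspace` candidates (half the space)."""
    return (keyspace / 2) / guess_rate(iterations, gpus)


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def human(seconds: float) -> str:
    if seconds < 3600:
        return f"{seconds:,.0f} s"
    if seconds < 86_400:
        return f"{seconds / 3600:,.1f} hours"
    if seconds < YEAR:
        return f"{seconds / 86_400:,.1f} days"
    return f"{seconds / YEAR:,.0f} years"


def cost_table(iteration_counts=(5_000, 100_100, 600_000), gpus: int = 1):
    """Rows of (scenario, iterations, entropy bits, expected seconds)."""
    return [(label, it, entropy_bits(space), expected_crack_seconds(space, it, gpus))
            for label, space in SCENARIOS.items() for it in iteration_counts]


if __name__ == "__main__":
    pw, salt = "correct horse battery staple", "user@example.com"
    k_old = derive_vault_key(pw, salt, 100_100)
    k_new = derive_vault_key(pw, salt, 600_000)
    print("raising iterations re-keys the vault:", k_old != k_new)
    for label, it, bits, secs in cost_table():
        print(f"{label:42} {it:>8,} iters  {bits:5.1f} bits  {human(secs)}")
```

Two things fall out of the table. Raising iterations buys only a linear slowdown (5,000 to 600,000 is a factor of 120), while every additional random character multiplies the keyspace, so a dictionary-derived password falls in about a minute at 100,100 iterations and in seconds at 5,000, whereas five Diceware words are out of reach at any iteration count in the table. The only master passwords that are safe against an offline copy are the ones with enough entropy that the iteration count barely matters.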
The breach prompts a second observation that is discussed less often: the security of DevOps endpoints. The intrusion that enabled vault data exfiltration did not begin with a sophisticated zero-day exploit. It began with a home computer running an unpatched version of Plex Media Server, roughly 75 releases behind the then-current version. The vulnerability exploited was CVE-2020-5741, a deserialization flaw in Plex Media Server on Windows (CVSS 7.2) that allows a remote, authenticated attacker to execute arbitrary Python code via the Camera Upload feature. One critical detail often omitted in coverage: exploiting CVE-2020-5741 requires valid Plex server administrator credentials. According to research reported by PCMag and confirmed by Plex, those credentials came from a separate third-party data breach, so the chain involved at least three compromises: a third-party breach that yielded the Plex admin credentials, exploitation of the unpatched Plex vulnerability for code execution, and the keylogger that captured the LastPass master password. Plex had patched the flaw in version 1.19.3.2764, released on May 7, 2020. The LastPass DevOps engineer never applied that patch.

The keylogger's capture of the master password was not a failure of cryptography or zero-knowledge architecture. It was a failure of endpoint hygiene, and of whatever BYOD policy permitted a high-privilege employee with access to customer vault decryption keys to run a personal media server on the machine used for work. The ICO's penalty notice specifically found that LastPass's policy of allowing senior staff to link personal and business accounts, both accessible with the same master password, was a material security failure that contributed directly to the breach. That detail deserves considerably more attention than it typically receives.
From a user perspective, the takeaways are clear. Enable multifactor authentication on your password manager account; LastPass supports authenticator apps, hardware security keys, and biometric options. Be clear about what MFA does and does not cover, though. It protects the live account. It does nothing for the vault backups stolen in 2022, which need only the master password to decrypt, and a phishing kit that relays the login in real time can prompt for the one-time code as well and use it immediately. Within those limits it still raises the cost and complexity of a live account takeover considerably, which is why it belongs on every account that holds secrets.
Check the actual sender address on any security-related email, particularly on mobile. This single habit neutralizes display name spoofing entirely. The technique only works when the recipient does not look past the display name. On iOS Mail or the Gmail app, tapping the sender name once will expand it to show the full address. That two-second check is the difference between a successful and unsuccessful phishing attempt in many cases.
If you stored cryptocurrency seed phrases or private keys in LastPass before or during 2022, treat those keys as compromised. Move assets to new wallets generated on a fresh, offline device. The timeline of crypto thefts linked to the breach, described above (the $150 million Larsen theft that the March 2025 forfeiture complaint tied to the password-manager attack, the further $35 million TRM Labs traced into September 2025 through Russian-linked exchanges, and the Security Alliance's estimate of over $438 million in documented losses as of mid-2025), is not abstract. The vaults are out there and the attackers are still working through them.
Finally, if you remain a LastPass user, the company has stated it is working with Forta Brand Protection and directly with hosting providers to execute takedowns of phishing infrastructure. Customers who receive suspicious communications should forward them to . Reporting is not just a formality — it directly feeds the takedown operation and helps protect other users faster.
Key Takeaways
- The 2022 breach has not ended: Stolen vault data is actively being cracked and monetized years after the initial compromise. The current phishing campaigns are a direct continuation of that breach, aimed at obtaining master passwords to unlock vaults that attackers already possess. A federal forfeiture complaint filed March 6, 2025 by U.S. prosecutors in northern California linked the $150 million Ripple heist of January 2024 to the LastPass breach. The Security Alliance estimated total documented losses from the breach at over $438 million as of mid-2025.
- There have been four campaigns, not three: October 2025 saw two separate waves — the fake breach alert and the CryptoChameleon "fake death" campaign. Both are distinct operations. The CryptoChameleon campaign added phone calls (vishing) as a pressure mechanism and has been formally attributed by Google Threat Intelligence to a known cybercriminal group. Critically, the CryptoChameleon campaign also targeted passkey credentials (FIDO2/WebAuthn) via dedicated harvesting domains — a largely underreported escalation that signals attackers are beginning to adapt their toolkits to steal the newer, passwordless credentials that many users believe offer stronger protection.
- Display name spoofing is the core delivery mechanism: All four campaigns rely on manipulating the sender display name while hiding the actual sending address. Expanding the sender field on any security-related email is the single most effective individual defense against this technique.
- The fake email chain tactic represents an escalation in sophistication: The March 2026 campaign moved from simple spoofed notifications to constructed multi-party email threads designed to create urgency through the appearance of ongoing, real-time events. This is a notable evolution that will likely appear in campaigns targeting other brands.
- LastPass will never ask for your master password: In any email, any phone call, any chat. Any request for your master password is fraudulent by definition, regardless of how legitimate the message appears. Navigate directly to the official application or website if you need to take account security action.
- MFA and strong master passwords remain the most impactful mitigations: A long, unique master password resists offline cracking of any stolen vault data. MFA raises the cost of live account compromise. These two controls address both the offline and online threat vectors simultaneously.
The sustained campaign against LastPass users is a reminder that breach consequences rarely end cleanly. Data stolen in 2022 is still being worked through in 2026. The phishing campaigns layered on top of that stolen data represent attackers doing exactly what they said they would do in the 2022 advisory itself: targeting customers with phishing attempts, credential stuffing, and social engineering. The warning was accurate. What wasn't anticipated by many observers was how patient and methodical the follow-on exploitation would be — four distinct campaigns across five months, attribution to a known organized cybercriminal group, phone-based vishing as a pressure supplement, dedicated passkey-harvesting infrastructure appearing in the CryptoChameleon wave, and on-chain evidence pointing to Russian criminal infrastructure still laundering stolen funds as recently as October 2025. The Security Alliance's estimate of $438 million in documented losses from the breach — a figure that almost certainly understates the true total — puts the scale of ongoing harm in terms that the $24.45 million settlement doesn't fully reflect. LastPass has consistently stated it has seen no "conclusive evidence that directly connects these crypto thefts to LastPass." Federal prosecutors, the FBI, and the U.S. Secret Service have reached a different conclusion. The question is whether enough users are taking all of that seriously three years later.
Sources & Further Reading
- LastPass TIME Team — March 2026 Phishing Campaign Advisory
- LastPass TIME Team — January 2026 Phishing Campaign Advisory
- LastPass TIME Team — October 2025: CryptoChameleon Campaign Advisory
- LastPass TIME Team — October 13, 2025 Phishing Campaign Advisory
- SecurityWeek — LastPass Warns of New Phishing Campaign (March 2026)
- The Hacker News — LastPass Warns of Fake Maintenance Messages Targeting Users' Master Passwords
- BleepingComputer — Fake LastPass Support Email Threads Try to Steal Vault Passwords
- ITPro — LastPass Issues Alert as Customers Face Second Major Phishing Campaign of 2026
- Krebs on Security — Feds Link $150M Cyberheist to 2022 LastPass Hacks
- TRM Labs — TRM Traces Stolen Crypto from 2022 LastPass Breach — On-chain Indicators Suggest Russian Cybercriminal Involvement
- The Hacker News — LastPass Hack: Engineer's Failure to Update Plex Software Led to Massive Data Breach (CVE-2020-5741)
- Halborn — Explained: The LastPass Hack (December 2024 Update)
- Wikipedia — LastPass 2022 Data Breach
- Cybersecurity Dive — LastPass Breach Timeline: How a Monthslong Cyberattack Unraveled
- Cloudflare — What Is Email Spoofing?
- Bloomberg Law — LastPass Gets Initial Nod for $24.5 Million Data Breach Deal (Feb. 2026)
- ICO (UK) — ICO Enforcement: LastPass UK Ltd, £1,228,283 Penalty Notice, 20 November 2025
- ICO (UK) — Full ICO Monetary Penalty Notice — LastPass UK Ltd (PDF)
- The Security Alliance (SEAL) — SEAL Research on LastPass Breach Cryptocurrency Losses ($438M+ estimate)
- CyberInsider — LastPass Warns About CryptoChameleon Campaign Targeting Master Passwords and Passkeys
- BleepingComputer — Cryptocurrency Theft Attacks Traced to 2022 LastPass Breach (TRM Labs Analysis)
- BleepingComputer — US Seizes $23M in Crypto Linked to LastPass Breach — Forfeiture Complaint Details