LastPass is warning customers about a new phishing campaign designed to look like an internal email chain—complete with a fake “support” agent and a supposed attacker asking to disable two-factor authentication.
The goal is simple: scare you into clicking a link and typing in your master password on a convincing-looking login page. And because a password manager is the keys to your entire digital life, the payoff for criminals can be massive.
According to LastPass, the campaign ramped up in early March 2026 and uses multiple sender addresses and shifting subject lines to dodge spam filters and user suspicion.
Table of contents
- 1 A phishing scam built like a screenplay, not a one-off “click here” email
- 2 The mobile trap: “LastPass Support” up top, the real sender hidden underneath
- 3 Fake SSO login pages—like verify-lastpass[.]com—designed to harvest credentials
- 4 LastPass says its systems weren’t breached—this is social engineering aimed at you
- 5 What to do if you get one of these emails—or if you already clicked
- 6 Key Takeaways
- 7 Frequently Asked Questions
- 8 Sources
A phishing scam built like a screenplay, not a one-off “click here” email
This isn’t the usual sloppy message telling you to “secure your account.” The scam is staged as a forwarded conversation—an email thread that appears to show LastPass support responding to an urgent request tied to your account.
In the thread, the “attacker” (often pretending to be you) asks for high-risk actions like removing 2FA, resetting access, or initiating account recovery. The fake support rep appears to comply, then drops a link that supposedly lets you “take back control.”
That sense of urgency is the hook. The message is engineered to make you think your vault is being drained right now—so you react fast instead of verifying what you’re looking at.
The mobile trap: “LastPass Support” up top, the real sender hidden underneath
LastPass says the campaign leans heavily on display-name spoofing—making the sender name read “LastPass Support” even though the underlying email address has nothing to do with the company.
On phones, that trick is especially effective. Many mail apps emphasize the display name and bury the actual address behind a tap or a details menu. If you’re scanning messages between meetings or on a commute, attackers are betting you won’t dig deeper.
The result: a message that feels official at a glance, even when the technical details don’t match.
Fake SSO login pages—like verify-lastpass[.]com—designed to harvest credentials
The link in these emails can route through redirects and land on a domain made to look legitimate—LastPass cited examples pointing to sites like verify-lastpass[.]com—hosting a cloned single sign-on (SSO) login page.
The page is meant to feel familiar: email field, password field, branding that resembles the real thing. Once you type your credentials, you’re not logging in—you’re handing them to criminals.
LastPass emphasized a key rule: the company says it will never ask you for your master password. If an email pushes you to enter it—especially through a link—treat it as a phishing attempt.
LastPass says its systems weren’t breached—this is social engineering aimed at you
In its alert, LastPass said its infrastructure remains secure and that the emails aren’t being sent from LastPass domains. In other words, this isn’t a case of hackers inside LastPass blasting official messages.
But that doesn’t make it a minor threat. Social engineering attacks don’t need to break into a company’s servers if they can convince users to give up the keys voluntarily.
LastPass says it’s working to get malicious sites taken down, but it’s a whack-a-mole problem: one domain disappears, another pops up, and the email templates keep evolving.
What to do if you get one of these emails—or if you already clicked
Start with the basics: don’t click links in unexpected “security” emails. Instead, open the LastPass app or type the official website address yourself and check your account from there.
Force yourself to verify the sender details—especially on mobile. Don’t trust the display name. Look at the full email address and the domain behind it.
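The two checks described in this article, display name versus real sender address (the mobile trap) and the brand-lookalike landing domain, are exactly what a mail filter or a triage script can automate. The following is an added example, not code from LastPass or from the article: it splits a From: header into display name and address with the standard library, flags a sender whose display name claims the brand while the address domain does not belong to it, and flags links whose hostname contains the brand name without being the brand's own domain (so lastpass.com.evil.example would also be caught, not just verify-lastpass.com). The allowlist of legitimate domains, the message samples and the field names are assumptions constructed for this example; a real deployment would load the allowlist from policy and would also need to resolve redirect chains, which this offline check does not do.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the brand legitimately sends from and links to.
# A real deployment would maintain this list from policy, not hard-code it.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

# Constructed samples (not real messages). The phishing sample mirrors the
# article: a spoofed display name and a link to the lookalike domain it cites.
SAMPLE_PHISH = {
    "from": '"LastPass Support" <alerts@mail-notify.example>',
    "body": (
        "Fwd: Re: Request to remove two-factor authentication\n"
        "We have processed the request. Take back control here:\n"
        "https://verify-lastpass.com/sso/login?user=you\n"
    ),
}
SAMPLE_LEGIT = {
    "from": '"LastPass" <noreply@lastpass.com>',
    "body": "Sign in at https://lastpass.com/login to review your account.\n",
}


def sender_parts(from_header: str) -> tuple[str, str, str]:
    """Split a From: header into (display name, address, address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def is_brand_domain(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def check_sender(from_header: str) -> list[str]:
    """Flag a display name that claims the brand while the address does not.

    This covers the mobile trap: the name a phone shows is attacker-chosen,
    only the address domain is worth trusting, and even that only after
    authentication (SPF/DKIM/DMARC) has passed upstream.
    """
    name, addr, domain = sender_parts(from_header)
    findings = []
    if BRAND in name.lower() and not is_brand_domain(domain):
        findings.append(
            f"display name '{name}' claims {BRAND} but address is {addr or '<none>'}"
        )
    return findings


def check_links(body: str) -> list[str]:
    """Flag links whose host contains the brand name but is not a brand domain.

    Only the URL visible in the message is inspected; the article notes the
    link may pass through redirects first, which an offline check cannot follow.
    """
    findings = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if BRAND in host and not is_brand_domain(host):
            findings.append(f"lookalike link host: {host}")
    return findings


def triage(message: dict) -> list[str]:
    """Run both checks over a message with 'from' and 'body' fields."""
    return check_sender(message["from"]) + check_links(message["body"])


if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(msg) or ["no findings"])
```

The sender check is deliberately narrow: it fires only when the display name invokes the brand, because that is the combination the campaign relies on, and it treats the address domain as authoritative only because a real mail pipeline would have already rejected forged domains via SPF, DKIM and DMARC. The link check errs toward noise (any host containing the brand string outside the allowlist), which is the right trade-off for a credential-phishing brand.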
If you clicked and entered your credentials, act immediately: change your master password through the real app or site, review connected devices and trusted access, and contact support through official channels. If this happened at work, notify your IT/security team—fast—because one compromised vault can cascade into email, payroll, internal tools, and shared accounts.
Key Takeaways
- The campaign uses fake email threads to create urgency and drive clicks.
- Attackers spoof the display name, which is especially effective on mobile.
- The link leads to a fake SSO page (e.g., verify-lastpass[.]com) to steal the master password.
Frequently Asked Questions
Can LastPass ask me for my master password by email?
No. LastPass clearly states it will never ask for your master password. If an email urges you to enter it via a link, treat it as a phishing attempt and use the app or the official website by typing the address in manually.
Why does this scam work better than classic phishing?
Because it stages a complete fake exchange—like a conversation between support and an attacker—to make you believe an unauthorized action is already in progress. Stress and urgency push you to click quickly, especially if you don’t verify the sender’s real address.
What should I do if I clicked the link and entered my login info?
Act immediately using official channels: sign in to the real LastPass through the app or a known URL, change your master password, review devices and any suspicious activity, then contact support. In a work setting, also notify your security team to limit the impact.
Sources
- LastPass Issue Urgent Warning Over New Security Scam To Steal …
- LastPass warns of scam using fake email chains spoofing account …
- LastPass warns of spoofed alerts aimed at stealing master passwords
- LastPass Alerts Customers of Fake Email Chains Used in New …
- LastPass issues alert as customers face second major phishing …