LastPass Users Targeted by Sophisticated Phishing Campaign Spoofing Security Alerts

LastPass users are being targeted by a sophisticated phishing campaign that uses spoofed security alert emails and display name spoofing to trick them into revealing their master passwords, Security Affairs reported on March 5, 2026. The campaign impersonates legitimate LastPass security notifications and constructs convincing fake email threads to create urgency. The technique is particularly dangerous for password manager users, because compromise of the master password defeats the entire security model. LastPass experienced significant data breaches in 2022 and 2023, so attackers may be targeting the existing user base with credentials harvested from those earlier events.

Key Takeaways

  • LastPass phishing campaign uses spoofed security alert emails with display name spoofing to steal master passwords — reported by Security Affairs, March 5, 2026
  • Attack employs fake email threads and social engineering that mimic LastPass account security notifications; the target is the master password, which gives full access to the encrypted vault
  • LastPass suffered major breaches in 2022 and 2023 (source code, encrypted vaults, customer metadata stolen); current campaign may leverage knowledge of affected accounts

Original source: Security Affairs