Fake LastPass support email threads try to steal vault passwords
LastPass is warning users of a phishing campaign in which attackers pose as company representatives and send fake unauthorized-account-access notices. The emails imitate an internal conversation to lure users into clicking a link to a forged login page that harvests credentials. The attackers use multiple sender addresses and subject lines to add credibility. LastPass stresses that its infrastructure is unaffected and reminds users never to disclose their master password.
2026-3-4 20:45:15 Author: www.bleepingcomputer.com

Password management software provider LastPass is warning users of a phishing campaign targeting its users with fake unauthorized account access alerts.

The emails impersonate a LastPass representative by spoofing the display name and use subject lines crafted to mimic forwarded internal conversations between attackers and the company’s customer support team about a request to change the account’s primary email address.

The email chains are forwarded to the target in an attempt to prompt them to respond to the suspicious activity with urgency and click on links named “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”

[Image: example email thread. Source: LastPass]

Clicking any of these links directs users to a fake LastPass login page hosted on the domain “verify-lastpass[.]com” that collects LastPass user credentials.

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team notes in a report that, apart from this primary domain, the attacker also uses slightly modified URLs that redirect to the same phishing page.

LastPass notes that multiple sender addresses and subject lines are used in the campaign to increase credibility and make tracing more difficult.

Most sender addresses are completely unrelated to the LastPass brand, set up from compromised websites or abandoned domains, but the attackers try to hide them by using the ‘LastPass Support’ display name.
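The two tells described above, a brand name in the display name sitting on an unrelated sender domain and links to brand-lookalike hosts, can be checked mechanically at the mail gateway. The following is an added example, not code from LastPass or BleepingComputer; it assumes `lastpass.com` as the only legitimate domain and uses constructed single-part sample messages on reserved placeholder domains rather than the campaign's real mail:

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "lastpass"
LEGIT_DOMAINS = {"lastpass.com"}          # assumed legitimate sender/link domain
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def under_legit_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def display_name_mismatch(from_header):
    """Display name invokes the brand but the real address domain does not belong to it."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return BRAND in name.lower() and not under_legit_domain(domain)

def lookalike_links(body):
    """Link hosts that contain the brand name without being the legitimate domain."""
    hosts = [h.lower() for h in URL_HOST_RE.findall(body)]
    return sorted({h for h in hosts if BRAND in h and not under_legit_domain(h)})

def triage(raw_message):
    """Run both checks on a single-part text email (assumption) and return a verdict."""
    msg = message_from_string(raw_message)
    mismatch = display_name_mismatch(msg.get("From", ""))
    lookalikes = lookalike_links(msg.get_payload())
    return {"display_name_mismatch": mismatch, "lookalike_links": lookalikes,
            "suspicious": mismatch or bool(lookalikes)}

# Constructed sample messages on reserved placeholder domains, not real campaign mail.
PHISH = """From: "LastPass Support" <alerts@abandoned-shop.invalid>
Subject: Fwd: Re: Request to change primary email address
Content-Type: text/plain

Unauthorized access detected. Disconnect and lock vault:
http://verify-lastpass.example/login
"""

LEGIT = """From: "LastPass" <noreply@lastpass.com>
Subject: Your monthly security summary
Content-Type: text/plain

View your report at https://lastpass.com/account
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

A multipart or HTML message would need its text parts extracted before calling `lookalike_links`; the heuristic itself is unchanged.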

The company underlined that its infrastructure has not been compromised in any way, and there’s no impact on its systems.

Moreover, it reminded customers that its support agents will never ask for their master password and that users should never disclose it to anyone.

LastPass is working with third-party partners to take down the fake websites as soon as possible, while urging users who receive suspicious communications to report them to ‘[email protected].’

LastPass’s popularity makes the service a frequent target of phishing campaigns. Earlier this year, in January, LastPass warned of another phishing campaign that distributed fake maintenance notifications, asking users to back up their vaults within 24 hours and redirecting them to phishing pages.

In late 2025, two more campaigns targeting LastPass occurred: one leveraging fake user death claims, and the other claiming the company had been hacked and urging users to download a new version of the client app.


Article source: https://www.bleepingcomputer.com/news/security/fake-lastpass-support-email-threads-try-to-steal-vault-passwords/