
A convincing phishing campaign has targeted LastPass in two waves.
On September 13th, LastPass customers began reporting phishing attempts. The targets spanned a variety of industries and included 87 of LastPass's own employees, in what the company called a widespread, pervasive, and convincing phishing campaign.
Victims first got emails from the address [email protected][.]th, associated with a domain that wasn’t previously linked to malicious activity.
The email contained a link to phishing pages hosted on subdomains of customer-lastpass[.]su, a lookalike domain built around the LastPass brand name.
LastPass partnered with Fortra’s PhishLabs to mitigate the risk. “By the time the first reports started coming in from our customers, a takedown request to each respective service provider for the two suspicious domains was already underway.”
Unfortunately, the attackers registered a similar domain for credential phishing and began a second wave of attacks on September 19th. Several malicious subdomains from that wave were taken down within 16 hours of the campaign's start.
Recently, LastPass came under fire again when a well-known crypto pundit blamed the company for cryptocurrency losses. Crypto enthusiasts had been reporting unexplained wallet depletions and linking the thefts to the 2022 breaches of the widely used password manager.