LastPass “create backup” email is a scam, the company warns


Scammers are targeting LastPass clients with phishing emails that claim the password manager is about to conduct maintenance and that users should back up their vaults. The attack is still ongoing, LastPass told Cybernews.

The phishing campaign was launched on January 19th, with attackers using multiple email addresses and subject lines. According to LastPass, the timing of the attack is not accidental – it targeted users during a holiday in the United States. This is a common tactic, with attackers hoping that fewer security staff will be on duty.


The fraudulent email demands that users take action within the next 24 hours, claiming that LastPass is going into “scheduled maintenance,” and urges them to make backups. The phishing email even provides an explanation for a local backup – operational continuity.

However, as LastPass explained, the company is not asking customers to back up their data.

“Please be advised that LastPass is NOT asking customers to back up their vaults in the next 24 hours,” the company said in an advisory from its Threat Intelligence, Mitigation, and Escalation (TIME) team.

“This is an attempt on the part of a malicious actor to generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails.”


Losing access to a LastPass vault could be catastrophic for users as it stores all login credentials, including usernames, passwords, payment card details, and other sensitive data. Like many other similar services, LastPass is protected by a master password.

“Please remember that no one at LastPass will ever ask for your master password,” the company said.

The TIME team said it observed several subject lines used in the attempt to steal users’ master passwords. The company provided these examples:

  • LastPass Infrastructure Update: Secure Your Vault Now
  • Your Data, Your Protection: Create a Backup Before Maintenance
  • Don't Miss Out: Backup Your Vault Before Maintenance
  • Important: LastPass Maintenance & Your Vault Security
  • Protect Your Passwords: Backup Your Vault (24-Hour Window)

Meanwhile, TIME observed the messages came from:

  • support@sr22vegas[.]com
  • support@lastpass[.]server8
  • support@lastpass[.]server7
  • support@lastpass[.]server3

Attackers devised the campaign so that victims who click the malicious link are redirected to a phishing site hosted on Amazon AWS, which then forwards them to a legitimate-looking site, “mail-lastpass[.]com.”

“Rest assured, we are working with our third-party partners to have this domain taken down as soon as possible,” LastPass explained.

The company told Cybernews that it does not know how many customers were affected, but so far there are no indications that any accounts were compromised. However, the company's spokesperson explained, the investigation is still ongoing.
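A defender-side triage check for the traits the advisory describes, as an added example that is not code from LastPass or Cybernews: it flags the listed sender addresses, any sender or link domain that uses the LastPass name without being lastpass.com, and the deadline-plus-backup lure. The legitimate domain and the sample message are assumptions constructed for the example.

```python
import email
import email.utils
import re
from email import policy

# Sender addresses from the LastPass advisory quoted above (defanging brackets removed).
CAMPAIGN_SENDERS = {"support@sr22vegas.com", "support@lastpass.server8",
                    "support@lastpass.server7", "support@lastpass.server3"}
LEGIT_DOMAIN = "lastpass.com"  # assumption: genuine mail comes only from this domain
URGENCY = re.compile(r"\b24[- ]?hours?\b|within the next\b", re.I)

def is_lookalike(domain):
    """True if the domain trades on the brand name but is not lastpass.com or a subdomain."""
    domain = domain.lower()
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return False
    return "lastpass" in domain

def triage(raw_message):
    """Check one RFC 822 message against the campaign's traits; returns (verdict, reasons)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    addr = addr.lower()
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    if addr in CAMPAIGN_SENDERS:
        reasons.append("known campaign sender")
    if "@" in addr and is_lookalike(addr.rsplit("@", 1)[1]):
        reasons.append("lookalike sender domain " + addr.rsplit("@", 1)[1])
    # The lure: a deadline plus a request to "back up" the vault.
    blob = subject + "\n" + text
    if URGENCY.search(blob) and re.search(r"back\s?up", blob, re.I):
        reasons.append("urgency + backup lure")
    for host in re.findall(r"https?://([\w.-]+)", text):
        if is_lookalike(host):
            reasons.append("lookalike link " + host.lower())
    return ("block" if reasons else "allow"), reasons

# Constructed sample modelled on the campaign described in the article (not a real message).
PHISH = """From: LastPass Support <support@lastpass.server8>
Subject: Protect Your Passwords: Backup Your Vault (24-Hour Window)

LastPass is going into scheduled maintenance. To ensure operational
continuity, create a backup of your vault within the next 24 hours:
https://mail-lastpass.com/backup
"""
```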


Two months ago, malicious actors targeted the company’s clients with “legacy request” messages, which claimed a family member had uploaded a death certificate and that users needed to verify they were not dead. LastPass said the two attacks do not appear to be related.

“LastPass is confirming that the suspected threat actors behind the phishing campaign have sent another wave of phishing emails using similar tactics. While the body of the email remains the same as the original campaign, the links in the new wave of emails have been changed following LastPass’ disruption of their initial infrastructure,” a LastPass spokesperson said.

According to an updated blog post, the attackers changed sender email addresses and IP addresses, and added new subject lines.


LastPass suffered a major data breach in August 2022, after attackers exfiltrated portions of internal data. Threat actors gained access to a third-party cloud-based storage service that LastPass uses to store backups of its production data.

Reports surfaced last year linking the hack of Ripple co-founder Chris Larsen's crypto accounts to a LastPass breach. In 2024, hackers stole over $100 million from Larsen’s personal XRP accounts and reportedly laundered the funds through the biggest crypto exchanges, including Binance.

Updated on January 23rd [07:30 a.m. GMT] with a statement from LastPass.
