Securing your LastPass account against phishing threats

Phishing emails aimed at LastPass users are trying to steal your master password. The fix is boring, but it works: check the message properly, harden the account, and do not trust anything that asks for secrets by email.

Recognising Phishing Threats

Common phishing methods

  • Credential harvesting pages. An attacker sends an email with a link that looks like LastPass. The link leads to a page asking for your master password. That is the main trick in recent campaigns. See a recent example here.
  • Malicious attachments or installers. Emails telling you to download a “security update” or a patched desktop app can carry malware that records keystrokes or steals vault data.
  • Voice and SMS social engineering. Attackers call or text, push urgency, and try to get you to click or read a code aloud. The pressure is part of the attack.

What phishing emails usually look like

  • Wrong sender domain. The display name might say “LastPass”, but the sending address will be odd. Check the full email address.
  • Urgent, alarming language that pushes you to act. Typical subject lines in the campaign I’m referring to include “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)”. See reporting on that campaign here.
  • Links that do not match the domain. Hover to view the actual URL before clicking. Shortened or obfuscated links are a red flag.
  • Requests for the master password, one-time codes, or an exported vault. LastPass will never ask you to send a master password.

Phishing is a social attack. Technical controls help, but they do not matter much once someone has clicked a link or typed a password into a fake page. Check every LastPass-looking message the same way:

  1. Check the sender address.
  2. Hover links, do not click.
  3. If the email references an action you did not perform, open your LastPass vault in a new browser window and check notifications there, not via the email link.

If an email looks off, report it to LastPass using their phishing report process so they can deal with the sender and domain.

Implementing Security Measures

Multi-Factor Authentication
Turn on multi-factor authentication for LastPass and pick a phishing-resistant option. Use FIDO2 security keys or an authenticator app that supports push or TOTP. Do not rely on SMS codes alone; those can be intercepted or coerced. In LastPass, add at least two MFA methods so you have a fallback if a key or device fails. Test each method after setup: log out and log back in, then confirm the second factor prompts as expected.

Creating Strong Passwords
Your master password is the most sensitive secret in the account. Make it long and unique. I use a passphrase of 16–24 characters with mixed words and punctuation. Do not reuse it elsewhere. If you prefer entropy, use a 20+ character random string generated by a reputable password generator. Store recovery hints offline, not in the vault. Enable the extra account secret key if your LastPass plan supports it; that adds another secret phishers cannot ask for over email.

Regular Security Audits
Run periodic checks of your LastPass vault. Look for:

  • Unfamiliar or duplicate logins.
  • Recently added vault items you did not create.
  • Items with weak or breached passwords reported by LastPass auditing tools. Replace weak entries with new, unique passwords.

Schedule an audit every quarter and after any suspected incident. Keep a local, encrypted backup of critical credentials. Rotate the highest-value credentials first: email, bank, crypto accounts, and your LastPass master password itself if you suspect a compromise.

Reporting Suspicious Activity
If you find a suspicious email or a fake login page, do three things:

  1. Do not enter any credentials. Close the page.
  2. Forward the original email to LastPass support via their phishing report channel so they can investigate. Use the support link I referenced earlier.
  3. Change your master password from a trusted device and sign out all sessions in LastPass if you suspect exposure. Revoke any unknown sessions and remove devices you no longer use.

Concrete steps to run now

  • Enable a FIDO2 key in LastPass and register a second MFA method.
  • Change your master password to a long passphrase.
  • Run a vault audit and fix any weak or reused entries.
  • Add the account secret key if available.
  • Report any odd LastPass emails to LastPass support immediately.

I keep this tight because phishing depends on speed and panic. Slow down, check the sender, open LastPass directly, and use phishing-resistant multi-factor authentication. That cuts the chance of losing your vault to a scam.

Links: Computerworld article on the campaign, LastPass phishing report and guidance

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes