LastPass warned users about an active phishing campaign that spoofs its display name and sends fake security alerts to trick victims into revealing their master password. The emails direct recipients to a fraudulent SSO site that harvests credentials, and LastPass urges users to report suspicious messages. #LastPass #verify-lastpass
Key points
- The phishing campaign began around March 1, 2026 and is currently active.
- Attackers spoof LastPass display names and forward fake threads about unauthorized access or device registration.
- Links in the emails lead to a fake SSO page at verify-lastpass[.]com that collects master passwords.
- The scam leverages display-name spoofing, which hides the real sender address in many email clients, especially on mobile.
- LastPass says it will never ask for a master password, is working to take down phishing sites, and provides IoCs while urging users to report suspicious emails to [email protected].
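
The display-name mismatch and the link described above can be checked mechanically at a mail gateway or in triage. The following is an added example, not code from LastPass or from this page; the trusted sender domain `lastpass.com`, the sample messages and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "lastpass"
TRUSTED_DOMAINS = {"lastpass.com"}  # assumption: your allow-list of real sender domains
# Domain named on this page, stored defanged and refanged only for matching.
PHISH_DOMAINS = {"verify-lastpass[.]com".replace("[.]", ".")}
URL_HOST = re.compile(r"https?://([^/\s:\"'<>]+)", re.I)

def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return the findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Brand in the display name, but the real address is in another domain.
    if BRAND in display.lower() and not domain_matches(addr.rpartition("@")[2], TRUSTED_DOMAINS):
        findings.append("display-name-spoof")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode("utf-8", errors="replace")
        if any(domain_matches(h, PHISH_DOMAINS) for h in URL_HOST.findall(text)):
            findings.append("known-phishing-link")
            break
    return findings

def make_sample(from_header, body):
    """Build a constructed plain-text message for the demo."""
    return f"From: {from_header}\nTo: user@example.org\nSubject: Fwd: Security alert\n\n{body}\n"

# Constructed samples, not real campaign mail.
PHISH = next(iter(PHISH_DOMAINS))
SPOOFED = make_sample('"LastPass Security" <alerts@mail-notify.example>',
                      f"Unauthorized access detected. Verify: https://{PHISH}/sso")
LOOKALIKE = make_sample('"LastPass" <support@lastpass.com.account-check.example>', "No links here.")
GENUINE = make_sample('"LastPass" <no-reply@lastpass.com>', "Your monthly security summary.")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("genuine", GENUINE)]:
        print(name, check_message(raw))
```

This check only compares the display name with the address domain; an address forged inside a trusted domain is a matter for SPF, DKIM and DMARC enforcement.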