The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team would like to alert our customers to an active phishing campaign that began on or around January 19, 2026. These phishing emails are being sent from several email addresses with various subject lines, claiming that LastPass is about to conduct maintenance and urging users to back up their vaults in the next 24 hours. The known list of email addresses and subject lines can be found below.
Please be advised that LastPass is NOT asking customers to back up their vaults in the next 24 hours; rather, this is an attempt on the part of a malicious actor to generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails.
The image below shows the body of an example email we have observed, with a link purporting to take potential victims to a site that will supposedly allow recipients to create backups of their vault. Instead, this link directs victims to a phishing site hosted at “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”, which then redirects to “mail-lastpass[.]com”. The timing of the campaign, which fell over a holiday weekend in the United States, reflects a common tactic among threat actors seeking to take advantage of reduced staffing under the assumption that it will postpone detection and draw out response time.
Body of Current Phishing Email as of January 20, 2026

Please remember that no one at LastPass will ever ask for your master password. Rest assured, we are working with our third-party partners to have this domain taken down as soon as possible. In the meantime, please take the appropriate precautions and, as always, if you are ever unsure whether a LastPass-branded email is legitimate, submit it to abuse@lastpass.com. We would like to thank our customers who have already submitted this email for their vigilance and commitment to keeping our community secure.
Malicious URLs and associated IPs:
- “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”
  - Serving IP address at time of publication: 52.95.155[.]90
- “mail-lastpass[.]com”
  - Associated IP addresses at time of publication:
    - 104.21.86[.]78
    - 172.67.216[.]232
    - 188.114.97[.]3
Header information:
From:
- support@sr22vegas[.]com
- support@lastpass[.]server8
- support@lastpass[.]server7
- support@lastpass[.]server3
Associated IPs:
- 192.168.16[.]19
- 172.23.182[.]202
Subjects:
- LastPass Infrastructure Update: Secure Your Vault Now
- Your Data, Your Protection: Create a Backup Before Maintenance
- Don't Miss Out: Backup Your Vault Before Maintenance
- Important: LastPass Maintenance & Your Vault Security
- Protect Your Passwords: Backup Your Vault (24-Hour Window)
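
One way to screen a mailbox export or quarantine folder against the indicators listed above (an added example, not LastPass code). The function names and the sample message are constructed for illustration, and matching subdomains of the listed hosts is a generalization beyond the advisory's exact entries.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Indicators copied from the advisory, stored defanged and re-fanged only in memory.
HOSTS = ["group-content-gen2.s3.eu-west-3.amazonaws[.]com", "mail-lastpass[.]com"]
SENDER_DOMAINS = ["sr22vegas[.]com", "lastpass[.]server8",
                  "lastpass[.]server7", "lastpass[.]server3"]
SUBJECTS = [
    "LastPass Infrastructure Update: Secure Your Vault Now",
    "Your Data, Your Protection: Create a Backup Before Maintenance",
    "Don't Miss Out: Backup Your Vault Before Maintenance",
    "Important: LastPass Maintenance & Your Vault Security",
    "Protect Your Passwords: Backup Your Vault (24-Hour Window)",
]

def refang(value):
    return value.replace("[.]", ".").lower()

def norm(text):
    # Fold case, curly apostrophes and runs of whitespace before comparing.
    return re.sub(r"\s+", " ", text.replace("\u2019", "'")).strip().lower()

BAD_HOSTS = {refang(h) for h in HOSTS}
BAD_SENDERS = {refang(d) for d in SENDER_DOMAINS}
BAD_SUBJECTS = {norm(s) for s in SUBJECTS}

def check_message(raw):
    """Return the list of advisory indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    from_hdr = msg["From"]
    for addr in (from_hdr.addresses if from_hdr else ()):
        if addr.domain.lower() in BAD_SENDERS:
            hits.append("sender:" + addr.domain.lower())
    if norm(str(msg["Subject"] or "")) in BAD_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
            host = (urlsplit(url).hostname or "").lower()
            if any(host == h or host.endswith("." + h) for h in BAD_HOSTS):
                hits.append("url:" + host)
    return hits

# Constructed sample message; the link is rebuilt from the defanged list above.
SAMPLE = ("From: LastPass <support@lastpass.server8>\n"
          "Subject: important:  lastpass maintenance & your vault security\n\n"
          "Back up here: https://" + refang(HOSTS[0]) + "/5yaVgx51ZzGf\n")
print(check_message(SAMPLE))
```

Sender addresses and subject lines are easy for the actor to rotate, so a hit on the link host is the strongest of the three signals, and an empty result does not clear a message.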



