Alexander Culafi, Senior News Writer, Dark Reading
January 21, 2026

An ongoing phishing campaign is targeting customers of password management vendor LastPass. LastPass itself disclosed the campaign via a Jan. 20 blog post.

According to the vendor's Threat Intelligence, Mitigation, and Escalation (TIME) team, attackers began targeting customer vaults on or around Jan. 19, which the post notes fell on a holiday weekend in the US (Martin Luther King Jr. Day). Cybercriminals sometimes time their activity to holiday weekends, expecting that IT and security teams will have fewer staff on hand.

The emails come from several addresses, with multiple subject lines, generally urging customers to "back up their vaults" ahead of impending "scheduled maintenance." Some of the sender addresses look fairly plausible, such as support@lastpass[.]server8, and the body of the email is polished enough to have come from a legitimate company.

Example subject lines include "LastPass Infrastructure Update: Secure Your Vault Now"; "Your Data, Your Protection: Create a Backup Before Maintenance"; "Don't Miss Out: Backup Your Vault Before Maintenance"; "Important: LastPass Maintenance & Your Vault Security"; and "Protect Your Passwords: Backup Your Vault (24-Hour Window)."

Thanks to tools such as generative AI (GenAI), attackers can now produce believable phishing emails with little effort. While many still contain typos and strange formatting, an increasing number feature flawless grammar and polished HTML, thanks to LLM-powered text and code editors.

The emails lead to a phishing site where the user is prompted to enter their login credentials, potentially giving the attacker access to the user's entire vault. This is a nightmare scenario for individuals and businesses alike, since a single lapse of judgment while reading an email could have catastrophic consequences.
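As an added example (not code from the article or from LastPass), the following Python triage script scores a raw email against the indicators described above: a LastPass-branded sender whose domain is not the vendor's, the maintenance/backup lure phrases from the reported subject lines, and links to hosts outside the vendor's domain. The allowlisted domain and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the vendor's legitimate domain; replace with your own allowlist.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = re.compile(r"lastpass", re.I)
# Lure phrases lifted from the subject lines reported in the campaign.
LURE_PATTERNS = [re.compile(p, re.I) for p in (r"back\s*up\s+your\s+vault",
    r"before\s+maintenance", r"secure\s+your\s+vault", r"\d+-hour\s+window", r"infrastructure\s+update")]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def in_allowlist(host: str) -> bool:
    # Exact match or subdomain; "lastpass.com.evil.example" must NOT pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def score_message(raw: str) -> dict:
    # Score a raw RFC 5322 message on sender, lure phrases and link hosts.
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # get_payload(decode=True) is None for multipart; only the plain body is scanned here.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = msg.get("Subject", "") + "\n" + body
    score, reasons = 0, []
    # 1. Brand name in the sender, but the domain is not the vendor's.
    if BRAND.search(display + addr) and not in_allowlist(sender_domain):
        score += 3
        reasons.append(f"brand in sender but domain {sender_domain!r} not allowlisted")
    # 2. Urgency/maintenance lure phrases in subject or body, +2 per distinct phrase.
    for pat in LURE_PATTERNS:
        if pat.search(text):
            score += 2
            reasons.append(f"lure phrase /{pat.pattern}/")
    # 3. Links outside the vendor's domain in a brand-themed message.
    if BRAND.search(raw):
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not in_allowlist(host):
                score += 2
                reasons.append(f"link to non-allowlisted host {host!r}")
    return {"score": score, "reasons": reasons, "verdict": "suspicious" if score >= 4 else "ok"}

# Constructed sample messages, not real campaign artefacts.
PHISH = ("From: LastPass Support <support@lastpass.server8.example>\n"
         "Subject: LastPass Infrastructure Update: Secure Your Vault Now\n\n"
         "Scheduled maintenance starts soon. Back up your vault within the "
         "24-hour window:\nhttps://vault-backup.lastpass-maintenance.example/login\n")
LEGIT = ("From: LastPass <noreply@lastpass.com>\nSubject: Your monthly security report\n\n"
         "Review your report at https://lastpass.com/security\n")
```

Running `score_message(PHISH)` reports the sender mismatch, four lure phrases and the off-domain link (score 13, "suspicious"), while `score_message(LEGIT)` scores 0.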
Avoiding a LastPass Phishing Nightmare

That said, password managers are broadly considered good information security hygiene. Cared for properly, they offload the work of remembering passwords, prevent the use of weak passwords that can be easily cracked, and remove the temptation to store passwords on a Post-it or in a note-taking app.

"Please remember that no one at LastPass will ever ask for your master password," LastPass said in its advisory post. "In the meantime, please take the appropriate precautions and, as always, if you are ever unsure whether a LastPass branded email is legitimate, submit it to [email protected]."

Users should pay close attention to emails claiming to be from LastPass in the coming days, and remember to check the sender addresses and subject lines for possible signs of phishing lures. More broadly, individuals and organizations should familiarize themselves with common social engineering tactics and, where appropriate, consider phishing-resistant authentication mechanisms.

For users who want to protect their password vaults further, LastPass offers multifactor authentication features, including support for authenticator apps and hardware keys, biometric verification, and contextual (such as location-based) authentication. Other password managers on the market also offer secondary authentication features.

A LastPass spokesperson tells Dark Reading that although LastPass is unsure how many customers were targeted in this campaign, "there is no indication, at this time, that any accounts were compromised." Regarding threat actor attribution, the spokesperson says, "The overall tactics and broad customer targeting aligns closest with cybercriminal groups."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston.
After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.
A phishing campaign is targeting LastPass customers with credible messages likely crafted using large language models. Users should be cautious of suspicious emails and verify any requests through official LastPass channels.