LastPass Warns of Active Phishing Campaign Impersonating Brand

LastPass Issues Alert on Active Phishing Campaign Falsely Claiming a Hack

Severity: MEDIUM
October 13, 2025
Categories: Phishing, Security Operations


Executive Summary

LastPass has issued an urgent warning to its customers about an ongoing phishing campaign detected on October 13, 2025. The campaign uses social engineering tactics, sending emails that falsely claim LastPass has been hacked. These emails pressure users to click a link to a new desktop app to "maintain vault security." The link leads to a well-crafted phishing site designed to harvest the user's master password. LastPass has affirmed that its systems have not been breached and that this is a malicious attempt to steal user credentials. The campaign was strategically launched over a holiday weekend in the U.S. to slow detection and response.


Threat Overview

This is a classic credential phishing campaign that relies on impersonation and creating a false sense of urgency.

  • Attack Vector: Spearphishing via Service (T1598.003). The attackers send emails that appear to be official communications from LastPass.
  • Email Details:
    • Sender: hello@lastpasspulse[.]blog
    • Subject: We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security
  • Social Engineering: The subject line and email body are designed to cause panic, making users more likely to act impulsively without scrutinizing the email's legitimacy.
  • Malicious Infrastructure:
    • The email link directs users to a phishing site hosted at lastpassdesktop[.]com.
    • A second domain, lastpassdesktop[.]app, has also been registered, likely for future use.
    • The phishing site is hosted on NICENIC, a provider known for offering "bulletproof" hosting services, which makes takedowns more difficult.

Impact Assessment

The primary and most severe impact is the potential theft of a user's LastPass master password.

A compromised master password gives an attacker complete access to a user's entire password vault. This includes credentials for all saved websites, secure notes, and other sensitive data.

This would lead to a catastrophic personal data breach for the victim, enabling attackers to:

  • Access their email, banking, social media, and work-related accounts.
  • Commit financial fraud and identity theft.
  • Leverage compromised work credentials to attack the victim's employer.

IOCs

Type           Value                        Description
Domain         lastpassdesktop[.]com        Primary phishing site domain.
Domain         lastpassdesktop[.]app        Secondary registered domain for the campaign.
Email address  hello@lastpasspulse[.]blog   Sender address used in the phishing emails.

Detection & Response

  • LastPass's Actions: The company is actively working to have the malicious domains taken down. They have also worked with Cloudflare to place a warning page in front of the phishing sites.
  • User Detection: Users should be trained to look for red flags in emails claiming to be from LastPass:
    • Verify the sender's email address. Legitimate emails come from @lastpass.com or @logmein.com.
    • Hover over links before clicking to see the actual destination URL.
    • Be suspicious of any email that creates an extreme sense of urgency or asks for your master password.

Mitigation

  • NEVER Share Your Master Password: LastPass employees will never ask for your master password. Any email, pop-up, or website that asks for it is a scam. This is the most critical piece of user education.
  • Enable Multi-Factor Authentication (MFA): While a stolen master password is devastating, having MFA enabled on your LastPass account adds a further layer of protection, especially for logins from new devices. Prefer phishing-resistant factors such as hardware security keys where available, since a one-time code typed into a phishing page offers less protection than a key bound to the real site. This corresponds to the ATT&CK mitigation Multi-factor Authentication (M1032).
  • Report Suspicious Emails: Users who receive this or any other suspicious email should not click any links or download attachments. They should report it to LastPass directly via their official channels.
  • Access LastPass Securely: Always access your LastPass vault by typing lastpass.com directly into your browser or by using the official browser extension or mobile app. Do not rely on links in emails.

Timeline of Events

  1. October 13, 2025: LastPass detects and issues a public warning about the active phishing campaign.
  2. October 13, 2025: This article was published.

MITRE ATT&CK Mitigations

The most effective mitigation is training users to recognize phishing attempts and to never share their master password.

Enabling MFA on LastPass accounts provides a critical layer of security against master password compromise.

Blocking the malicious domains and sender addresses at the network and email gateway level can prevent the attack from reaching users.

D3FEND Defensive Countermeasures

The single most effective technical defense against the LastPass phishing campaign is the universal enforcement of Multi-factor Authentication (MFA) on all LastPass accounts. Even if a user is tricked into entering their master password on the phishing site lastpassdesktop[.]com, the attacker cannot access the vault without the second factor (e.g., a code from an authenticator app, a hardware key, or a biometric prompt); hardware keys bound to the genuine site are the strongest choice, because a phishing page cannot reuse them. Organizations should enforce this via LastPass enterprise policies, and individual users should enable it immediately in their account settings. This countermeasure acts as a critical failsafe, neutralizing the primary goal of the credential harvesting attack.

To proactively block the LastPass phishing campaign, security teams should immediately implement DNS Denylisting for the known malicious domains. Add lastpassdesktop[.]com, lastpassdesktop[.]app, and the sender's domain lastpasspulse[.]blog (including their subdomains) to your organization's DNS sinkhole or secure DNS service (such as Cisco Umbrella or Quad9). Any user who clicks the phishing link from a device that uses the organization's resolver will then never reach the malicious site, because the DNS request is blocked before a connection is made. This is a highly effective, low-overhead method to neutralize the known infrastructure of this specific campaign and protect users who might otherwise fall for the scam; it does not cover devices that bypass the corporate resolver, so it complements rather than replaces the MFA and user-training measures above.
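The following Python is an added example, not code from the advisory or from LastPass: it turns the "User Detection" red flags above (sender domain, link destination) and the DNS denylisting decision into one checker built on this report's IOCs. The sample messages are constructed, and the brand-lookalike heuristic goes beyond what the advisory describes and is an assumption.

```python
import re
from urllib.parse import urlparse

# Legitimate sender zones named in the advisory.
LEGIT_ZONES = {"lastpass.com", "logmein.com"}
# Campaign domains from the advisory's IOC table, with the defanging brackets removed.
DENYLIST = {"lastpassdesktop.com", "lastpassdesktop.app", "lastpasspulse.blog"}

def in_zone(host, zones):
    """True if host equals one of the zones or is a subdomain of it: login.lastpassdesktop.com
    matches lastpassdesktop.com, but lastpassdesktop.com.example.net does not."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)

def brand_lookalike(host):
    """Assumed heuristic: hostname carrying the LastPass brand string outside the legitimate zones."""
    return "lastpass" in host.lower() and not in_zone(host, LEGIT_ZONES)

def triage_email(sender, body):
    """Return the red flags found in one message; an empty list means none were found."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if in_zone(sender_domain, DENYLIST):
        flags.append(f"sender domain {sender_domain} is a known campaign IOC")
    elif not in_zone(sender_domain, LEGIT_ZONES):
        flags.append(f"sender domain {sender_domain} is not @lastpass.com or @logmein.com")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if in_zone(host, DENYLIST):
            flags.append(f"link to known campaign domain {host}")
        elif brand_lookalike(host):
            flags.append(f"link to LastPass lookalike domain {host}")
    return flags

def dns_should_sinkhole(qname):
    """Sinkhole decision for a resolver denylist: block the IOC zones and their subdomains only."""
    return in_zone(qname, DENYLIST)

# Constructed sample messages (not captured mail), modelled on the advisory's description.
PHISH = {"sender": "hello@lastpasspulse.blog",
         "body": "We have been hacked. Update now: https://lastpassdesktop.com/download"}
LEGIT = {"sender": "noreply@lastpass.com",
         "body": "Your vault is secure. Sign in at https://lastpass.com/ only."}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage_email(msg["sender"], msg["body"]))
```

The suffix match in `in_zone` is the part worth copying into a real resolver rule: it catches subdomains of the IOC domains without blocking unrelated names that merely contain the string.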

Sources & References

LastPass, "October 13 Phishing Campaign Leveraging LastPass Branding," blog.lastpass.com, October 13, 2025.
BleepingComputer, "LastPass warns of new phishing attack claiming they were hacked," bleepingcomputer.com, October 13, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

  • Threat Intelligence & Analysis
  • Security Orchestration (SOAR/XSOAR)
  • Incident Response & Digital Forensics
  • Security Operations Center (SOC)
  • SIEM & Security Analytics
  • Cyber Fusion & Threat Sharing
  • Security Automation & Integration
  • Managed Detection & Response (MDR)

Tags

LastPass, Phishing, Credential Theft, Social Engineering, MFA
