Don't click on the LastPass 'create backup' link - it's a scam
- Reference: 1769019033
- News link: https://www.theregister.co.uk/2026/01/21/lastpass_backup_phishing_campaign/
According to LastPass, the latest [1]phishing campaign began around January 19 with emails being sent from several addresses with multiple subject lines. All of these are about LastPass maintenance, and they all urge customers to back up their vaults within 24 hours.
"Please be advised that LastPass is NOT asking customers to backup their vaults in the next 24 hours," the company [2]said in a Monday security advisory.
"This is an attempt on the part of a malicious actor to generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails," the alert continued. "Please remember that no one at LastPass will ever ask for your master password."
LastPass vaults contain customers' most sensitive information - usernames, passwords, credit card details, and secure notes - protected by a single master password. This makes LastPass a constant target for criminals who can use these details for all sorts of financial and identity fraud.
Just two months ago, the password manager sounded the alarm on another phishing campaign asking users to [6]confirm that they aren't dead.
The emails were sent over the Martin Luther King Jr. holiday weekend in the US, and this timing reflects another trick that fraudsters use. Because many people have the day off work, there are likely fewer employees to report the scam, which usually helps postpone detection of the phishing campaign.
A screenshot of a January 20 phishing email includes a link purporting to allow customers to "create backup now." But instead of backing up their LastPass vault, it redirects victims first to group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf and then to mail-lastpass[.]com.
Instead of helping customers back up their vaults, however, clicking on the link redirects victims to a phishing site designed to [12]trick them into handing over that master password, potentially exposing the credentials stored in their LastPass vault.
"Rest assured, we are working with our third-party partners to have this domain taken down as soon as possible," LastPass said in its online advisory.
LastPass did not immediately respond to The Register's inquiries, including how many customers received phishing emails and fell victim to the scam. We will update this story when we receive a response.
The advisory also includes a list of malicious URLs and associated IP addresses, along with email addresses sending the phishes and subject lines - so check those out to help with threat hunting efforts. ®
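For the threat-hunting angle above, an added example (not code from The Register or LastPass): a small Python triage helper that applies the two tells the article describes, a link host that contains the brand name but is not the vendor's own registrable domain (mail-lastpass[.]com), and a first hop on an S3 bucket inside a brand-themed mail that demands action within a deadline. The legitimate apex domain, the regexes and the sample message bodies are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

BRAND = "lastpass"
LEGIT_DOMAINS = {"lastpass.com"}  # assumption: the vendor's real apex domain
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
URGENCY_RE = re.compile(r"within\s+\d+\s+hours|immediately|suspended", re.IGNORECASE)


def refang(text):
    """Undo the [.] / hxxp defanging analysts use so URLs parse normally."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Last two labels of the host; a real deployment should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """'legit' only when the registrable domain is the brand's own; a host that
    merely contains the brand string (mail-lastpass.com) is a lookalike."""
    host = urlparse(refang(url)).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if BRAND in host.replace("-", ""):
        return "lookalike"
    if host.endswith(".amazonaws.com"):
        return "cloud-bucket"  # first hop of the redirect chain the article describes
    return "other"


def triage(body):
    """Return (verdict, [(url, class), ...]) for one message body."""
    text = refang(body)
    findings = [(u, classify_url(u)) for u in URL_RE.findall(text)]
    classes = {c for _, c in findings}
    if "lookalike" in classes:
        return "block", findings
    if "cloud-bucket" in classes and BRAND in text.lower() and URGENCY_RE.search(text):
        return "review", findings
    return "ok", findings


# Constructed sample bodies (not real mail); the lookalike domain is the one named in the article.
MAIL_LOOKALIKE = "Back up your LastPass vault now: hxxps://mail-lastpass[.]com/backup"
MAIL_BUCKET = ("LastPass maintenance: create a backup within 24 hours.\n"
               "Create backup now: https://files-example.s3.eu-west-3.amazonaws.com/abc123")
MAIL_LEGIT = "Your LastPass account summary: https://www.lastpass.com/"
```

Running `triage` over a mailbox export and routing "block" and "review" verdicts to the SOC queue is the intended use; the heuristics are deliberately narrow so they stay cheap to explain to whoever reviews the hits.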
[1] https://www.theregister.com/2025/10/16/ai_makes_phishing_45x_more_effective/
[2] https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers
[6] https://www.theregister.com/2025/11/02/cyber_exec_pleads_guilty_to/
[12] https://www.theregister.com/2025/04/23/stolen_credentials_mandiant/
Re: I'm amazed this still works
It works because every company sends lots of genuine emails with links in them.
It works pretty often because said companies very often use third party link shorteners and worse.
Re: I'm amazed this still works
That's because their processes are badly designed and implemented.
Re: I'm amazed this still works
Well, yeah, and I still have to deal with the morons.
My local credit union (like a building society, I think?) sends out all sorts of crap from all sorts of non-related addresses, then wonders why they need 30 different notices on their front page that "email x is a scam".
Sorry but ‘Lastpass’? Is this the same company that suffered a breach a couple of years ago that coughed up all of their (admittedly encrypted) customer passwords a few years ago? Cough, rainbow tables, cough!
I didn’t realise that they were still going, I’d have thought they were about as welcome as a major syphilis outbreak. But then what would I know about how companies run?
Name one that hasn't and won't ever have such a breach. We'll wait.
The password manager's one weakness... the password.
I'm amazed this still works
After all, the rule is very simple and requires absolutely no knowledge whatsoever (even your old aunt can manage; mine does): Never ever click on a link sent in an email! Period.
If you suspect the message might be genuine, go by your own means (i.e. a bookmark) to your account and check for any relevant information.