
Attackers are abusing maintenance-themed alerts to steal master passwords from LastPass users.
Password managers remain in the middle of attackers’ crosshairs, largely because a single successful compromise can unlock access to dozens, or even hundreds, of online accounts. In a recent alert, LastPass warned users of a phishing campaign trying to exploit that reality by masquerading as an urgent maintenance notice.
The fraudulent emails claim that users must take immediate action ahead of scheduled service work. Recipients are told they need to back up their password vaults within a tight 24-hour timeframe, a common pressure tactic designed to override caution and prompt hasty clicks.
According to the company’s advisory, the campaign, which started circulating around Jan. 19, used multiple sender addresses and subject lines, all centered on alleged LastPass maintenance activity. This is a common technique used to bypass email filters and increase the likelihood of reaching inboxes.
The company emphasized that it is not asking users to perform emergency vault backups and reiterated a core security principle: legitimate LastPass communications will never ask for a master password. The emails are crafted to instill a sense of urgency, a hallmark of social engineering, rather than reflect any real critical situation.
The emails include a prominent “create backup” link that looks legitimate at first glance. Clicking it, however, sends victims through a chain of external domains before landing on a phishing page designed to harvest login credentials.
Rather than backing up anything, users who enter their master password risk exposing their entire data trove, including account credentials, payment details and sensitive notes. Such a level of access could immediately be weaponized for identity theft, account takeover or financial fraud.
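The three traits described above (an off-brand sender, urgency wording that asks for the master password, and a "create backup" link that hops through external domains before landing on a credential-harvesting page) are exactly what a mail-triage rule can score. The following Python is an added example, not code from the original post or from LastPass: it runs over two constructed sample emails and a constructed redirect table that stands in for the Location headers a URL sandbox would record, so nothing is fetched from the network. The allowlist, the regexes and the `.example` hostnames are all assumptions chosen for illustration.

```python
"""Triage heuristics for a brand-impersonation phishing email (added example).

All sample data below is constructed for illustration; the redirect table
simulates the hop-by-hop Location headers a detonation sandbox would log.
"""
import re
from urllib.parse import urlparse

# Assumption: the brand's legitimate sending/landing domains (placeholder).
LEGIT_DOMAINS = {"lastpass.com"}

# Urgency wording typical of "act within N hours" maintenance lures.
URGENCY_PATTERNS = [
    r"\b24[- ]hour", r"\bimmediate(ly)?\b", r"\bwithin \d+ hours?\b",
    r"\burgent\b", r"\bscheduled maintenance\b",
]
# Requests no legitimate vendor mail should make.
CREDENTIAL_PATTERNS = [r"\bmaster password\b", r"\bback ?up your vault\b"]


def sender_domain(from_header):
    """Extract the domain part of a From: header (display name ignored)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def is_legit_domain(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def resolve_chain(url, redirect_map, max_hops=10):
    """Follow a link through a recorded redirect table without fetching.

    max_hops bounds the walk so a redirect loop cannot hang the triage.
    """
    chain = [url]
    while chain[-1] in redirect_map and len(chain) <= max_hops:
        chain.append(redirect_map[chain[-1]])
    return chain


def score_email(msg, redirect_map):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    sd = sender_domain(msg["from"])
    if not is_legit_domain(sd):
        findings.append(f"sender domain {sd} not in allowlist")
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        findings.append("urgency language")
    if any(re.search(p, text) for p in CREDENTIAL_PATTERNS):
        findings.append("asks for master password / vault backup")
    for url in re.findall(r"https?://\S+", msg["body"]):
        url = url.rstrip(".,;)")
        hosts = [urlparse(u).hostname or "" for u in resolve_chain(url, redirect_map)]
        external = [h for h in hosts if not is_legit_domain(h)]
        if external:
            findings.append(
                f"link passes through {len(external)} non-brand host(s), lands on {hosts[-1]}"
            )
    return findings


# Constructed samples (not real campaign data).
PHISH = {
    "from": "LastPass Support <alerts@lastpass-maintenance.example>",
    "subject": "Urgent: scheduled maintenance - back up your vault within 24 hours",
    "body": "Enter your master password to create backup: https://notice.example/backup today.",
}
LEGIT = {
    "from": "LastPass <noreply@lastpass.com>",
    "subject": "Your monthly security digest",
    "body": "Read it at https://lastpass.com/digest whenever convenient.",
}
# Constructed redirect table: first hop -> tracker -> look-alike login page.
REDIRECTS = {
    "https://notice.example/backup": "https://track.example/r?x=1",
    "https://track.example/r?x=1": "https://lastpass-login.example/",
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_email(msg, REDIRECTS))
```

The redirect walk is the part worth keeping: scoring the first link in the mail alone would pass a tracker domain that looks harmless, while the final landing host is what reveals the look-alike login page.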
This is not the first time LastPass users have been targeted in this manner. Only weeks earlier, a phishing wave sought to trick recipients into confirming they were still alive. This recurring pattern could signal sustained interest from attackers.
Notably, the latest messages were sent during a US holiday weekend, a period when internal reporting and response may be slower. LastPass said it is working with partners to take down the malicious infrastructure and has shared indicators of compromise to support defensive efforts and threat hunting.
Tools like Bitdefender Scamio can help users quickly assess suspicious emails, links, messages, images or QR codes by analyzing shared content for common scam indicators. In campaigns built on urgency and brand impersonation, that extra moment of verification can prevent irreversible account compromise.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.