LastPass ‘create backup’ email is a phishing scam targeting your master password

Vlad CONSTANTINESCU

January 22, 2026

Attackers are once again using urgency and brand impersonation to go after one of the most valuable targets in a person’s digital life: their password manager. In this latest campaign, fake LastPass “maintenance” emails pressure users to click a backup link and hand over the one credential that could unlock everything else, the master password.

Key Takeaways

  • The phishing campaign uses fake LastPass maintenance alerts to pressure users into “backing up” their vaults within 24 hours.
  • The emails rely on classic social engineering, including urgency, multiple sender addresses, and varied subject lines to appear more credible and bypass filters.
  • The “create backup” button does not lead to a legitimate LastPass workflow, but instead routes victims through external domains to a credential-harvesting phishing page.
  • LastPass says legitimate communications will never ask for a master password, making any message that does so an immediate red flag.

Password managers are still top-tier targets

Password managers remain in the middle of attackers’ crosshairs, largely because a single successful compromise can unlock access to dozens, or even hundreds, of online accounts. In a recent alert, LastPass warned users of a phishing campaign trying to exploit that reality by masquerading as an urgent maintenance notice.

The fraudulent emails claim that users must take immediate action ahead of scheduled service work. Recipients are told they need to back up their password vaults within a tight 24-hour timeframe, a common pressure tactic designed to override caution and prompt hasty clicks.

How the phishing emails create urgency

According to the company’s advisory, the campaign, which started circulating around Jan. 19, used multiple sender addresses and subject lines, all centered on alleged LastPass maintenance activity. This is a common technique used to bypass email filters and increase the likelihood of reaching inboxes.

The company emphasized that it is not asking users to perform emergency vault backups and reiterated a core security principle: legitimate LastPass communications will never ask for a master password. The emails are crafted to instill a sense of urgency, a hallmark of social engineering, rather than reflect any real critical situation.

The emails include a prominent “create backup” link that looks legitimate at first glance. Clicking it, however, sends victims through a chain of external domains before landing on a phishing page designed to harvest login credentials.
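The three traits described above (a brand named in a message that comes from an unrelated sender domain, urgency cues such as a "within 24 hours" deadline, and a call-to-action link that hops through intermediate domains before landing off-brand) are all checkable from the message itself. The script below is an added illustration of that triage, not code from Bitdefender or LastPass. The sample email, the sender address and the redirect chain are constructed placeholders on .invalid domains and are not indicators from the real campaign; the set of legitimate brand domains and the "last two labels" domain approximation are simplifying assumptions, and the redirect chain is resolved from an offline lookup table rather than live HTTP requests.

```python
"""Heuristic triage of a suspected brand-impersonation phishing email.

Added example, not Bitdefender or LastPass code. Every address, URL and
redirect hop below is a constructed placeholder, not a real indicator.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

BRAND = "lastpass"
# Assumption for this example: the only domain the brand legitimately uses.
BRAND_DOMAINS = {"lastpass.com"}

# Pressure-tactic phrases of the kind the advisory describes.
URGENCY_PATTERNS = [
    r"\bwithin\s+\d+\s*hours?\b",
    r"\bimmediate(?:ly)?\b",
    r"\burgent\b",
    r"\bmaster\s+password\b",
]
MAX_HOPS = 10

# Constructed sample message (placeholder .invalid domains only).
SAMPLE_EMAIL = """\
From: LastPass Maintenance <alerts@notify-service.invalid>
Subject: Scheduled maintenance: create a backup of your vault within 24 hours
Content-Type: text/html

<html><body>
<p>Due to scheduled LastPass maintenance, your vault must be backed up within 24 hours.</p>
<p><a href="https://redirect.example.invalid/go?u=abc">Create backup</a></p>
</body></html>
"""

# Constructed redirect chain for the sample link; stands in for live HTTP requests.
# Maps URL -> (status code, Location header or None).
SAMPLE_REDIRECTS = {
    "https://redirect.example.invalid/go?u=abc": (302, "https://track.example.invalid/c/123"),
    "https://track.example.invalid/c/123": (302, "https://vault-backup-portal.invalid/login"),
    "https://vault-backup-portal.invalid/login": (200, None),
}


def offline_fetch(url):
    """Stand-in for an HTTP request: returns (status, location) from the table above."""
    return SAMPLE_REDIRECTS.get(url, (200, None))


def registrable_domain(host):
    """Crude last-two-label approximation of a registrable domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(from_header):
    """Extract the domain from a 'Display Name <user@domain>' From header."""
    m = re.search(r"<([^>]+)>", from_header or "")
    addr = m.group(1) if m else (from_header or "").strip()
    return registrable_domain(addr.rsplit("@", 1)[-1])


def extract_links(html):
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)


def follow_redirects(url, fetch, max_hops=MAX_HOPS):
    """Return the hostnames visited, starting with the link itself, bounded by max_hops."""
    hops = []
    for _ in range(max_hops):
        hops.append(urlparse(url).hostname or "")
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = location
            continue
        break
    return hops


def assess_email(raw, fetch=offline_fetch):
    """Score one RFC 822 message; returns verdict, sender domain and the findings behind it."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('From', '')}\n{subject}\n{body}".lower()
    findings = []

    from_domain = sender_domain(msg.get("From", ""))
    if BRAND in text and from_domain not in BRAND_DOMAINS:
        findings.append(f"brand mentioned but sender domain is {from_domain}")

    for pat in URGENCY_PATTERNS:
        if re.search(pat, text):
            findings.append(f"urgency cue: /{pat}/")

    for link in extract_links(body):
        hops = follow_redirects(link, fetch)
        if registrable_domain(hops[-1]) not in BRAND_DOMAINS:
            findings.append(f"link lands off-brand after {len(hops) - 1} redirect(s): {' -> '.join(hops)}")

    verdict = "likely phishing" if len(findings) >= 2 else ("needs review" if findings else "no indicators")
    return {"verdict": verdict, "from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    result = assess_email(SAMPLE_EMAIL)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Resolving the redirect chain is done through an injected `fetch` callable so the check runs offline; in a real mail-gateway or SOC workflow that callable would be replaced by a sandboxed HTTP client, and the hop list it returns is exactly the kind of detail worth keeping in the ticket, since the intermediate domains are often reused across campaigns.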

Rather than backing up anything, users who enter their master password risk exposing their entire data trove, including account credentials, payment details and sensitive notes. Such a level of access could immediately be weaponized for identity theft, account takeover or financial fraud.

Timing and repetition could mark a pattern

This is not the first time LastPass users have been targeted in this manner. Only weeks earlier, a phishing wave sought to trick recipients into confirming they were still alive. This recurring pattern could signal sustained interest from attackers.

Notably, the latest messages were sent during a US holiday weekend, a period when internal reporting and response may be slower. LastPass said it is working with partners to take down the malicious infrastructure and has shared indicators of compromise to support defensive efforts and threat hunting.

Protecting yourself from password manager phishing scams

Tools like Bitdefender Scamio can help users quickly assess suspicious emails, links, messages, images or QR codes by analyzing shared content for common scam indicators. In campaigns built on urgency and brand impersonation, that extra moment of verification can prevent irreversible account compromise.

Frequently asked questions (FAQ)

Is LastPass no longer trusted?

That depends on the user, but it is fair to say LastPass has faced a significant trust problem since its 2022 breach disclosures. The controversy centered on stolen customer vault backups and related customer data, which pushed many users and security observers to re-evaluate the service. LastPass, for its part, says it has since made major security changes and continues to position itself as a secure password manager.

Did LastPass warn customers about phishing emails asking them to create backups?

Yes. LastPass explicitly warned customers in January 2026 about an active phishing campaign using fake “backup your vault” messages and stressed that it was not asking users to create backups within 24 hours. The company described the emails as a social engineering attempt designed to generate urgency and steal credentials.

What is the LastPass controversy?

The main LastPass controversy refers to the 2022 security incidents and their aftermath. Attackers first accessed LastPass’s development environment, and later the company disclosed that threat actors had also obtained a backup containing customer vault data and other sensitive information. The fallout was especially serious because even though vault passwords were encrypted, stolen vault copies can still be targeted offline if a user’s master password is weak.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
