Scams & Phishing News LastPass, Bitwarden users targeted with fake security alerts

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,052
5,623
2,168
Germany
LastPass is warning users about an ongoing phishing campaign that is using fake security notices to direct them to fraudulent websites.

The phishing emails are crafted to resemble legitimate corporate communications, notifying recipients of updated security policies and directing them to a landing page that impersonates DocuSign and claiming to provide a document for review.

LastPass emphasizes that its systems have not been compromised and that the phishing emails did not originate from its infrastructure, despite the attackers using domains designed to appear as legitimate company services.

The emails sent from ‘hello@lastpassnewsletter.com’ notify the user of alleged service policy changes in LastPass, including enhanced SaaS monitoring, master password reset options for administrators, and admin console improvements.
Read more:
 
Read more:
Important phishing warning

This campaign appears designed to exploit trust in familiar security and document-signing brands. The use of a domain such as hello@lastpassnewsletter.com does not prove that the message came from LastPass; attackers can use lookalike domains, compromised mailboxes, or sender spoofing.

Recipients should:

  • Avoid clicking links or opening attachments in the message.
  • Access LastPass, Bitwarden, or DocuSign by entering the known official address manually or using a trusted bookmark.
  • Check the complete link destination before visiting it. A page displaying a legitimate logo is not proof of authenticity.
  • Report and delete the message after preserving it as evidence if required.
  • If credentials were entered, immediately change the affected password from the genuine service website, revoke active sessions, review account activity, and enable or reset multifactor authentication where appropriate.
  • If a master password or other sensitive information was submitted, treat the account as potentially compromised and review other accounts that may have reused that password.

A legitimate provider’s systems not being compromised does not make the campaign harmless; the main risk is users voluntarily submitting credentials to an attacker-controlled website. The safest approach is to avoid email links for security or account-policy notices and verify them through the provider’s official website or support channels.