The news just keeps getting worse for LastPass and its customers. LastPass recently announced that it is requiring all users to change their Master password to at least 12 characters. This requirement has supposedly been in place since 2018, but some undisclosed number of users were never required to increase their Master password to at least 12 characters.
Since the major LastPass breach in November 2022 where hackers stole password vaults for more than 25 million users, a steady trickle of six-figure cryptocurrency heists throughout the tech industry has led some security experts to conclude that hackers have likely succeeded at cracking open some stolen LastPass vaults.
Now comes the news that hackers have launched waves of malicious phishing emails targeting users of LastPass. Last week, LastPass warned users about the threat, saying that the first wave of phishing emails began on September 13th.
The phishing emails look like they come from LastPass and ask the recipient to update their personal information immediately or risk having certain features deactivated. But the emails are fake: look closely and you will see they come from the domain “email@example.com[.]th.”
Still, the phishing email looks convincing enough to potentially trick some users into clicking a link embedded in the message. Doing so leads to a hacker-controlled login site at “customer-lastpass[.]su” that appears designed to capture any password and multi-factor authentication codes submitted to it.
Antivirus provider Malwarebytes initially warned the public about the phishing threat on Sept. 14. LastPass says it also partnered with PhishLabs to disrupt the attacks by requesting that website providers shut down the internet domains powering the phishing campaign.
“Unfortunately, the threat actors materialized again on September 19th when a similar subdomain for the credential phishing site was registered, and several new domains for the phishing emails were leveraged,” LastPass says.
In other words, users should be careful when opening any emails that seem to come from LastPass. Use the SLAM method (check the Sender, Links, Attachments, and Message) to spot phishing emails. You can also hover your mouse over each link in the email before clicking it, which reveals the web address it actually points to. Emails asking you to submit sensitive information are an immediate red flag that something is off.
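The sender and link checks described above can be automated for a mail gateway or a help-desk triage script. The following is an added example written for this article; it is not code from LastPass, Malwarebytes or PhishLabs. The allowlist `LEGIT_DOMAINS`, the two sample messages and every domain in them (all under the reserved `.invalid` TLD or `lastpass.com`) are constructed for illustration, and the `registrable()` helper is a deliberate simplification of eTLD+1 extraction.

```python
"""Heuristic phishing checks on an email: does the sender domain match the brand
it claims to be, does each link's visible text match where it really points
(the "hover" check), and does the body use pressure language?
Added example; sample messages, domains and allowlist are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of domains the genuine brand sends from and links to.
LEGIT_DOMAINS = {"lastpass.com"}
# Pressure phrases typical of credential phishing lures.
URGENCY_PHRASES = ("immediately", "deactivated", "within 24 hours", "suspended")

# Constructed lure resembling the campaign described in the article (.invalid TLD).
PHISH_SAMPLE = """\
From: LastPass Support <security@lastpass-alerts.invalid>
To: user@example.com
Subject: Action required: update your account information
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Update your personal information immediately or certain features will be deactivated.</p>
<p><a href="https://customer-lastpass.invalid/login">https://lastpass.com/account</a></p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_SAMPLE = """\
From: LastPass <noreply@lastpass.com>
To: user@example.com
Subject: Your monthly account summary
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Review your account settings at your convenience.</p>
<p><a href="https://lastpass.com/account">Your account</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels). A production check should use the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_url(url):
    return registrable(urlparse(url).hostname or "")


def html_body(msg):
    """Return the first text/html part, decoded, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    return ""


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender_domain not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not an allowlisted brand domain")
    body = html_body(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = domain_of_url(href)
        if target not in LEGIT_DOMAINS:
            findings.append(f"link {href!r} points at {target!r}")
        # The hover check: visible text shows one URL, the href goes somewhere else.
        if text.startswith("http") and domain_of_url(text) != target:
            findings.append(f"link text {text!r} hides target {target!r}")
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase {phrase!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, analyze(sample) or "no findings")
```

The three signals are independent, so a message with a spoofed display name but a genuine link, or a genuine sender with a hidden link target, still produces a finding; in practice the sender check should be complemented by SPF/DKIM/DMARC results from the receiving mail server rather than the From header alone.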
Those who want to report a suspicious email can forward it to firstname.lastname@example.org.