Don’t click on the LastPass ‘create backup’ link – it’s a scam
Summary
LastPass has warned customers about a phishing campaign that began around 19 January 2026 and urges users to ‘create backup’ of their vaults within 24 hours ahead of supposed maintenance. The emails manufacture urgency and redirect victims to malicious domains that try to capture master passwords; no backup is ever performed.
LastPass emphasises it will never ask for your master password and is working with partners to take down the malicious domains. The company published a security advisory listing malicious URLs, IP addresses, sender addresses and subject lines to aid detection and response.
Key Points
- Attackers are sending fake LastPass maintenance emails asking users to ‘create backup’ within 24 hours.
- Clicking the link first redirects to a malicious S3-hosted path and then to mail-lastpass[.]com, which is a phishing site designed to harvest master passwords.
- LastPass explicitly states it will never request your master password via email.
- The campaign started around 19 January and used holiday timing (US Martin Luther King Jr. weekend) to delay detection.
- LastPass published an advisory with malicious URLs, IP addresses and sender details to help organisations and defenders hunt and block the campaign.
Why should I read this?
Because if you use LastPass (or any password manager), this is the kind of scam that can hand attackers the keys to everything. In short: don’t freak out, don’t click the link, and don’t paste your master password into any page that turned up from an email. Read the details so you know what the phish looks like and how to spot it.
Context and Relevance
Password managers are high-value targets: one stolen master password can expose logins, cards and secure notes. This campaign is part of a broader trend of more sophisticated phishing (including AI-assisted scams) combined with opportunistic timing, such as holiday weekends, to reduce early reporting.
Organisations should add the listed malicious URLs and IPs to blocklists, remind users that LastPass will never ask for master passwords, and encourage verification via official channels. Enabling strong account protections (unique master passwords, hardware MFA where supported) reduces risk if a credential is phished.
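As an added illustration of the blocklist-and-hunt step described above (this is example code, not code from LastPass or from its advisory), the script below refangs defanged indicators and runs them over constructed proxy and mail-gateway log lines. The only indicator taken from this page is the phishing domain mail-lastpass[.]com; the IP address, the sender address, the log lines and the two-phrase subject threshold are assumptions chosen for the example, and a real deployment would load the advisory's full indicator list instead.

```python
"""Match proxy and mail-gateway log lines against defanged phishing indicators.

Added example, not LastPass's code. The only indicator taken from the page is
the phishing domain mail-lastpass[.]com; the IP, sender address and log lines
below are constructed placeholders so the script runs offline.
"""
import re
from urllib.parse import urlparse

# Defanged indicators in the form an advisory typically publishes them.
DEFANGED_INDICATORS = {
    "domains": ["mail-lastpass[.]com"],                     # from the page
    "ips": ["203.0.113[.]10"],                              # PLACEHOLDER (RFC 5737 TEST-NET)
    "senders": ["noreply@lastpass-maintenance[.]invalid"],  # PLACEHOLDER
}

# Lure phrases reported for the campaign: urgency plus a fake maintenance pretext.
SUBJECT_PHRASES = ("create backup", "within 24 hours", "maintenance")


def refang(indicator):
    """Reverse common defanging ('[.]', 'hxxp://') so indicators can be compared."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .strip().lower())


def load_indicators(defanged):
    """Refang every indicator and keep them as sets for O(1) membership tests."""
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


def host_matches(host, iocs):
    """Return the matching indicator if host is a listed IP, domain, or subdomain of one."""
    host = host.lower().rstrip(".")
    if host in iocs["ips"]:
        return host
    for domain in iocs["domains"]:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(lines, iocs):
    """Proxy lines are 'timestamp user url'. Return (line_no, url, indicator) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        host = urlparse(url).hostname or ""
        matched = host_matches(host, iocs)
        if matched:
            hits.append((n, url, matched))
    return hits


SENDER_RE = re.compile(r"from=<([^>]+)>")
SUBJECT_RE = re.compile(r'subject="([^"]*)"')


def scan_mail_log(lines, iocs):
    """Mail-gateway lines carry from=<addr> and subject="...". Return (line_no, reason) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        sender = SENDER_RE.search(line)
        subject = SUBJECT_RE.search(line)
        sender = sender.group(1).lower() if sender else ""
        subject = subject.group(1).lower() if subject else ""
        if sender in iocs["senders"]:
            hits.append((n, "sender matches indicator " + sender))
            continue
        phrases = [p for p in SUBJECT_PHRASES if p in subject]
        # Two or more lure phrases together is the campaign's signature; one alone is too noisy.
        if len(phrases) >= 2:
            hits.append((n, "subject contains lure phrases: " + ", ".join(phrases)))
    return hits


# Constructed sample logs (not real traffic).
PROXY_LOG = [
    "2026-01-20T09:12:01Z alice https://www.lastpass.com/",
    "2026-01-20T09:15:44Z bob https://mail-lastpass.com/login?u=bob",
    "2026-01-20T09:16:02Z bob https://203.0.113.10/verify",
    "2026-01-20T09:17:30Z carol https://docs.example.org/page",
]
MAIL_LOG = [
    'Jan 20 08:59:10 mx1 postfix/cleanup: from=<newsletter@example.org> subject="Weekly digest"',
    'Jan 20 09:10:05 mx1 postfix/cleanup: from=<noreply@lastpass-maintenance.invalid> subject="Scheduled maintenance"',
    'Jan 20 09:11:42 mx1 postfix/cleanup: from=<it-support@example.net> subject="Create backup within 24 hours before maintenance"',
    'Jan 20 09:20:00 mx1 postfix/cleanup: from=<hr@example.org> subject="Backup your timesheet"',
]

if __name__ == "__main__":
    iocs = load_indicators(DEFANGED_INDICATORS)
    for hit in scan_proxy_log(PROXY_LOG, iocs):
        print("proxy", hit)
    for hit in scan_mail_log(MAIL_LOG, iocs):
        print("mail", hit)
```

The domain match deliberately covers subdomains of a listed domain but not look-alike hosts that merely contain it, and the subject heuristic fires only when two lure phrases co-occur, so a legitimate "backup" notice does not trigger it. Proxy hits map to the redirect chain the advisory describes (the landing page plus any listed IP), so a hit for a user is a prompt to check whether a master password was entered and to rotate it.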
