New phishing campaign hits LastPass, Bitwarden users – password manager customers warned not to fall for this scam

new-phishing-campaign-hits-lastpass,-bitwarden-users-–-password-manager-customers-warned-not-to-fall-for-this-scam
New phishing campaign hits LastPass, Bitwarden users – password manager customers warned not to fall for this scam
Fraude en ligne phishing
Image Credit: Shutterstock (Image credit: wk1003mike / Shutterstock)

  • Attackers are spoofing LastPass and Bitwarden with phishing emails from fake newsletter domains, tricking users into signing bogus DocuSign documents
  • Victims are redirected to malicious “compliance” domains flagged by Microsoft Defender and Cloudflare, already taken offline
  • Neither password manager was breached; this is domain spoofing, and users are urged to verify sender addresses and domains before clicking links

Criminals have been found impersonating popular password managers LastPass and Bitwarden online in an attempt to trick users into sharing their login credentials, and thus access to a treasure trove of passwords and other secrets.

LastPass recently issued a warning to its customers, raising awareness of the ongoing phishing campaign.

However the scam also now seems to have spread to other password managers, with Bitwarden customers also apparently being targeted.

Passwords are safe

In the campaign, LastPass users received emails from the address “hello@lastpassnewsletter.com”.

This address does not belong to LastPass, and is in no way affiliated with the password manager. In the message, the victims are told that the company’s security policies have been updated, and that they should navigate to a specific landing page and sign a DocuSign document.

The email comes with a ‘Review & Access Terms’ button which, if clicked, redirects the victims to lastpasscompliance[dot]com, yet another domain unaffiliated with the password management platform.

BleepingComputer claims this domain has already been flagged as malicious by both Microsoft Defender for Office 365, and Cloudflare and is currently offline.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Digging deeper, the journalists uncovered another campaign, almost identical, but now targeting Bitwarden users. In this case, the victims were being mailed from the “hello@bitwardennewsletter.com” addresses and were being redirected to bitwardencompliance[dot]com. Identical methodology, just slightly personalized.

It is important to note that neither LastPass nor Bitwarden were compromised as part of this attack.

The companies’ infrastructure is intact, and the passwords are safe. This is a typical domain spoofing attack in which the crooks purchase a domain similar to the legitimate one, in hopes that the victims won’t spot the difference.

As usual, the best course of action is to always be skeptical of incoming emails, and to double-check the domains and email addresses from which they are sent. It is also good to cross-reference these emails with any older messages that are proven to be authentic, to see if the domains and addresses match.


Best antivirus software header

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Leave a Reply

Your email address will not be published. Required fields are marked *