Don’t miss out on our latest stories. Add PCMag as a preferred source on Google.
Hackers are now taking advantage of LastPass’s after-death account handover procedures to dupe people into handing over their login details.
The campaign started in mid-October, according to cybersecurity publication Bleeping Computer, and may be linked to cybercrime group CryptoChameleon, which has previously targeted FCC employees.
LastPass, like many of its competitors, offers a feature allowing account holders to designate trusted relatives—for example, a spouse—to request emergency access to their account after they die, preserving access to things like vital work accounts, banking, or social media.
When a post-death access request is opened, the account owner then receives an email. After a waiting period expires, access is automatically granted to the deceased’s trusted contact.
Now, users are receiving fabricated emails informing them of post-death legacy requests to take over their accounts, prompting them to cancel the request. When users click the malicious link in the email, they’re redirected to a fraudulent page on lastpassrecovery[.]com, where they’re asked to enter their master password.
(Credit: LastPass)
LastPass told Bleeping Computer that, in some cases, members of the hacking group called victims while posing as LastPass employees and told them to enter their credentials on the phishing site.
We’ve seen LastPass users become the target of plenty of creative scam attempts over the past few years. Last year, it warned users to be on guard against AI-generated spam calls impersonating their boss and deep-faking their voice. Many of the campaigns have been more classic—for example, earlier this year, a wave of fake GitHub pages appeared for LastPass, with hackers using SEO tactics on Google and Bing to boost the illegitimate pages.
Recommended by Our Editors
LastPass’s own defenses have also been breached in recent years.
In 2022, LastPass lost a copy of customers’ encrypted password data to a hacker, who looted the information by copying a “backup of customer vault data” from an encrypted storage container during the intrusion.
The company said the breach revealed data such as “website usernames and passwords, secure notes, and form-filled data,” as well as unencrypted website URLs.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.
Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Experience
I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.
I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.
Read Full Bio
