LastPass, a popular password manager, has been hit by a massive phishing scam where hackers have been tricking users into sharing their passwords by impersonating LastPass employees.

The new phishing campaign was first identified by cybersecurity firm Lookout which found that hackers were using the CryptoChameleon phishing kit in their latest attack.

This phishing kit is quite popular amongst cyber criminals and has already been used in a few crypto attacks. A joint international cooperation recently nabbed LabHost – a platform that sold similar kits to cyber criminals.

One of LabHost’s main services was to help hackers create a fake website that looked just like the legitimate one so that users could be tricked into entering their login credentials. That’s exactly what happened in this scenario with LastPass.

As LastPass mentioned in its official blog, it found a parked domain (help-lastpass[.]com) and immediately started monitoring it in case the site went live. As it happened, the site did go live and started attacking LastPass users. The company then immediately worked with its vendors and took it down.

Important Note: We at TechReport value our readers’ privacy, which is why we’ve removed LastPass from our list of the We at TechReport value our readers’ privacy, which is why we’ve removed LastPass from our list of the best password managers , at least from the time being until the company makes amendments.

How the Attackers Affected LastPass Users?

The majority of LastPass customers who were affected by this attack were hit by a scam call. This is how it all went down:

They got a call from an "888" number that informed them that their LastPass account had been accessed from a different device. They could press "1" to allow access or "2" to block it.

In case the user chose "2" which was usually the case, they would receive a call from someone (typically with an American accent) in order to proceed. The caller posed as a customer representative from LastPass.

The second caller then sends them an email saying they can use it to reset their account access. This email directed them to the "help-lastpass[.]com" fake site where the victim was tricked into sharing their master password.

Once the master password is shared, the hacker changes all of the settings, takes control of the account, and locks out the original account owner.

What Is LastPass Doing to Handle the Issue?

As mentioned, LastPass has already taken down the fake website. However, since the initial phishing kit still retains the LastPass branding, the password manager has asked to report all calls, emails, and texts that come in its name to [email protected].

The company also clarified that no LastPass employee will ever ask users for their master password. So, if you get a call from someone requesting your master password, immediately report it to the above-mentioned email address.

As an extra layer of protection:

Always be cautious of shady emails and calls

Don't click on unknown links

Don't download files from unknown users

Don't share confidential details with random callers

Turning on two-factor authentication will also help

Apart from that, LastPass has pledged to continue working until it can restore a safe environment for its users.

Second Attack on LastPass This Month

In a separate attack earlier this month, an employee from LastPass received a series of texts, calls, and a voicemail featuring a deepfake of LastPass CEO’s voice.

Posing as CEO Karim Toubba, the hackers tried to reach the employee on WhatsApp. However, it’s not the usual communication channel for the company. Plus, there were a few other signs, such as fake urgency, that made the employee suspicious.

So, the employee ignored those texts and reported the incident to the company’s internal security team who then took care of the issue.

Following this, LastPass shared the details of this incident, along with some other examples to raise awareness about the use of deepfake in scams.