[Diagram: Fake email → Phishing lure → Clone login → Credential harv… → Vault stolen → Master password… → Response: Verify sender +…]

LastPass phishing attack January 2026: What to do if you got the email

LastPass users are being targeted by a sophisticated phishing campaign. Learn how to identify fake 'backup your vault' emails, what to do if you clicked, and how to protect your passwords.

Tags: security, lastpass, phishing, breach-response, password-security

If you use LastPass, check your inbox. A sophisticated phishing campaign that started on January 19, 2026 is targeting LastPass customers with fake "backup your vault" emails designed to steal your master password.

Here's how to identify the fake emails, what to do if you clicked, and how to protect your accounts going forward.

What the phishing emails look like

The fake emails are designed to create urgency. According to Malwarebytes, the scam emails:

  • Claim LastPass is performing "scheduled maintenance"

  • Warn that you'll lose access to your vault if you don't act within 24 hours

  • Ask you to "create a local backup" of your passwords

  • Include a link to a fake LastPass login page

The key red flag: LastPass has confirmed they are NOT asking customers to back up their vaults. Any email claiming otherwise is fraudulent.

How to tell if an email is fake

Check these elements before clicking anything:

Sender address

Real LastPass emails come from @lastpass.com domains. The phishing emails come from lookalike domains or compromised email accounts.

Urgency tactics

Legitimate companies don't threaten account deletion within 24 hours. This artificial urgency is a classic phishing technique designed to make you act before you think.

The link destination

Hover over any link (don't click). Real LastPass links go to lastpass.com; check that the domain is lastpass.com itself or a subdomain of it, not merely that the name appears somewhere in the address. The phishing links redirect to fake sites designed to capture your master password.

Grammar and formatting

While these particular phishing emails are well-crafted, look for subtle inconsistencies in formatting, spacing, or language that differ from typical LastPass communications.
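The sender and link checks above can be applied mechanically. The following is an added example, not code from the original post or from LastPass, that tests a From: header and the link targets in a message against the lastpass.com domain, rejecting the usual lookalikes (lastpass.com.evil.example, userinfo tricks like lastpass.com@evil.example, and a lastpass.com address placed in the display name). The sample headers and URLs are constructed.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# The only domain the page says genuine LastPass mail and links use.
LEGIT_DOMAIN = "lastpass.com"

def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it;
    'lastpass.com.evil.example' and 'lastpass-login.example' both fail."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def link_host(url: str) -> Optional[str]:
    """Hostname a browser would actually connect to, or None for non-web schemes."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, mailto: links are never a login page
    # .hostname drops userinfo and port, so 'https://lastpass.com@evil.example/'
    # yields 'evil.example', which is where the click really goes.
    return parts.hostname

def link_is_legit(url: str) -> bool:
    host = link_host(url)
    return host is not None and host_belongs_to(host, LEGIT_DOMAIN)

def sender_address(from_header: str) -> str:
    """Address part of a From: header. The display name before '<' is free text
    and often carries a fake lastpass.com address, so only the <...> part counts."""
    header = from_header.strip()
    if "<" in header and header.endswith(">"):
        return header[header.rfind("<") + 1:-1].strip()
    return header

def sender_is_legit(from_header: str) -> bool:
    addr = sender_address(from_header)
    if addr.count("@") != 1:
        return False
    return host_belongs_to(addr.split("@")[1], LEGIT_DOMAIN)

def triage(from_header: str, links: List[str]) -> dict:
    """Constructed helper: summarise both checks for one message."""
    return {"sender_ok": sender_is_legit(from_header),
            "suspicious_links": [u for u in links if not link_is_legit(u)]}
```

A From: header can be forged outright, so a passing sender check only means something together with the mail provider's SPF/DKIM/DMARC results; a failing link check is conclusive on its own.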

What to do if you received the email

If you didn't click

  1. Delete the email - Don't click any links or download any attachments

  2. Report it - Forward the email to abuse@lastpass.com before deleting

  3. Stay alert - The campaign is ongoing, so you may receive more attempts

If you clicked but didn't enter your password

  1. Close the tab immediately - Don't enter any information

  2. Clear your browser cache - Some phishing sites install tracking cookies

  3. Run a malware scan - Just in case

If you entered your master password

This is a critical situation. Your entire password vault may be compromised.

  1. Change your LastPass master password immediately - Use a completely new, unique password

  2. Enable two-factor authentication if you haven't already

  3. Change passwords for your most critical accounts:

    • Email (this is your recovery method for everything else)
    • Banking and financial accounts
    • Work/business accounts
    • Social media

  4. Check for unauthorized access - Review LastPass's security dashboard for unusual login locations or devices

  5. Consider migrating - After two major breaches and now targeted phishing, many security experts recommend moving to a different password manager

Why LastPass keeps getting targeted

This isn't LastPass's first security crisis. The company suffered a major breach in 2022 that exposed encrypted password vaults for millions of users. That breach has led to:

  • Ongoing cryptocurrency theft - TRM Labs traced $35 million in stolen crypto directly to decrypted LastPass vaults

  • A £1.2 million fine from the UK's ICO - Regulators found LastPass failed to implement adequate security measures

  • Continued targeting - Attackers know LastPass users have valuable credential data

The 2022 breach was caused by an employee's compromised home computer, which allowed attackers to access development systems and eventually steal encrypted vault data. While the vaults were encrypted, weak master passwords have allowed attackers to decrypt them over time.

How to migrate away from LastPass

If you've decided to switch password managers, here's how to export your data:

  1. Log into LastPass via a desktop browser (not the mobile app)

  2. Go to Account Settings → Advanced Options

  3. Select "Export" under Manage Your Vault

  4. Enter your master password to confirm

  5. Save the CSV file to your computer

  6. Import into your new password manager - Most managers (1Password, Bitwarden, etc.) have a LastPass import option

Important: Your exported CSV file contains all your passwords in plain text. Delete it securely after importing, and never email it or store it in cloud storage.

The bigger problem: Password rotation

Whether you stay with LastPass or migrate, you still face the same challenge: you probably need to change dozens of passwords.

After any breach or phishing incident, security experts recommend changing passwords for:

  • Any account that used a compromised password
  • Any account with password reuse
  • All high-value accounts (email, banking, work)

Doing this manually takes hours. Most people start strong, change 5-10 passwords, and then give up—leaving themselves vulnerable.
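Deciding which of those dozens of passwords to change first can be done from the CSV export described in the migration steps. The script below is an added example, not code from the original post or from Dosel: it reads an export, groups sites that share a password, and orders the reused and high-value accounts (email, banking, work) ahead of everything else. The column layout is assumed from LastPass's export format, the rows and passwords are constructed, and the report keys reused passwords by a truncated hash so it never contains plaintext.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the column layout of a LastPass CSV export (assumed;
# older exports lack the "totp" column). Passwords here are made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice,Hunter2!,,,Personal email,Email,1
https://bank.example.com,alice,Hunter2!,,,My bank,Banking,0
https://forum.example.org,alice,Hunter2!,,,Forum,Misc,0
https://shop.example.net,alice,uniquePass-91,,,Shop,Misc,0
https://work.example.com,alice,W0rk-only-pw,,,Work SSO,Work,0
"""

# Keywords marking the account types the page says to rotate first.
HIGH_VALUE = ("mail", "bank", "work")

def load_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def site_of(entry):
    url = entry.get("url", "")
    return (urlsplit(url).hostname or url).lower()

def reuse_groups(entries):
    """Sites sharing a password, keyed by a short SHA-256 so the report
    can be written down without copying plaintext passwords into it."""
    groups = defaultdict(list)
    for e in entries:
        if e.get("password"):
            key = hashlib.sha256(e["password"].encode()).hexdigest()[:12]
            groups[key].append(site_of(e))
    return {k: sites for k, sites in groups.items() if len(sites) > 1}

def rotation_order(entries):
    """Sites to change first: a reused password weighs 2, a high-value site 1;
    sites with neither are left out of the list."""
    reused = {s for sites in reuse_groups(entries).values() for s in sites}
    scored = []
    for e in entries:
        site = site_of(e)
        label = (e.get("name", "") + " " + e.get("grouping", "") + " " + site).lower()
        score = 2 * (site in reused) + any(k in label for k in HIGH_VALUE)
        if score:
            scored.append((-score, site))
    return [site for _, site in sorted(scored)]
```

Run it against the real export only on the machine where the file already sits, and delete the CSV afterwards as the migration section advises.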

Automate your password rotation

This is exactly the problem we built Dosel to solve. Instead of manually logging into 50+ websites and clicking through password change flows, our AI agent does it for you:

  1. Import your passwords from any manager (including LastPass)

  2. Select which accounts to update - prioritize critical accounts first

  3. Let the AI handle it - our browser automation navigates each site and changes passwords automatically

  4. Export your new credentials - import them back into your password manager of choice

The entire process runs locally on your Mac. Your passwords never leave your machine and never touch our servers.

Download Dosel (5 free automated password changes per month).

Frequently asked questions

Is LastPass safe to use anymore?

That depends on your risk tolerance. LastPass has suffered multiple security incidents, and the 2022 breach is still causing problems years later. Many security professionals have migrated away. If you stay, ensure you have a strong, unique master password and two-factor authentication enabled.

What password manager should I switch to?

For most users, we recommend Bitwarden (free, open-source, zero-knowledge) or 1Password (premium features, excellent security). Both have proven track records and haven't suffered comparable breaches. See our full comparison guide.

How do I know if my vault was compromised in the 2022 breach?

If you had a LastPass account before December 2022, your encrypted vault data was likely stolen. The risk depends on your master password strength. If it was weak or reused, your vault may have already been decrypted.

Should I change all my passwords?

After a phishing attempt where you entered credentials, yes—at minimum change passwords for critical accounts. If you suspect broader compromise, change everything. This is where automation helps: manually changing 100+ passwords takes hours, but with Dosel, it takes minutes per account.

Stay protected

The LastPass phishing campaign is a reminder that password security requires ongoing vigilance. Whether you stay with LastPass or migrate:

  1. Use a strong, unique master password - at least 16 characters

  2. Enable two-factor authentication everywhere

  3. Don't reuse passwords across accounts

  4. Rotate passwords regularly - especially after breaches

  5. Stay skeptical of urgent emails - legitimate companies don't threaten 24-hour deadlines

If you need to rotate passwords quickly, Dosel can help you update dozens of accounts in a fraction of the time it would take manually.

Download Dosel (free for Mac, 5 automated password changes per month).
