Cybercriminals Pose as LastPass Staff to Hack Password Vaults

LastPass has disclosed details of a campaign targeting its customers using the CryptoChameleon phishing kit. CryptoChameleon is a phishing-as-a-service that enables threat actors to easily generate fake SSO or other login sites impersonating the legitimate sites of companies to steal credentials and other information that can be used for authentication. This phishing kit was discovered earlier this year targeting mainly cryptocurrency platforms like Binance, Coinbase, Kraken, etc. However, according to researchers at Lookout who uncovered the latest campaign and reported it to LastPass, developers behind CryptoChamelon have added support for LastPass, enabling actors to spin up fake sites to steal credentials from LastPass users.

Security Officer Comments:
Fake domains impersonating LastPass have already been set up with the help of CryptoChameleon. LastPass says it identified the following domain (help-lastpass[.]com) which was being used in a vishing campaign against its customers. The actors’ modus operandi includes:
  1. Victims receive a call from an 888 number claiming unauthorized access to their LastPass account and are prompted to allow or block the access by pressing "1" or "2".
  2. If they choose to block the access, they're told they will get a follow-up call to resolve the issue.
  3. A second call comes from a spoofed number, where the caller, posing as a LastPass employee, sends a phishing email from "support@lastpass" with a link to the fake LastPass site.
  4. Entering the master password on this site allows the attacker to change account settings and lock out the legitimate user.
Suggested Corrections:
Although LastPass says it was able to take the malicious website down, similar domains are likely to be set up by actors. As a precaution, customers have been advised to be on the lookout for suspicious calls, text messages, and emails pretending to be from LastPass:
  • If you receive a suspicious phone call claiming to be from LastPass, simply hang up and please send us an email with the details of the call to
  • If you receive a suspicious text claiming to be from LastPass, please send a screen capture of the text to
  • If you receive an email you believe may be related to phishing, please forward the email as an attachment to