LastPass and Bitwarden Users Targeted by Phishing Campaign Using Fake Security Alerts
A phishing campaign is impersonating LastPass and Bitwarden, sending fake security alerts to trick users into visiting malicious websites designed to steal credentials.

Password manager users are increasingly becoming targets for sophisticated phishing operations, with a recent campaign specifically aiming to compromise LastPass and Bitwarden accounts. Attackers are distributing fraudulent emails that mimic legitimate corporate communications, notifying recipients of alleged security policy updates and urging them to review documents.
These deceptive emails, sent from domains like 'hello@lastpassnewsletter.com' and 'hello@bitwardennewsletter.com', claim to inform users about changes to service policies, including enhanced monitoring and master password reset options. The attackers leverage social engineering tactics by creating a sense of urgency and importance around these fabricated updates.
The core of the attack lies in the malicious links embedded within these emails. When users click on buttons such as ‘Review & Access Terms,’ they are redirected to websites that meticulously impersonate legitimate services like DocuSign. However, these fake landing pages, such as lastpasscompliance[.]com and bitwardencompliance[.]com, are designed to capture user credentials or prompt them to download potentially malicious files.
LastPass has been proactive in warning its user base about this campaign, emphasizing that its own systems have not been breached and that the phishing emails do not originate from their infrastructure. The attackers' use of domains that closely resemble legitimate company services highlights the evolving sophistication of phishing operations.
While the exact objective of the fake DocuSign impersonation page remains unclear, it reportedly prompts users to download files for both Windows and macOS. The presence of a live chat support feature on the malicious site, though its functionality is unconfirmed, adds another layer of deceptive realism to the attack.
This is not the first time LastPass users have been targeted with similar tactics. In March, the company alerted users to fake unauthorized account access alerts, and earlier in January, fake alerts claimed users needed to back up their vaults due to upcoming maintenance. These recurring attacks underscore the persistent threat landscape for password manager users.
LastPass advises its users to remain vigilant and report any suspicious communications to abuse@lastpass.com. The company reiterates that it will never ask for a user's master password. For users who may have inadvertently entered their credentials on a phishing site, immediate action is recommended: change master passwords from a trusted device and thoroughly review vaults for any unauthorized activity.
Security experts urge all users of password managers and other sensitive online services to exercise extreme caution with unsolicited emails, verify sender addresses, and avoid clicking on suspicious links or downloading unexpected attachments. Multi-factor authentication, where available, remains a critical layer of defense against account takeover attempts.