嗯,用户让我总结一下这篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。首先,我得通读一下文章,了解主要信息。 文章讲的是LastPass警告用户有一个钓鱼活动,骗子冒充LastPass来获取用户的主密码。这个活动开始于2026年1月19日左右。骗子通过发送邮件,声称有紧急维护,让用户在24小时内备份密码库。邮件的主题涉及基础设施更新、密码库安全和错过截止日期等。 链接会引导到一个亚马逊S3托管的钓鱼页面,然后重定向到一个假的LastPass网站。攻击者选择在美国的周末假期发动攻击,以利用人员减少和延迟检测。 LastPass提醒用户他们永远不会要求主密码,并建议用户提高警惕,报告可疑邮件,并提供了指示器来识别威胁。 所以,总结的时候需要涵盖:钓鱼活动、冒充LastPass、获取主密码、邮件内容、链接到钓鱼网站、攻击时间选择以及LastPass的建议。 接下来,我需要把这些信息浓缩成大约100字以内的内容。确保不遗漏关键点:冒充身份、目的(获取主密码)、手段(邮件和钓鱼网站)、攻击时间策略以及LastPass的警告。 可能的结构是:开头说明事件,接着描述手段和目的,然后提到攻击的时间选择,最后LastPass的建议。 检查一下有没有超过字数限制,并确保语言简洁明了。 </think> LastPass警告用户遭遇钓鱼攻击,骗子冒充服务发送紧急维护邮件,诱导用户备份密码库并泄露主密码。链接指向假网站,攻击者利用假期延缓检测。LastPass提醒用户切勿透露主密码,并提供应对措施。 2026-1-21 11:0:52 Author: securityaffairs.com(查看原文) 阅读量:2 收藏
Crooks impersonate LastPass in campaign to harvest master passwords
Password manager LastPass warns of an active phishing campaign impersonating the service to steal users’ master passwords.
LastPass warned users about an active phishing campaign that began around January 19, 2026. Attackers impersonate the service with emails claiming urgent maintenance and urge users to back up their password vaults within 24 hours.
The messages use subject lines referencing infrastructure updates, vault security, and missed deadlines to trick victims into revealing their master passwords.
“LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team would like to alert our customers to an active phishing campaign that began on or around January 19, 2026.” reads the alert. “These phishing emails are being sent from several email addresses with various subject lines claiming that LastPass is about to conduct maintenance and urging users to backup their vaults in the next 24 hours. The known list of email addresses and subject lines can be found below.”
The campaign uses phishing emails with links claiming to help users back up their LastPass vaults. The links lead to an Amazon S3–hosted phishing page (“group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”) that redirects to a fake LastPass site (“mail-lastpass[.]com). Attackers launched the campaign over a US holiday weekend to exploit reduced staffing and delay detection and response.
LastPass warns users it will never ask for master passwords and urges caution over phishing emails. The company is working to take down the malicious domain, asks users to report suspicious messages to [email protected], and shared indicators of compromise, including fake domains, IP addresses, sender details, and phishing email subject lines.
“The timing of the campaign, which fell over a holiday weekend in the United States, is a common tactic among threat actors seeking to take advantage of reduced staffing under the assumption it will postpone detection and draw out response time.” concludes the report.
In December 2025, the blockchain intelligence firm TRM Labs warned that encrypted vault backups stolen in the 2022 LastPass breach are still being cracked using weak master passwords, enabling crypto theft as late as 2025.
Earlier December, the U.K. ICO fined the password manager £1.2m ($1.6m ) for inadequate security measures that failed to prevent the breach.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, LastPass)
如有侵权请联系:admin#unsafe.sh