LastPass has alerted users about a new phishing attack that claims the recipient has died. According to the message, a family member has submitted a death certificate to gain access to the recipient’s password vault. A link in the phishing email, supposedly to stop the request, leads to a fake page that asks for the LastPass user’s master password.
“Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)
A death certificate was uploaded by a family member to regain access to the Lastpass account
If you have not passed away and you believe this is a mistake, please reply to this email with STOP”
LastPass links this campaign to CryptoChameleon (also known as UNC5356), a group that previously targeted cryptocurrency users and platforms with similar social engineering attacks. The same group used LastPass branding in a phishing kit in April 2024.
The phishing attempt exploits the legitimate inheritance process, an emergency access feature in LastPass that allows designated contacts to request access to a vault if the account holder dies or becomes incapacitated.
Stealing someone’s password manager credentials gives attackers access to every login stored inside. We recently reported on an attempt to steal 1Password credentials.
LastPass also notes that:
“Several of the phishing sites are clearly intended to target passkeys, reflecting both the increased interest on the part of cybercriminals in passkeys and the increased adoption on the part of consumers.”
Passkeys are a very secure replacement for passwords. They can’t be cracked, guessed or phished, and let you log in easily without having to type a password every time. Most password managers—like LastPass, 1Password, Dashlane, and Bitwarden—now store and sync passkeys across devices.
Because passkeys often protect high-value assets like banking, crypto wallets, password managers, and company accounts, they've become an attractive prize for attackers.
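Why a passkey login does not carry over from a fake page, shown as an added example that is not from LastPass or the original article: the browser records the page's origin in the signed client data, and the real site rejects any other origin. The origins, challenge values, and function names are constructed for illustration, and signature verification is left out.

```javascript
// Added example: simplified relying-party checks on WebAuthn clientDataJSON.
// Origins and challenges are constructed sample values, not real services.
const EXPECTED_ORIGINS = new Set(["https://vault.example"]);
const ISSUED_CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"; // base64url, constructed

// Stand-in for the browser: it, not the page's script, writes `origin`.
function buildClientData(type, challenge, origin) {
  const json = JSON.stringify({ type, challenge, origin, crossOrigin: false });
  return Buffer.from(json, "utf8");
}

// Server-side check run before signature verification (omitted here).
function checkClientData(clientDataBytes, expectedType, expectedChallenge) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataBytes).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data.type !== expectedType) return { ok: false, reason: "wrong ceremony type" };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  if (!EXPECTED_ORIGINS.has(data.origin)) return { ok: false, reason: "origin mismatch" };
  return { ok: true, reason: "accepted" };
}

// Constructed cases: a genuine login, the same challenge relayed through
// a look-alike page, and an old challenge being reused.
const cases = {
  genuine: buildClientData("webauthn.get", ISSUED_CHALLENGE, "https://vault.example"),
  lookalike: buildClientData("webauthn.get", ISSUED_CHALLENGE, "https://vault-example.invalid"),
  stale: buildClientData("webauthn.get", "b2xkLWNoYWxsZW5nZQ", "https://vault.example"),
};
for (const [name, bytes] of Object.entries(cases)) {
  console.log(name, checkClientData(bytes, "webauthn.get", ISSUED_CHALLENGE));
}
```

A master password typed into a web form has no equivalent origin binding, so nothing stops a fake page from collecting it.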
Advice for users
While passkeys themselves cannot be phished via simple credential theft, attackers can trick users into:
- Registering a new passkey on a malicious site or a fake login page
- Approving fraudulent device syncs or account transfers
- Disabling passkeys and reverting to weaker login methods, then stealing those fallback credentials
LastPass and other security experts recommend:
- Never enter your master password on links received via email or text.
- Understand how passkeys work and keep them safe.
- Only log in to your password manager via official apps or bookmarks.
- Be wary of urgent or alarming messages demanding immediate action.
- Remember that legitimate companies won’t ask for sensitive credentials via email or phone.
- Use an up-to-date, real-time anti-malware solution, preferably with a web protection module.




