Criminals Exploit LastPass’s Emergency Access Feature With Morbid Phishing Scheme

Cybercriminals have found a new way to weaponize trust — and even death — to steal access to encrypted password vaults.

In mid-October, LastPass began alerting customers to a wave of highly targeted phishing attacks that mimic the company’s legacy or emergency access workflow. The attackers falsely claim a family member has submitted a death certificate, triggering a request to unlock the victim’s vault.

The campaign is being linked to CryptoChameleon (UNC5356) — a financially motivated threat actor long known for cryptocurrency phishing kits impersonating Okta, Coinbase, Gmail, Apple, and Microsoft login portals.


A More Advanced Repeat Offender

CryptoChameleon previously went after LastPass users in April 2024. This time the attackers have leveled up:

✅ More convincing pretexts with fabricated “agent IDs”
✅ Real-time support scams via phone calls impersonating LastPass staff
✅ New focus on passkey theft — not just passwords

The phishing emails encourage users to “cancel the inheritance request if you are not deceased.” Clicking the link sends victims to lastpassrecovery[.]com, a convincing look-alike site where they are pressured to enter their master password. Recent lookups also reveal infrastructure tied to domains like:

  • mypasskey[.]info

  • passkeysetup[.]com

These indicate that attackers are now actively attempting to intercept FIDO2/WebAuthn passkeys, which many password managers increasingly support.


Why This Social Engineering Trick Works

LastPass’s legitimate inheritance process allows selected contacts to unlock a vault following:

  1. A request notification

  2. A delay period

  3. Automatic access if the original user does not deny the request

Criminals are abusing this real workflow to add credibility. When people see something mapped to a genuine LastPass feature — especially something as emotional as a death notice — urgency and fear override caution.


The Bigger Picture: Passkeys Are the New Prize

As major password managers sync passkeys across devices, attackers now see them as high-value targets. Passkeys remove most credential-theft opportunities — unless criminals trick users into giving them up.

This shift underscores a troubling reality:

When technical defenses improve, social engineering becomes the path of least resistance.


How to Protect Yourself

  • Never click login links from email notifications — navigate directly to the service

  • Enable biometric confirmation for vault access where possible

  • Treat unexpected “emergency access” notifications as high-risk alerts

  • Report suspicious messages to LastPass Security

If you receive a call claiming to be LastPass support — hang up and contact the company through verified channels.
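One defensive way to operationalize the first bullet is to triage inbound LastPass-themed mail automatically: flag any link whose hostname borrows the brand words seen in this campaign ("lastpass", "passkey") but does not belong to a trusted LastPass domain. This is an added example for mail filtering or SOC triage, not LastPass's own tooling; the trusted-domain list, the keyword list and the sample email are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains treated as legitimate LastPass infrastructure. This list is an
# assumption for the example; confirm it against the vendor's own guidance.
TRUSTED_DOMAINS = {"lastpass.com"}

# Brand words that the look-alike domains in this campaign reuse.
BRAND_KEYWORDS = ("lastpass", "passkey")

URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""", re.IGNORECASE)


def registrable_domain(host):
    """Crude 'example.com' reduction: keep the last two labels of the host."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def defang(host):
    """Render a hostname so it is not clickable in a report."""
    return host.replace(".", "[.]")


def suspicious_links(message):
    """Return (defanged_host, reason) for brand-themed links that do not
    resolve to a trusted LastPass domain; trusted links are skipped."""
    findings = []
    for url in URL_RE.findall(message):
        host = (urlparse(url).hostname or "").lower()
        if not host or registrable_domain(host) in TRUSTED_DOMAINS:
            continue
        if any(word in host for word in BRAND_KEYWORDS):
            findings.append((defang(host), "brand look-alike outside trusted domains"))
    return findings


# Constructed sample modelled on the pretext described above (not a real email;
# the agent ID is made up to mirror the fabricated IDs the campaign uses).
SAMPLE_EMAIL = """Subject: Inheritance request received (Agent ID 4471-B)
A family member has submitted a death certificate for your account.
Cancel the inheritance request if you are not deceased:
https://lastpassrecovery.com/cancel?ref=4471
Secure your passkeys: https://mypasskey.info/setup and
https://passkeysetup.com/start
Help center: https://www.lastpass.com/help
"""

if __name__ == "__main__":
    for host, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{host}: {reason}")
```

Running it on the sample flags the three campaign domains and leaves the genuine www.lastpass.com link alone.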

CryptoChameleon’s fake death notices are a stark reminder that attackers continue to innovate socially engineered intrusion methods. The target isn’t just your password — it’s the system that protects every other one you use.

As passkeys rise, expect phishing to evolve right along with them.