- Attackers spoof LastPass and Bitwarden with phishing emails from fake newsletter domains, tricking users into signing fake DocuSign documents.
- Victims are redirected to malicious “compliance” domains flagged by Microsoft Defender and Cloudflare, already taken offline
- Neither password manager was hacked; This is domain spoofing and users are advised to verify sender addresses and domains before clicking on links.
Criminals have been discovered impersonating popular password managers LastPass and Bitwarden online in an attempt to trick users into sharing their login details and thus gaining access to a treasure trove of passwords and other secrets.
LastPass recently issued a warning to its customers, making them aware of the ongoing phishing campaign.
However, the scam now appears to have spread to other password managers, with Bitwarden customers apparently also being targeted.
Passwords are secure
As part of the campaign, LastPass users received emails from the address “[email protected]”.
This address does not belong to LastPass and is in no way affiliated with the password manager. In the message, victims are informed that the company’s security policies have been updated and that they should go to a specific landing page and sign a DocuSign document.
The email comes with a “Review and Access Requirements” button which, if clicked, redirects victims to Last Pass Compliance.[dot]com, yet another domain not affiliated with the password management platform.
BeepComputer claims that this domain has already been flagged as malicious by Microsoft Defender for Office 365 and Cloudflare and is currently offline.
Digging deeper, journalists discovered another campaign, almost identical, but now targeting Bitwarden users. In this case, victims received emails from the addresses “[email protected]” and were redirected to bitwardencompliance.[dot]com. Same methodology, just slightly personalized.
It is important to note that neither LastPass nor Bitwarden were compromised as part of this attack.
Business infrastructure is intact and passwords are secure. This is a typical domain spoofing attack in which scammers purchase a domain similar to the legitimate domain, in the hope that victims will not notice the difference.
As usual, the best solution is to always be skeptical of incoming emails and double-check the domains and email addresses they are being sent from. It’s also a good idea to cross-reference these emails with old messages that have been proven to be authentic, to see if the domains and addresses match.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




