Attackers are targeting LastPass users with a new phishing campaign themed around account recovery after death. The emails claim that someone has filed a “legacy request” to take over the recipient's LastPass account and press the recipient to act on it.

Users who click the link in the email land on a credential-harvesting page that imitates the LastPass login screen but is hosted on the attacker-controlled domain lastpassrecovery[.]com (written here in defanged form). Anyone who enters their master password there hands it to the attackers, and because the master password is the secret that unlocks the entire vault, it is the only credential they need.

According to reports, the campaign began in mid-October 2025 and may be the work of the CryptoChameleon phishing group, which has previously targeted US government employees.

LastPass does offer a legitimate feature for this scenario, Emergency Access, which lets a trusted contact request access to a vault if the owner dies or is incapacitated. The real process only works for contacts the owner designated in advance from inside the account, and it includes an owner-defined waiting period during which the request can be declined. The scam borrows that scenario to make an unsolicited “request” from an unknown party sound plausible, when in reality such a request cannot originate from someone the owner never designated.

LastPass confirmed that in some cases the attackers also phoned victims while posing as company representatives, urging them to enter their credentials on the phishing site.

This is not the first campaign of its kind against LastPass users. Earlier attacks used fake GitHub pages and AI-generated voice calls to impersonate company staff.

Experts advise users not to click links in unexpected emails and to verify the sender's address, with the caveat that a From address can be spoofed and lookalike domains are cheap to register, so the link destination matters more than the sender. They recommend opening LastPass only through the official website or app, never through a link in a message. Two further checks help: a password manager's browser extension will not offer to fill credentials on a domain it does not recognise, so the absence of autofill on a “LastPass” login page is a warning sign, and no legitimate LastPass representative will ever ask for a master password by email or phone.
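As an added illustration of the "check the link destination, not the sender" advice, the following Python script (written for this page, not LastPass's own code) refangs indicators written in the lastpassrecovery[.]com style, extracts the registrable domain from each link in a message, and flags any hostname that carries the LastPass brand but does not resolve to the allowlisted domain. The allowlist (lastpass.com only), the sample email, and the two-label domain heuristic are assumptions made here for the example; a production checker would use the Public Suffix List and the vendor's documented set of domains.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: illustrative allowlist of registrable domains the vendor actually
# uses. Take the authoritative list from the vendor's own documentation.
TRUSTED_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the defanging used in threat reports (hxxp://, [.], [:])."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", ".")
                     .replace("[:]", ":"))


def registrable_domain(hostname: str) -> str:
    """Last two labels of the hostname ('www.lastpass.com' -> 'lastpass.com').

    Simplification for the example: real code should consult the Public
    Suffix List so that hosts under suffixes like 'co.uk' are split correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike', or 'unrelated' for one URL.

    trusted:   registrable domain is on the allowlist
    lookalike: brand name appears in the hostname, but the registrable domain
               is not trusted (lastpassrecovery.com, lastpass.com.evil.example)
    unrelated: brand name absent from the hostname
    """
    parts = urlsplit(refang(url.strip()))
    host = parts.hostname or ""          # urlsplit lowercases this for us
    if not host:
        return "unrelated"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Strip hyphens so 'last-pass' style spellings are still caught; homoglyph
    # (Unicode confusable) detection is out of scope for this example.
    if BRAND in host.replace("-", ""):
        return "lookalike"
    return "unrelated"


def scan_message(body: str) -> list[tuple[str, str]]:
    """Classify every http(s) link found in a message body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(refang(body))]


def lookalike_links(body: str) -> list[str]:
    """Only the links that should block delivery or trigger an alert."""
    return [url for url, verdict in scan_message(body) if verdict == "lookalike"]


# Constructed sample email in the style the article describes; not a real
# message from the campaign.
SAMPLE_EMAIL = (
    "Subject: Action required: legacy request on your LastPass account\n\n"
    "A family member has submitted a legacy request to take over your vault.\n"
    "Review it now: https://lastpassrecovery[.]com/legacy/review\n"
    "Need help? Visit https://support.lastpass.com/ for more information.\n"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

Running the script on the constructed sample reports the lastpassrecovery.com link as a lookalike and the support.lastpass.com link as trusted. The same classifier can sit in a mail-gateway rule or a SOC notebook fed with reported phishing emails; the important design choice is that it keys on the registrable domain of the link target, which is the one thing an attacker cannot spoof without also controlling the real domain.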

LastPass said it continues to monitor the campaign and urged users to stay alert to phishing attempts that, like this one, exploit trust and fear to rush people into handing over credentials.