Hackers Exploit LastPass's Post-Death Account Access Feature

Published 2025-10-25 16:32:52 | www.pcmag.com

Cybercriminals are leveraging LastPass's after-death account handover procedures to trick users into revealing their login credentials. The campaign, linked to the CryptoChameleon group, involves sending fake emails about legacy access requests that redirect victims to phishing sites.

Hackers are now taking advantage of LastPass’s after-death account handover procedures to dupe people into handing over their login details. The campaign started in mid-October, according to cybersecurity publication Bleeping Computer, and may be linked to cybercrime group CryptoChameleon, which has previously targeted FCC employees.

LastPass, like many of its competitors, offers a feature allowing account holders to designate trusted relatives—for example, a spouse—to request emergency access to their account after they die, preserving access to things like vital work accounts, banking, or social media. When a post-death access request is opened, the account owner then receives an email. After a waiting period expires, access is automatically granted to the deceased’s trusted contact.

Now, users are receiving fabricated emails informing them of post-death legacy requests to take over their accounts, prompting them to cancel the request. When users click the malicious link in the email, they’re redirected to a fraudulent page on lastpassrecovery[.]com, where they’re asked to enter their master password. LastPass told Bleeping Computer that, in some cases, members of the hacking group called victims while posing as LastPass employees and told them to enter their credentials on the phishing site.
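The lure described above depends on a brand-lookalike domain (lastpassrecovery[.]com) standing in for the vendor's real one. As an added example, not code from the PCMag article or from LastPass, the Python below shows the check a mail filter or awareness tool could run over a message that claims to be an emergency-access notice: it extracts every link, compares the link's registrable domain with a small allow-list of vendor domains, and flags hosts that carry the brand name but sit outside that list. The allow-list, the phishing-wording indicators and the sample message are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the real vendor is assumed to link from.
LEGITIMATE_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

# Constructed wording indicators drawn from the lure described in the article.
PRETEXT_PHRASES = ("legacy access", "emergency access", "cancel the request", "cancel it")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def refang(text):
    """Undo the common defanging used in reports (example[.]com, hxxp) so URLs parse."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Last two labels of a hostname; adequate for .com-style TLDs used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """'legitimate' for allow-listed domains, 'brand-lookalike' for hosts that
    contain the brand name but are not allow-listed, 'external' otherwise."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    if BRAND in host:
        return "brand-lookalike"
    return "external"


def analyze_message(body):
    """Return (findings, suspicious): findings is a list of (url, verdict);
    suspicious is True when the message pairs account-takeover pretext wording
    with a link that imitates the vendor's brand outside its real domain."""
    text = refang(body)
    findings = [(url, classify_url(url)) for url in URL_RE.findall(text)]
    lookalike = any(verdict == "brand-lookalike" for _, verdict in findings)
    pretext = any(phrase in text.lower() for phrase in PRETEXT_PHRASES)
    return findings, (lookalike and pretext)


# Constructed sample message modelled on the lure; the link is defanged as in the report.
SAMPLE_EMAIL = """Subject: Emergency access request pending
A legacy access request was opened on your account. If you did not
authorize this, cancel it here: https://lastpassrecovery[.]com/cancel
Need help? Visit https://support.lastpass.com/
"""

if __name__ == "__main__":
    findings, suspicious = analyze_message(SAMPLE_EMAIL)
    for url, verdict in findings:
        print(f"{verdict:16} {url}")
    print("suspected phish:", suspicious)
```

The allow-list comparison is done on the registrable domain so that genuine subdomains pass, while a host such as lastpass.com.evil.example is still caught because its registrable domain is not the vendor's. The wording check alone proves nothing, since a real notice uses the same phrases; it is the combination with an off-domain brand link that raises the flag.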

We’ve seen LastPass users become the target of plenty of creative scam attempts over the past few years. Last year, it warned users to be on guard against AI-generated spam calls impersonating their boss and deep-faking their voice. Many of the campaigns have been more classic—for example, earlier this year, a wave of fake GitHub pages appeared for LastPass, with hackers using SEO tactics on Google and Bing to boost the illegitimate pages.

LastPass’s own defenses have also been breached in recent years. In 2022, LastPass lost a copy of customers’ encrypted password data to a hacker, who looted the information by copying a “backup of customer vault data” from an encrypted storage container during the intrusion. The company said the breach revealed data such as “website usernames and passwords, secure notes, and form-filled data,” as well as unencrypted website URLs.