Full Report
LastPass is warning customers of a phishing campaign sending emails with an access request to the password vault as part of a legacy inheritance process. [...]
Analysis Summary
# Incident Report: CryptoChameleon Phishing Campaign Targeting LastPass Encryption and Passkeys
## Executive Summary
Starting in mid-October 2025, a financially motivated threat group identified as CryptoChameleon (UNC5356) launched an extensive social engineering campaign against LastPass users, leveraging fabricated "legacy inheritance" account access requests. This sophisticated attack utilized phishing sites designed to steal master passwords and targeted modern security features, including passkeys, resulting in potential vault compromises. LastPass issued warnings while the threat actors employed direct phone contact to coerce victims into entering credentials.
## Incident Details
- Discovery Date: Mid-October 2025 (when LastPass began warning customers)
- Incident Date: Activity started in mid-October 2025
- Affected Organization: LastPass and its customers
- Sector: Technology / Password Management
- Geography: Global (as LastPass users are widespread)
## Timeline of Events
### Initial Access
- Date/Time: Mid-October 2025
- Vector: Targeted Phishing Campaign (Social Engineering)
- Details: Victims received emails claiming a family member had initiated an emergency access request to their LastPass vault using a fabricated death certificate. The email prompted users to click a link to "cancel" the request.
### Lateral Movement
- Details: The report focuses primarily on credential theft; specific lateral movement details within compromised networks are not provided. The group is known for targeting cryptocurrency wallets, suggesting the ultimate goal was financial access.
### Data Exfiltration/Impact
- Details: The objective was the theft of LastPass master passwords and potentially passkeys used to access user vaults.
- Impact: Potential compromise of all stored secrets and passkeys within the victim's LastPass vault.
### Detection & Response
- Detection: LastPass became aware of the campaign via customer reports or monitoring and issued public warnings.
- Response Actions: LastPass publicly warned customers about the sophisticated social engineering tactics being employed.
## Attack Methodology
- Initial Access: Phishing emails using a fabricated "legacy inheritance" emergency access request as the pretext.
- Persistence: Not explicitly detailed, but access was likely maintained via stolen credentials/passkeys.
- Privilege Escalation: Not explicitly detailed; phone calls from callers posing as LastPass staff were used to pressure victims into confirming actions.
- Defense Evasion: Use of legitimate-sounding pretexts (death certificate, inheritance process) and sophisticated phishing domains.
- Credential Access: Direct entry of master passwords into fraudulent login forms. Attempts were made to target and capture authentication data related to passkeys.
- Discovery: Attackers likely performed reconnaissance to understand LastPass's emergency access schema.
- Lateral Movement: Not detailed, but the attack group (CryptoChameleon) typically focuses on cryptocurrency ecosystem compromise.
- Collection: Gathering of LastPass master passwords and passkey data linked to domains like `mypasskey[.]info` and `passkeysetup[.]com`.
- Exfiltration: Stolen credentials/passkey data were exfiltrated for access to encrypted vaults.
- Impact: Financial theft, potentially via accessing cryptocurrency wallets or other high-value credentials stored in the vault.
## Impact Assessment
- Financial: Linked to the financially motivated group CryptoChameleon, known for cryptocurrency theft (a €4.4 million loss was reported in a previous, related incident involving LastPass in 2022).
- Data Breach: Highly sensitive data stored in LastPass vaults (passwords, secure notes, credit card details) and potentially control over associated passkeys.
- Operational: Disruption and security alert fatigue for LastPass users; potential operational downtime for compromised entities accessing vault data.
- Reputational: Further damage to customer trust following previous major breaches at LastPass.
## Indicators of Compromise
- Network indicators:
  - Phishing Domain 1: `lastpassrecovery[.]com`
  - Phishing Domain 2 (Passkey-focused): `mypasskey[.]info`
  - Phishing Domain 3 (Passkey-focused): `passkeysetup[.]com`
- File indicators: N/A (Primarily a credential harvesting/social engineering operation)
- Behavioral indicators: Unexpected emergency access notifications containing unusual, time-sensitive links; unsolicited phone calls from callers claiming to be LastPass support and directing the user to log in.
## Response Actions
- Containment measures: LastPass issued immediate warnings to customers detailing the fraudulent activity.
- Eradication steps: N/A (Customer-side responsibility to change credentials and secure accounts).
- Recovery actions: Users advised to change master passwords and review emergency access contacts.
## Lessons Learned
- Pretexting based on legitimate, sensitive organizational features (like emergency inheritance) is highly effective against established users.
- Threat actors are rapidly adapting to secure authentication standards, moving from traditional password harvesting to targeting passkey infrastructure.
- The convergence of MFA/passwordless methods and social engineering requires comprehensive user education regarding fallback procedures.
## Recommendations
- Implement multi-factor validation steps beyond email links for high-stakes operations like emergency access revocation.
- Enhance monitoring for newly registered or newly active domains closely mimicking official vendor names/security features (e.g., passkey setup domains).
- Conduct frequent, specific simulations targeting emergency access scenarios to test user vigilance across all account recovery methods (passwords and passkeys).
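As an added detection example (not part of the report or of LastPass's own tooling), the script below refangs the three defanged phishing domains from the Indicators of Compromise section and applies the lookalike-domain monitoring suggested in the second recommendation to constructed proxy log lines. The allowlist, keyword list and log format are assumptions to be tuned for a real environment.

```python
import re

# Defanged phishing domains exactly as listed in the report's IoC section.
IOC_DOMAINS_DEFANGED = ["lastpassrecovery[.]com", "mypasskey[.]info", "passkeysetup[.]com"]

# Lookalike heuristic: vendor/feature keywords and the domains allowed to carry them
# (assumed values; extend the allowlist with your own legitimate vendor domains).
LOOKALIKE_KEYWORDS = ("lastpass", "passkey")
ALLOWLIST = {"lastpass.com"}

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn defanged notation such as 'example[.]com' back into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def under(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_line(line: str) -> list[tuple[str, str]]:
    """Return (hostname, reason) for each suspicious host found in one proxy/mail log line."""
    hits = []
    for host in (h.lower() for h in HOST_RE.findall(line)):
        if under(host, IOC_DOMAINS):
            hits.append((host, "known-ioc"))   # matches a reported phishing domain or a subdomain of it
        elif not under(host, ALLOWLIST) and any(k in host for k in LOOKALIKE_KEYWORDS):
            hits.append((host, "lookalike"))   # vendor/feature keyword on a non-allowlisted domain
    return hits


def scan_log(text: str) -> list[tuple[str, list[tuple[str, str]]]]:
    """Run classify_line over every line; keep only lines with at least one hit."""
    return [(ln, hits) for ln in text.splitlines() if (hits := classify_line(ln))]


# Constructed sample proxy log lines (not real traffic) covering the cases of interest.
SAMPLE_LOG = """\
2025-10-20T10:01:02Z user=alice url=https://lastpass.com/login action=allow
2025-10-20T10:03:11Z user=bob url=https://lastpassrecovery.com/cancel?id=1 action=allow
2025-10-20T10:05:42Z user=carol url=https://www.mypasskey.info/setup action=allow
2025-10-20T10:07:09Z user=dave url=https://lastpass-verify.example/login action=allow
2025-10-20T10:09:30Z user=erin url=https://news.example/article action=allow
"""

if __name__ == "__main__":
    for ln, hits in scan_log(SAMPLE_LOG):
        print(hits, "<-", ln)
```

The legitimate `lastpass.com` line produces no hit, the two IoC domains are flagged as known indicators (including the `www.` subdomain), and the keyword-bearing `lastpass-verify.example` is surfaced as a lookalike for analyst review.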