CryptoChameleon LastPass vault-access phishing campaign
Campaign
Summary
A CryptoChameleon (UNC5356) phishing campaign is using fake LastPass inheritance requests to trick users into handing over vault credentials and passkeys. The operation began in mid-October and later expanded to passkey-focused lures, increasing the risk of account takeover across password managers and related accounts. Victims are sent to fraudulent pages such as lastpassrecovery[.]com, where attackers collect master passwords, and some lures also impersonate LastPass staff.
Related Happenings
Bitwarden adds passkey login for Windows 11 sign-in
Security Tool/Service
First: 05.03.2026 00:34
Last: 05.03.2026 00:34
Sources 1
About this happening:
**Bitwarden** added **passkey login** for **Windows 11**, expanding passwordless sign-in and reducing phishing exposure for users who store credentials in the vault.
LastPass customer password vault backups exposed
Data Leak
First: 05.01.2026 11:30
Last: 05.01.2026 11:30
Sources 1
About this happening:
The **2022 LastPass data leak** exposed backups of about **30 million customer password vaults**, leaving more than **25 million users** with a **long-tail risk** of offline crack...
Password manager browser add-ons DOM-based extension clickjacking security flaw
Vulnerability
First: 20.08.2025 20:54
Last: 20.08.2025 20:54
Sources 1
About this happening:
**11 password manager browser add-ons** were shown vulnerable to **DOM-based extension clickjacking**, enabling a **single click** on attacker-controlled content to trigger auto-f...
Latest development: 29.08.2025 12:58
Click Studios released Passwordstate 9.9 (Build 9972) on August 28, 2025 to fix a high-severity authentication bypass against the core Passwordstate Products' Emergency Access page and added protections against potential clickjacking attacks in the browser extension, likely in response to DOM-based extension clickjacking findings affecting password manager browser add-ons.
Timeline
- 24.10.2025 17:47 · 1 article
LastPass warns of CryptoChameleon vault-access phishing campaign
Initial Disclosure: LastPass warns customers about a phishing campaign linked to CryptoChameleon (UNC5356) that began in mid-October and uses fake legacy inheritance requests to trick LastPass users into entering their master password. The lure claims that a family member requested access to a LastPass vault by uploading a death certificate, redirects victims to lastpassrecovery[.]com, and in some cases includes calls from attackers posing as LastPass staff; the campaign also uses passkey-focused domains such as mypasskey[.]info and passkeysetup[.]com.
Sources
- Fake LastPass death claims used to breach password vaults — www.bleepingcomputer.com — 24.10.2025 17:47