Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Fake Breach Alerts Compromise Password Managers: A Cautionary Tale


Users of password management tools LastPass, Bitwarden, and 1Password are advised to be cautious after receiving fake breach alerts. The malicious campaign has resulted in PC hijacks, highlighting the importance of verifying security alerts through official channels.

  • Phishing campaign targets users of LastPass and Bitwarden, claiming vault breaches to trick them into downloading Syncro.
  • The attackers use fake emails with a similar tone and style to those sent by the password managers themselves.
  • Users may be vulnerable to PC hijacks and data theft if they click on the malicious link.
  • LastPass confirms it has not been hacked, but is a victim of a phishing attempt to create urgency.
  • Users should ignore such alerts and log in to the provider's official website to check for security alerts.
  • Companies will never ask for master passwords; attackers use this tactic to compromise user accounts.
  • Cybersecurity awareness is crucial in protecting oneself from phishing attacks like this one.



In recent days, a sophisticated phishing campaign has been targeting users of two prominent password managers, LastPass and Bitwarden. The attackers have crafted emails that appear to be from the companies themselves, claiming that their vaults have been compromised in a breach. These fake alerts are designed to trick victims into downloading a supposedly more secure desktop version of the password manager, which ultimately installs Syncro, a remote monitoring and management (RMM) tool used by managed service providers (MSPs). The malicious campaign has left many users vulnerable to PC hijacks, highlighting the importance of being cautious when receiving unsolicited security alerts.

The phishing emails are well-crafted and use a similar writing style and tone to those sent by LastPass and Bitwarden themselves. They urge recipients to download an improved desktop application that is supposedly designed to enhance their password management experience. However, once the malicious link is clicked, it installs Syncro, which deploys the ScreenConnect remote support and access software. This allows the threat actors to remotely connect to a target's computer and deploy further malware payloads, steal data, and potentially access the password vaults of users through saved credentials.

According to LastPass, the company in question has NOT been hacked, and this is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient. The company notes that the campaign started over the weekend, presumably to take advantage of the reduced staffing over the Columbus Day holiday weekend and delay detection.

Researchers at cybersecurity company Malwarebytes say that users clicking on an embedded button were taken to a phishing page (onepass-word[.]com) via a Mandrillapp redirection. The attacks targeting 1Password were first reported by Brett Christensen (Hoax-Slayer) on September 25.

It is essential for users of password management tools to ignore such alerts and always log in to the provider's official website to check for any pending security alerts. Important security incidents like those claimed in the emails are also broadly communicated on the companies' blogs and via press releases, so double-checking official channels is always good practice.
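The advice above (trust only the vendor's official domain, treat everything else as suspect) can be applied to the links in an email before anyone clicks. The following is an added example, not code from the article, Malwarebytes or any of the vendors; the official-domain list, the tracking-redirector list and the sample email body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed registrable domains of the three vendors named in the article.
OFFICIAL_DOMAINS = {"lastpass.com", "bitwarden.com", "1password.com"}
# Brand strings a lookalike host tends to carry once separators are stripped
# (onepass-word[.]com flattens to "onepassword").
BRAND_TOKENS = ("lastpass", "bitwarden", "1password", "onepassword")
# Email-service click trackers: the real destination is hidden behind them,
# so the link cannot be trusted until the redirect target is known.
TRACKING_REDIRECTORS = {"mandrillapp.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(url: str) -> str:
    """Turn defanged indicators such as onepass-word[.]com back into parseable URLs."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the .com domains used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """official | opaque-redirect | brand-lookalike | unrelated."""
    host = urlparse(refang(url)).hostname or ""
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    if reg in TRACKING_REDIRECTORS:
        return "opaque-redirect"
    # Strip hyphens/dots so "onepass-word" or "bitwarden.com.evil.net" still match.
    flat = re.sub(r"[^a-z0-9]", "", host.lower())
    if any(tok in flat for tok in BRAND_TOKENS):
        return "brand-lookalike"
    return "unrelated"


def triage_email(body: str) -> dict:
    """Map every URL found in an email body to its classification."""
    return {u: classify_link(u) for u in URL_RE.findall(body)}


# Constructed sample body mimicking the campaign's lure (not a real message).
SAMPLE_EMAIL = """\
Your vault may have been exposed. Download the secure desktop app now:
https://mandrillapp.com/track/EXAMPLE-PATH
https://onepass-word[.]com/download
Or sign in at https://1password.com/ to review your account.
"""
```

Any link that is not classified "official" warrants opening the vendor site by hand rather than clicking; "opaque-redirect" links should be resolved in a sandbox before they are trusted.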

Companies will never ask for the master password to your vaults.

Users of password management tools should be aware of this tactic used by attackers to compromise user accounts.

The malicious campaign highlights the importance of staying informed about potential threats and being cautious when receiving unsolicited security alerts.

This situation serves as a reminder that cybersecurity awareness is crucial in protecting oneself from such phishing attacks.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Fake-Breach-Alerts-Compromise-Password-Managers-A-Cautionary-Tale-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-breach-alerts-lead-to-pc-hijacks/


  • Published: Wed Oct 15 22:38:17 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.