Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

Published: 23/11/2024   Category: security




CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent user into handing over their high-value credentials.



An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.
Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one master password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.
Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism.
"CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."
Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.
At first, CryptoChameleon looked like any other phishing kit.
Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.
The picture changed in February, though, when they registered the domain fcc-okta[.]com, mimicking the Okta single sign-on (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.
Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.
The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.
Consider, for example, the current campaign against LastPass.
It begins when a customer receives a call from an 888 number. A robocaller informs the customer that their account has been accessed from a new device. It then prompts them to press 1 to allow access, or 2 to block it. After pressing 2, they're told that they'll be receiving a call shortly from a customer service representative in order to close the ticket.
Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.
"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."
This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.
The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.
All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' [I told them] 'You spent 23 minutes on the phone with these guys. You probably did.'"
LastPass shut down the suspicious domain used in the attack — help-lastpass[.]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.
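Both domains named in this story, fcc-okta[.]com and help-lastpass[.]com, follow the same pattern: a brand name embedded in a registrable domain the brand does not own. The following is an added example (not code from the article, Lookout or LastPass) of the kind of lookalike-domain check a mail or proxy filter can apply to defanged indicators; the brand allowlist and the sample indicators are constructed for illustration, and the registrable-domain logic is a deliberate simplification (a production filter would use the Public Suffix List).

```python
import re

# Brand tokens and the legitimate registrable domains they belong to.
# Constructed for this example; a real deployment loads a maintained allowlist.
BRANDS = {
    "lastpass": {"lastpass.com"},
    "okta": {"okta.com"},
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'help-lastpass[.]com' back into a usable form."""
    s = indicator.strip().lower()
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def hostname(url_or_host: str) -> str:
    """Extract the hostname from a URL or bare host; scheme, userinfo, port and path are dropped."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(url_or_host))
    return s.split("/", 1)[0].split("@")[-1].split(":", 1)[0]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for .com; a real filter uses the PSL."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def impersonated_brand(url_or_host: str):
    """Return the brand a hostname impersonates, or None if it is legitimate or unrelated.

    A host is flagged when a brand token appears in any dot- or hyphen-separated part
    of the hostname while the registrable domain is not one the brand actually owns.
    Legitimate subdomains (help.lastpass.com) are therefore not flagged, while
    help-lastpass.com and fcc-okta.com are.
    """
    host = hostname(url_or_host)
    reg = registrable_domain(host)
    if any(reg in legit for legit in BRANDS.values()):
        return None
    parts = re.split(r"[.-]", host)
    for brand in BRANDS:
        if any(brand in p for p in parts):
            return brand
    return None


if __name__ == "__main__":
    # Constructed sample indicators, including the two domains from this story.
    for ioc in ["help-lastpass[.]com", "hxxps://fcc-okta[.]com/login", "help.lastpass.com"]:
        print(f"{ioc:35s} -> {impersonated_brand(ioc)}")
```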
With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.
When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at [email protected]."
Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.
"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that "just because there's an American on the other end of the line also does not mean that it's legitimate."
In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."
Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.
"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it.'"
LastPass has asked Dark Reading to remind customers of the following:
Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign.
If you do see this activity and are concerned you may have been compromised, contact the company at [email protected].
And finally, LastPass will never ask you for your password.
