Hackers are targeting password manager users with a convincing LastPass phishing email campaign that also impersonates Bitwarden. These fraudulent breach alerts trick victims into downloading a fake update that installs remote monitoring and access tools. Instead of improving security, the malware gives criminals full control of compromised computers.
How the Scam Emails Work
The phishing emails are designed to look like official security notifications. They claim older .exe builds of the password managers are vulnerable and instruct users to replace them with a hardened MSI installer. The supplied download, however, installs Syncro, a remote monitoring and management (RMM) platform, which is then used to deploy ScreenConnect. While both are legitimate IT tools, here they are abused to secretly grant attackers remote access.
Fake LastPass Security Alert
One version of the campaign impersonates LastPass, warning users about a high-severity flaw in older desktop clients. The message claims cached vault data may have been exposed and pressures recipients to download an “improved” version of the app. Instead, the link installs malware.
Subject: We Have Been Hacked – Update Your LastPass Desktop App to Maintain Vault Security
From: LastPass <hello@lastpassjournal.blog>
We’re introducing the new and improved LastPass Desktop App, rebuilt from the ground up to deliver stronger protection, better performance, and complete peace of mind. This update is our most secure release yet, designed to restore full cryptographic integrity after a recently identified vulnerability in older desktop versions.
In recent weeks, our team contained a high-severity security incident affecting legacy components of the LastPass desktop client. Attackers exploited weaknesses in older .exe installations, which could, under certain conditions, allow unauthorized access to cached vault data. Thanks to our Zero-Knowledge Encryption Framework, your passwords and private information were never exposed in plaintext — but out of caution, we’ve rebuilt the app to remove this risk entirely.
The new MSI-based LastPass Desktop App replaces the outdated .exe format with a hardened, digitally signed installer. This change guarantees safer installation, verified publisher integrity, and automatic protection against tampering. We’ve also added enhanced encryption containers and memory isolation, so your vault stays locked down under every scenario.
Updating is simple. Download the Updated App At: https://lastpassdesktop[.]com/
Install the new version, and sign in with your master password. The app will securely migrate and re-encrypt your vault, ensuring your passwords, payment data, and secure notes remain fully protected. You’ll notice the same familiar design — just stronger, faster, and more resilient.
If you believe you may have been affected by this incident, please use the support widget on our download page to report the issue directly to our security team. For all other questions or feedback, our live support chat on the same page is always available to assist you. Your input and experience play a vital role in helping us continue to build the most secure and reliable password management platform for protecting your digital assets.
Stay safe,
LastPass Security Response Team
LastPass has confirmed that these messages are fake. The company stated it has not been hacked and that the emails are a social engineering attempt designed to cause panic and convince recipients to install malware.
Fake Bitwarden Security Alert
The attackers are also impersonating Bitwarden with nearly identical wording. The fake email warns of a vulnerability in legacy Bitwarden clients and urges users to install a “secure” update. The file provided once again installs Syncro and ScreenConnect for unauthorized remote access.
Subject: We Have Been Hacked – Immediate Desktop App Update Required to Secure Your Vault
From: Bitwarden <hello@bitwardenbroadcast.blog>
Dear Bitwarden Users,
Today we’re announcing an urgent security update for the Bitwarden Desktop App. Our security team identified and contained a high-severity vulnerability affecting legacy desktop builds. While Bitwarden’s end-to-end, zero-knowledge encryption protected the contents of your vault, outdated desktop clients introduced a risk to local cache handling and synchronization integrity.
What happened:
– A flaw in older desktop client components created a potential pathway for credential-targeting and cache exposure under specific conditions.
– No plaintext passwords or notes were exposed thanks to our encryption model.
– We have issued a critical, signed update that hardens the app with reinforced integrity verification, memory isolation, and stricter sandboxing.
What you need to do now:
– Download and install the latest Bitwarden Desktop App here: [https://]bitwardendesktop[.]com/
– Sign in with your master password and complete a fresh vault sync.
– (Recommended) Clear the old app cache after upgrading.
– Open Vault Health Report to verify item integrity.
What’s changed under the hood:
– Digitally signed installers and tamper-resistant build pipeline
– Hardened synchronization stack and enhanced key-derivation defaults
– Expanded integrity checks on startup and during updates
Should you have any concerns that your account was affected, our Security Response Team is available via the support widget on the download page and ready to assist you right away.
For general inquiries or to share feedback, you can always use the live chat on that same page.
Your confidence and partnership are what drive us to keep building a safer, more dependable way to protect your digital life.
Stay safe,
Bitwarden Security Response Team
The fake Bitwarden emails have been tied to domains like bitwardenbroadcast[.]blog. Their structure and tone mirror the LastPass phishing campaign, strongly suggesting both came from the same operators.
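Both samples share the same tells: a sender domain that merely contains the brand name, a download link on a domain the vendor does not own, and "we have been hacked" urgency in the subject. The following triage script is an added example written for this article, not code from Malwarebytes, LastPass or Bitwarden. It assumes the vendors' registrable domains are lastpass.com and bitwarden.com, refangs the `[.]` notation used above, and reports every finding for an analyst rather than making a block decision on its own.

```python
import re
from urllib.parse import urlparse

# Assumption: the only legitimate update sources are the vendors' own domains.
OFFICIAL_DOMAINS = {
    "LastPass": {"lastpass.com"},
    "Bitwarden": {"bitwarden.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ADDR_RE = re.compile(r"<([^<>]+)>")
URGENCY_RE = re.compile(r"we have been hacked|immediate|urgent", re.IGNORECASE)


def refang(text):
    """Undo the [.] / [https://] defanging used when indicators are quoted."""
    return text.replace("[.]", ".").replace("[https://]", "https://")


def sender_domain(from_header):
    """Return the domain part of the address in a From: header."""
    m = ADDR_RE.search(from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for .com/.blog, not for co.uk-style suffixes."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_email(from_header, subject, body):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    header_text = (from_header + " " + subject).lower()
    # Which brand does the mail claim to come from?
    brand = next((b for b in OFFICIAL_DOMAINS if b.lower() in header_text), None)
    if brand is None:
        return findings
    official = OFFICIAL_DOMAINS[brand]

    sdom = registrable(sender_domain(refang(from_header)))
    if sdom not in official:
        kind = "lookalike" if brand.lower() in sdom else "unrelated"
        findings.append(f"sender domain {sdom} is not an official {brand} domain ({kind})")

    text = refang(subject + "\n" + body)
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) not in official:
            findings.append(f"link {url} points to {registrable(host)}, not an official {brand} domain")

    if URGENCY_RE.search(text):
        findings.append("urgency language typical of breach-alert phishing")
    return findings


if __name__ == "__main__":
    # Constructed input built from the indicators quoted in the article.
    for line in triage_email(
        "LastPass <hello@lastpassjournal.blog>",
        "We Have Been Hacked – Update Your LastPass Desktop App to Maintain Vault Security",
        "Updating is simple. Download the Updated App At: https://lastpassdesktop[.]com/",
    ):
        print("-", line)
```

A message from the real vendor domain with links back to that same domain produces no findings; the two campaign samples each produce three. The registrable-domain check is deliberately simple: a production mail gateway would use a public-suffix list and also verify SPF/DKIM alignment, which this script does not attempt.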
What the Malware Does
The payload delivered by the LastPass phishing email is not a virus in the traditional sense. Instead, it abuses legitimate IT software. The Syncro agent that gets installed is a real remote monitoring and management (RMM) tool commonly used by managed service providers. In normal environments, Syncro helps IT staff troubleshoot and maintain systems. In this campaign, it has been stripped of features and configured only to silently deploy ScreenConnect.
ScreenConnect is another legitimate tool that provides remote desktop access. By deploying it in this way, attackers gain full control of the victim’s machine without the user realizing it. Researchers found that the Syncro configuration files force the agent to check in with attacker-controlled servers every 90 seconds. Built-in integrations like Splashtop or TeamViewer are disabled, as are the protections the agent would normally provide through its antivirus integrations with products such as Emsisoft, Webroot, and Bitdefender. The result is an agent optimized to remain hidden while keeping the attacker’s foothold stable.
Once ScreenConnect is active, criminals can connect at any time, install additional malware, exfiltrate files, capture keystrokes, and even access password vaults if they are open. In short, the victim’s device is no longer under their sole control.
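A fixed 90-second check-in is exactly the kind of regular cadence that stands out in outbound connection logs, even when the traffic itself is TLS on port 443. The script below is an added example for this article, not a tool from the researchers or from Syncro; it assumes a constructed one-line-per-connection log format (`timestamp src= dst= dport=`) and uses RFC 5737 documentation addresses. It groups connections by source, destination and port, measures the gaps between them, and flags pairs whose gaps barely deviate from their median.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed (constructed) log line format, e.g.:
#   2025-01-01T09:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_events=5, max_jitter=0.1):
    """Return (src, dst, dport) tuples whose connection gaps are regular enough to look like check-ins.

    max_jitter is the largest relative deviation from the median gap that still counts
    as regular; 0.1 tolerates +/-9 s on a 90 s period.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            by_pair[(src, dst, dport)].append(ts)

    beacons = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few events to say anything about cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        spread = max(abs(g - period) for g in gaps) / period
        if spread <= max_jitter:
            beacons.append({"pair": key, "period_s": period, "events": len(stamps)})
    return beacons


def make_sample_log():
    """Constructed sample: one host checking in every ~90 s, one host browsing irregularly."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 1, 0, -1, 0, 1, 0]):
        t = base + timedelta(seconds=90 * i + jitter)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.5 dst=203.0.113.7 dport=443")
    for offset in [0, 7, 130, 131, 400, 1500, 1502]:
        t = base + timedelta(seconds=offset)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.8 dst=198.51.100.20 dport=443")
    return lines


if __name__ == "__main__":
    for hit in find_beacons(make_sample_log()):
        src, dst, dport = hit["pair"]
        print(f"{src} -> {dst}:{dport} every {hit['period_s']:.0f}s over {hit['events']} connections")
```

On the constructed log the 10.0.0.5 pair is reported with a 90-second period and the browsing host is not. Legitimate software (update checkers, monitoring agents an organisation actually deployed) also beacons, so treat a hit as a lead to pair with destination reputation and an inventory of sanctioned RMM tools, not as a verdict.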
How to Protect Yourself
The best protection against scams like this is caution. Never download or install software from a link in an email, even if the message looks authentic. Real updates for LastPass or Bitwarden are distributed only through their official websites or app stores. Check announcements on the company blog or status page if you are unsure about a security alert.
If you already clicked the link or installed the file, assume your computer has been compromised. The fastest and most effective way to remove the threat is to scan your device with a dedicated anti-malware tool. We recommend Malwarebytes, which is specifically built to detect and remove hidden remote access tools and malware threats that traditional antivirus may miss. Malwarebytes can also repair settings that have been tampered with by the attacker to ensure your defenses stay active.
Remove the LastPass Phishing Malware with Malwarebytes
Follow these steps to completely scan and clean your system:
- Download Malwarebytes and save the installer to your computer.
- Run the installer (MBSetup.exe) and follow the prompts to finish setup. You may also be offered Malwarebytes Browser Guard, which blocks malicious sites in real time. Enabling this adds extra protection against phishing attacks.
- Open Malwarebytes and click Get Started. If you are new, you will begin with a 14-day trial of Premium features. After that, it reverts to the free version, which still allows full scans and malware removal.
- From the dashboard, click Scan. Malwarebytes will check memory, startup programs, the Windows registry, and your full file system for active threats.
- When the scan finishes, review the results and click Quarantine to remove all detected malware. Restart your computer if prompted.
- After reboot, run a second scan to confirm that Syncro, ScreenConnect, or any related components have been fully removed.
Once your system is clean, change your LastPass master password from a different device, revoke active sessions from your account, and rotate credentials for sensitive accounts such as email and banking. This ensures any stolen data cannot be used against you. For long-term protection, keep Malwarebytes Premium running to block scams, ransomware, and hidden backdoors before they can do damage.
Key Takeaways
This phishing campaign abuses the names of LastPass and Bitwarden but does not represent a real breach of those companies. The attackers are relying on panic and urgency to trick users into installing malware. With the fake update in place, criminals can hijack your system, disable your defenses, and steal your data.
- The emails come from suspicious domains such as @lastpassjournal[.]blog and @bitwardenbroadcast[.]blog, not from legitimate company domains.
- The so-called update installs Syncro and ScreenConnect, giving attackers remote access to your computer.
- Neither LastPass nor Bitwarden has been hacked. The campaign is purely social engineering.
- The only safe way to update LastPass is through the official website or verified app stores.
- If you clicked, the fastest way to clean your device is by scanning with Malwarebytes and changing your credentials from a clean device.
Phishing attacks work because they prey on fear. By taking time to verify alerts and by protecting your system with Malwarebytes, you can prevent these scams from succeeding and keep your accounts secure.