Concise Cyber

LastPass Targeted by Attackers Using Fake Death Claims to Access Vaults

New Social Engineering Threat Emerges

A sophisticated social engineering tactic has been identified targeting the LastPass password manager. Threat actors are attempting to gain unauthorized access to user accounts by falsely claiming the account holder is deceased. This method seeks to exploit the platform’s Emergency Access feature, a legitimate tool designed to help trusted contacts access a vault in case of the owner’s death or incapacitation.

The attack vector was brought to public attention by a security researcher known as “ciao” on X (formerly Twitter). The researcher discovered threat actors on a dark web forum discussing the strategy. The method involves directly emailing LastPass support, posing as a relative of the targeted user, and providing a forged death certificate to initiate the emergency access protocol.

LastPass Response and Security Measures

In response to the public disclosure, LastPass confirmed its awareness of the tactic. The company reported a single incident where a threat actor attempted to use this method to breach an account. According to LastPass, the attempt was unsuccessful due to the company’s security protocols, which prevented any unauthorized access to the user’s vault.

LastPass clarified that its verification process for Emergency Access requests is rigorous and involves more than just the submission of a death certificate. The company emphasized that its multi-layered verification procedures are specifically designed to thwart such fraudulent social engineering attempts. This event highlights the ongoing efforts by malicious actors to find and exploit human-centric processes within security systems to bypass technical controls and compromise sensitive data.