Jul 15, 2026 · 6 min read
Fake LastPass, Bitwarden Alerts Are Phishing Your Vault
An email claiming to be a routine security policy update landed in inboxes this month with a link to a page branded like DocuSign. It came from neither LastPass nor Bitwarden. BleepingComputer flagged the campaign on July 14, 2026, after tracking two parallel waves of lookalike domains built to sit one click from the password manager both companies protect.
Key Takeaways
- BleepingComputer reported on July 14, 2026 that phishing emails from hello@lastpassnewsletter.com and hello@bitwardennewsletter.com are impersonating both password managers with fake security policy notices.
- The emails route recipients to lastpasscompliance.com and bitwardencompliance.com, two lookalike domains already flagged as malicious by Microsoft Defender for Office 365 and Cloudflare.
- Both landing pages copy DocuSign's branding and push visitors toward a Windows or macOS download whose exact payload LastPass said it was still investigating at publication time.
- LastPass confirmed its own systems were not touched, said it will never ask for a customer's master password, and is directing reports to abuse@lastpass.com.
- This is the third LastPass branded phishing wave documented in 2026, following a January vault backup lure and a March campaign built around verify-lastpass.com that harvested master passwords directly through a fake login page.
What Do the Fake Alerts Look Like?
The LastPass version arrives from hello@lastpassnewsletter.com with a subject line built to sound procedural, framed around a review of updated security policies rather than a breach or an emergency. Per BleepingComputer's reporting, the message describes changes that sound plausible for a security vendor to make: enhanced SaaS monitoring, a master password reset option for administrators, and admin console improvements. None of it is real. The Bitwarden version runs the same playbook from hello@bitwardennewsletter.com, pointing instead to bitwardencompliance.com. Neither newsletter domain belongs to either company.
What makes the lure effective isn't urgency, it's the opposite. A routine policy update reads as low stakes, the kind of email a busy admin skims and clicks through rather than scrutinizes.
What Happens on the Fake DocuSign Page?
The link in both emails leads to a landing page styled like a DocuSign document ready for review, a second layer of impersonation stacked on the first. Per CyberInsider's coverage of the campaign, the page prompts a download it claims supports both Windows and macOS and includes a live chat widget, a detail that adds a thin layer of legitimacy most phishing kits skip. LastPass told reporters it had not yet confirmed what the downloaded file does. That uncertainty matters more than a confirmed payload would, because it means the safe assumption has to be the worst one: a remote access tool or an infostealer capable of pulling saved sessions and extension data, the same category of malware our breakdown of the REMUS infostealer covers pulling directly out of password manager extensions.
Why Email Users Should Care
A password manager is built around one assumption: the master password never leaves your head. LastPass and Bitwarden both run on zero knowledge architecture, meaning neither company can read your vault even under compulsion, which is exactly why our look at zero knowledge password manager attacks found that most real world compromises target the human step rather than the encryption. That step starts in an inbox. Strong encryption offers no protection against an email that convinces you to type your master password into a page that isn't LastPass, or to run a file that hands an attacker your unlocked session directly.
A compromised password manager account is a skeleton key to every other account tied to it, which is why security teams treat this category of phishing as higher severity than a single credential theft. Gmail's spam filters catch a lot of noise, but a well crafted, low urgency email from a domain close enough to the real thing routinely slips through, landing beside every legitimate LastPass or Bitwarden notification a user has ever trusted.
How Do You Spot a Fake Password Manager Email?
Check the sender's full address, not the display name. LastPass's own advisory on a March 2026 phishing wave made this point directly, warning that most email clients, especially on mobile, show only a display name and hide the real sending address unless a user expands it. A few habits close most of the gap the lure exploits:
- Never click a link inside an email claiming to be from LastPass or Bitwarden to log into your vault. Open a browser tab and type the address yourself, or use a saved bookmark.
- Check the domain character by character. lastpasscompliance.com and bitwardencompliance.com belong to neither company, and neither does any domain ending in newsletter.com, pulse.blog, or broadcast.blog.
- Treat any request to download desktop software from an emailed link as a red flag. Both companies distribute their apps through their own sites and official app stores.
- Turn on hardware backed two factor authentication for the vault itself. A YubiKey or platform passkey stops an attacker cold even if a master password gets typed into the wrong page.
- Report suspicious messages to abuse@lastpass.com or Bitwarden's security contact so the domains reach takedown requests faster.
What Should You Do If You Already Clicked or Downloaded the File?
Change the master password immediately, but do it by navigating directly to lastpass.com or bitwarden.com in a fresh browser tab rather than through any link tied to the original email, and sign in from a device you trust, not the one that may have run the download. If a file did run, disconnect that machine from the network and treat it as compromised until a full malware scan comes back clean, since a remote access tool installed silently can keep working long after the email is deleted. Review the vault's activity log for logins, exports, or new trusted devices you don't recognize, and rotate anything stored inside you consider high value, starting with financial and email accounts. This wave hasn't been publicly tied to any specific prior data theft, but it lands a few weeks after LastPass disclosed that customer contact data was stolen through a breach at Klue, its Salesforce connected vendor. LastPass has not linked the two incidents, and no source has confirmed the phishing emails used the Klue derived contact list, so treat that timing as context rather than a proven cause.
Is This Part of a Bigger Pattern?
Yes, and it's escalating in sophistication, not just frequency. LastPass has documented three distinct branded phishing waves in 2026: a January campaign built around a fake 24 hour vault backup deadline, a March campaign that used the domain verify-lastpass.com and a counterfeit single sign on page to harvest master passwords directly, and this month's compliance themed wave that swaps credential harvesting for a still unidentified download. Per SecurityAffairs' analysis of the March campaign, that operation used eight sender addresses and seven subject lines to dodge simple filters. Each wave changes its delivery mechanism just enough to slip past defenses tuned for the last one.
The Bottom Line
Neither LastPass nor Bitwarden sends security policy updates that require a software download through an emailed link, full stop. Both companies have said so repeatedly this year, and both keep getting impersonated anyway because the tactic keeps working on someone. The inbox is the constant across every wave, the same trust our coverage of fake job interview phishing against Google accounts found attackers exploiting elsewhere this year. Treat every unsolicited password manager email as untrusted by default, verify through a bookmark, and report what doesn't check out.