By Davey Winder, Senior Contributor.

Your email account password is a primary target for hackers, as Gmail users will be only too aware, and certain email attacks are surging as a result. Yet there’s only one password that can truly claim to hold the keys to your online kingdom. Yes, we are talking about your password manager master password. No wonder, then, that hackers will try anything to relieve you of it. LastPass, as one of the most popular password managers, is no stranger to these attempts. I’ve already reported how, oh the irony, an email claiming that LastPass accounts had been hacked was being used in one such phishing campaign. Now, LastPass itself has issued a warning to all users, having identified an ongoing attack that exploits the password manager’s inheritance process, which exists to allow family members to access legacy user vaults. Here’s what you need to know about the ‘Are You Dead?’ LastPass master password threat.

As phishing lures go, asking a potential victim of a password hacking attack if they are dead would seem, at least on the surface, to be rather more ridiculous than most. However, the devil is always in the details. First, there’s the fact that the email itself appears for all intents and purposes to come from a LastPass alerts email address. Then, there’s the wording, which is cleverly constructed to grab your attention, perhaps because it is so bizarre. The subject line of “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)” instills the necessary urgency, albeit the block capitals used should be a red flag, as no genuine organization would likely adopt such formatting. Then, the message body itself begins with: “A death certificate was uploaded by a family member to regain access to the LastPass account XXXXXXXXXXXXX.”