Fake LastPass and Bitwarden emails send users to bogus DocuSign pages
Criminals are impersonating two of the biggest password managers with polished 'policy update' emails that push a malicious file download.

Key points
- LastPass confirmed on the week of the alert that a phishing campaign is impersonating its brand using the domain lastpasscompliance[.]com.
- The fake emails come from hello@lastpassnewsletter.com and claim LastPass has updated its service policies.
- Bitwarden customers are being hit with the same trick from hello@bitwardennewsletter.com, pointing to bitwardencompliance[.]com.
- LastPass says its own systems were not broken into and the emails did not come from its servers.
- The fake page offered a download for both Windows and macOS before it was taken offline.
Password managers are the keys to the kingdom. If a criminal gets your master password, they get every other password you own. So a phishing run aimed at LastPass and Bitwarden customers is worth paying attention to.
LastPass has warned users about a live campaign of fake security notices, first reported by BleepingComputer. The emails look like a normal corporate update. They talk about new monitoring features, changes to how admins can reset master passwords, and improvements to the admin console. There is a friendly button that says "Review & Access Terms".
Click it, and you land on a page dressed up to look like DocuSign, the well known service companies use to sign documents online. The real giveaway is the web address: lastpasscompliance[.]com, which is not a LastPass domain. Microsoft Defender for Office 365 and Cloudflare have both flagged it as malicious.
The fake page then tries to get you to download a file. It offers versions for Windows and Mac. LastPass could not confirm exactly what the file does, which usually means one of two things: password-stealing malware, or remote-access malware that lets the attacker log in to your machine as if they were sitting at it. The site even had a live chat box, though nobody is sure if a human was on the other end. It has since been pulled down.
Bitwarden users are getting the same treatment. Same template, same trick, different brand name in the sender address.
Should I be worried if I use LastPass or Bitwarden?
Only if you clicked. The campaign is a phishing run, not a break-in at either company. LastPass has been clear that its infrastructure was not touched, and there is no sign Bitwarden's was either. The criminals are borrowing the brands, not the systems.
If you did click and typed your master password, act now. Change that master password from a device you trust, not the one that ran the download. Then open your vault and look for logins you do not recognise. Change anything sensitive: email, bank, work accounts. LastPass asks users to forward suspicious emails to abuse@lastpass.com and reminds people that it will never ask for your master password by email. Ever.
If you downloaded and ran the file, treat the machine as dirty. Get it looked at, or wipe and reinstall.
This is not the first time LastPass customers have been in the crosshairs this year. In March the company warned about fake "unauthorised access" alerts designed to panic people into logging in on a fake page. In January there were bogus emails claiming users had 24 hours to back up their vaults before maintenance. The pattern is the same each time: urgency, a branded button, a lookalike domain.
In practice, the failure mode here is not technical. It is that a well designed email with the right logo will beat a busy person every time.
One thing worth checking today: bookmark the real LastPass or Bitwarden login page in your browser and use only that bookmark. Never log in from a link in an email.



