Remembering hundreds of secure passwords isn’t really possible unless you’re some kind of savant. What to do? Well, passkeys are a great alternative, but they’re far from universal… so some kind of password management system is almost essential. But those put all your passwords behind a single point of failure, which can become a target of hackers. That’s happening to LastPass and Bitwarden right now.
A large phishing campaign is targeting both of these popular cross-platform password management systems, according to a report from BleepingComputer. LastPass has confirmed the campaign, which is sending out mass emails that claim the password managers have been hacked and that the companies are distributing new desktop programs for increased safety. For the record, it appears that neither LastPass nor Bitwarden has actually been hacked as of this writing (at least not recently). These are phony messages trying to get you to install a remote access program, presumably to steal your data.
Interestingly, the mass phishing campaign hides a legitimate remote access tool in the malicious download: Syncro, which is an alternative to programs like LogMeIn or Windows Remote Desktop. BleepingComputer also reports an apparently separate phishing campaign for 1Password that began last week. Cloudflare has been blocking access to at least some of the links in these emails.
Remember, if a message arrives in your email inbox claiming that you need to download something or log in for confirmation, double-check the sender’s email address and never click those direct links. Look at the company’s public-facing web page for verification, and manually log in via a separate window, browser, or even device.
Author: Michael Crider, Staff Writer, PCWorld