An Email From LastPass or Bitwarden Regarding Security May Be a Scam.

You trust your password manager to protect your logins, documents, and personal data—and you likely also trust the notifications it sends you with instructions on how to maintain that security. Scammers are counting on just that: a new phishing campaign is targeting LastPass and Bitwarden users with fake security alerts designed to compromise their data and devices.
Earlier this week, LastPass warned users about a scam in which attackers send phishing emails disguised as official security notices. The messages originate from hello[at]lastpassnewsletter[.]com with the subject line “Action Required: Review LastPass’s Updated Security Policies.”
In the email, the attackers described purported changes to LastPass’s security monitoring and reporting protocols and noted that users “have 14 business days to review and accept the updated terms” via DocuSign. The link redirected to https[:]//lastpasscompliance[.]com/, which appeared to be a legitimate DocuSign page with a chatbot window and prompted users to “download” DocuSign to review and sign a document. It is unclear whether the goal was to distribute malware or harvest user credentials, as the malicious website has since been removed. However, according to BleepingComputer , Bitwarden users were targeted by a nearly identical campaign.
How to spot a password manager scam
At first glance, phishing emails targeting LastPass and Bitwarden users appear quite convincing. They use technical jargon, so users may skip the details and believe the information is genuine. The email does contain a call to action, but states that users have 14 days to accept the terms or their account “may be temporarily suspended”—so the urgency is somewhat lower than in some other scams. The email even assures users that their vaults and accounts are “fully secure” and states that the necessary steps are “purely” administrative in nature.
However, both the sender and the URL should be suspicious. Neither lastpassnewsletter[.]com nor lastpasscompliance[.]com are official LastPass domains, nor is bitwardencompliance[.]com the real Bitwarden website. Never enter your master password or other credentials unless you’re going directly to a website or your password manager vault—links from emails, text messages, or social media posts could be phishing attempts. If you provide your credentials to a suspicious site, update them immediately from a trusted device. You also shouldn’t need to download software or use DocuSign for your password manager, and any activity on your account should occur while logged in to a legitimate website or vault.