BleepingComputer reports that attackers are running phishing campaigns impersonating LastPass and Bitwarden, sending fake security alerts designed to trick users into handing over credentials or taking actions that compromise their password vaults. Password managers are high-value targets: a single successful phish can hand attackers the keys to every account a victim stores, not just one login.
For small and mid-size businesses, this matters directly -- if your team relies on LastPass or Bitwarden (and many do, precisely because security-conscious owners push for password managers), a convincing fake alert could undo that entire investment in one click. Employees are conditioned to act fast on "security alert" emails from tools they trust, which is exactly what makes this lure effective.
What to do: remind staff that password managers never ask you to "verify" your master password via email link -- always navigate to the vault directly through the official app or bookmarked URL, never through emailed links. Enable multi-factor authentication on the vault account itself, and consider a quick team reminder this week: don't click, go direct.