PC Gamer
James Bentley

LastPass warns of a new phishing campaign involving death certificates and a nefarious email that demands you reply to it if you're not dead

Fallout hacking minigame.

If you've recently been informed that a death certificate is being used to get into your LastPass account, you have fallen victim to bad actors.

LastPass, one of the most popular password manager providers, has recently published a blog post detailing a deceptive new scam that claims a death certificate has been uploaded on your behalf (via BleepingComputer). The scam claims that another family member is attempting to access your LastPass account via the death certificate, and "if you have not passed away and believe that this is a mistake, please reply to this email with STOP."

Replying to this fake email, according to LastPass, will cause the scammers to create a fake case and ID number, then redirect you to a site where you're asked to reset your password. As you might be able to guess, the site recipients are sent to is a fake, designed to capture a user's email address and password details via a dummy form, which are then used to gain access to your LastPass account.

LastPass claims that the creator of this scam has gone so far as to call some recipients, asking them to reply to the email and go through the website they've set up. The URL users are directed to has been linked by Google Threat Intelligence with the cybercriminal organisation CryptoChameleon. That same group were reportedly behind a LastPass phishing kit in April last year.

If you have been sent this email, you can forward any details to abuse@lastpass.com. As always, checking the email sender thoroughly and cross-referencing it with the email addresses listed on official websites is one of the best ways of avoiding scams.
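The sender check described above can be scripted. The following is an added example, not code from LastPass or the article: it assumes the official domain is the one in abuse@lastpass.com, and the `triage` helper, the lure patterns and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: official mail uses the domain seen in abuse@lastpass.com.
OFFICIAL_DOMAINS = {"lastpass.com"}
# Lure wording quoted in the article (label -> pattern tolerant of line wraps).
LURES = {"death certificate": r"death\s+certificate",
         "reply with STOP": r"reply\s+to\s+this\s+email\s+with\s+stop"}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def is_official(domain):
    """True for an official domain or a subdomain of one, not a lookalike."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(raw_message):
    """Return a list of reasons the message deserves suspicion."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg["From"] or "")
    from_domain = domain_of(msg["From"])
    if not is_official(from_domain):
        findings.append("sender domain not official: " + from_domain)
        if "lastpass" in display_name.lower():
            findings.append("display name claims LastPass")
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To differs from sender: " + reply_domain)
    # Text of every non-container part (encoded parts are not decoded here).
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    for label, pattern in LURES.items():
        if re.search(pattern, body, re.IGNORECASE):
            findings.append("lure wording: " + label)
    return findings

# Constructed sample message; addresses use the reserved .example domain.
SAMPLE = """\
From: "LastPass Support" <support@lastpass.com.account-help.example>
Reply-To: cases@recovery-desk.example

A death certificate was uploaded. If you have not passed away,
please reply to this email with STOP.
"""
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

An empty result is not proof that a message is genuine, because a From header can be forged; the check only surfaces mismatches worth a closer look.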

(Image credit: LastPass)

A bad actor getting access to your LastPass account is a particular problem, as your password manager holds the login details for the sites you have accounts on. Even if someone can't get your password to other sites from inside your account, they could use that to log in to other websites if you don't have two-factor authentication on.

LastPass does have two-factor authentication, though, and that's something you will want to turn on, both there and on pretty much any account on any website that supports it, if you want an extra layer of security.

As always, 2FA is worth setting up. Given that you need to sign off on access to your accounts via your phone, a bad actor getting your password doesn't mean they can actually get into your account. It's a nifty tool and only takes a few moments to get up and running.
