Fake password-manager breach lure — "your vault was breached" / "master password found on dark web" from non-vendor sender, targeting 1Password / Bitwarden / Dashlane / NordPass / Keeper / Proton Pass / LastPass users (2024-2026 post-LastPass pattern)

Fake "your vault was breached" / "your master password was found on the dark web" / "unusual login detected on your vault" email impersonating a password manager (1Password, Bitwarden, Dashlane, NordPass, Keeper, Proton Pass, LastPass, Enpass, RoboForm, Passpack). The LastPass 2022 breach set the template for this attack: attackers send these lures to ANY email address and a tiny percentage of recipients actually use the impersonated service — but those who do stand to lose the master password, which is the single key that unlocks access to ~80 percent of the victim's online identity (banking, email, social, all in one shot). Documented continuously through 2024-2025 in Proofpoint, Abnormal Security, and SpyCloud threat intelligence feeds. Fires when the body references a password manager by brand name OR generic "password vault / manager" AND contains breach/incident/emergency language (breach, dark web, compromised, unusual login, master password, emergency access, security incident) AND the sender is NOT one of the real password-manager vendors (1password.com, bitwarden.com, dashlane.com, nordpass.com, keepersecurity.com / keeper.com, protonpass.com / proton.me, lastpass.com / logmeininc.com, enpass.io, roboform.com, passpack.com). Auto-classified as danger via the `-lure` suffix.