IMO, LastPass should have bought many of the look-alike and easily mistyped domains a long time ago. lasspass.com, laspass.com, latpass.com, lasypass,com, etc. But since you haven't done this, the least you could do is throw a big warning via the extension when a user visits a domain like this. For years I have personally setup LP like websites on a similar domain for my internal team's training... sending phishing emails to their accounts with links to the bad domain... that looks like lastpass... but isn't. It's a good exercise in watching just how simple it is for someone to give away credentials to the castle. Even without email phishing, a rouge entity can setup like-domains, and people attempting to go directly to a website but mistype it, could easily wind up being detrimental. With other checks in place for my business, and the training I provide, I am not too worried about this internally. But I do have great concern for the countless other personal use users you have that are not aware. While password managers are great, it's comes at a huge cost as well. Everything is centralized. This is one of the easiest ways users are going to lose their stuff to hackers. You should have been on top of this a long time ago imo.