The Biggest Password Manager Security Breaches of 2017: Nothing Is Truly Safe

By Zoltán G. Verified by Sander D. Last updated: July 16, 2024

There is a very good reason why people who pay attention to their online security choose password managers.

Not only is it more convenient thanks to its ‘one password to rule them all’ function, but thanks to cloud-based technology it is also safer than keeping all your passwords in a spreadsheet.

However, as with anything uploaded to the internet, your passwords can be compromised – and not even the best password managers are safe from blunders in which the data of millions of users is leaked. In the past few years – particularly in 2017 – there were plenty of security breaches, so here are a few you should know about…

OneLogin: ‘Tis but a scratch!

Kicking off our list is the most recent incident, and the only bad example of how a company should react when it comes to properly telling its customers that their data may or may not have been compromised.

On May 31, 2017, identity management outfit OneLogin alerted its users on its blog that “unauthorized access to OneLogin data in our U.S. data region” had occurred. At first the problem didn’t seem too serious, but users later reported that the emails they received from the company were more than worrying. To pour salt into the wound caused by this catastrophic communication, OneLogin not only forced its users to seek the solution on a registration-required support page, but this very page also revealed that in fact all U.S. customer data had been compromised to such an extent that hackers could easily decrypt the supposedly encrypted data. As a final insult, users were given a list of instructions consisting of 12 steps that could have frustrated even tech-savvy users.

The big nine: Unsafe apps

In February 2017 a group of security experts from TeamSIK discovered that the apps of nine of the most popular password manager companies were at risk of being hacked. These nine at-risk companies were LastPass, Keeper, 1Password, My Passwords, Dashlane, Informaticore’s Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords. The biggest blunder, however, was committed by the apps of Informaticore and LastPass: the master passwords of users appeared as plain text or the encryption key itself was exposed in the code, making the apps vulnerable to data residue attacks and clipboard sniffing.

Thankfully, the developers of these apps reacted faster than you can say Jack Robinson, and released patches on March 1, 2017, way before the findings of TeamSIK were officially published.

LastPass: Faulty browser plug-ins

Browser add-ons are crucial for password managers to be able to work properly, otherwise they couldn’t import all those passwords you use on various sites. So if this plug-in is compromised, it’s bad news for everyone – except the hackers, that is. And that’s exactly what happened to LastPass, one of the most popular password managers on the market and – for this very reason – a company that is a regular target of hacker attacks.

Although similar attacks occurred in 2011, 2014 and 2015, the most recent is the most relevant right now: on March 20, 2017, Google security researcher Tavis Ormandy reported to LastPass that its extensions could have given hackers the opportunity to access internal commands, and thus enable them to remotely steal passwords. To make things worse, the same researcher reported a similar bug, this time in LastPass’s Firefox extension, forcing the company to release patches twice within 24 hours.

Despite the company’s initial reaction being more than questionable – it remained silent for a few hours after the breach was discovered – LastPass did eventually eliminate the vulnerability and also made sure that its users were prepared: they were instructed to launch sites directly from the LastPass Vault, use two-factor authentication, keep an eye out for phishing attacks, and additionally change their master password.

It’s still safe

Even though the above examples show that password managers can still be compromised, protecting the data stored within such programs is relatively easy. Turning on two-step authentication, monitoring your bank accounts and checking to see if your email address has been stolen by attackers are highly important, as is keeping an eye out for phishing scams and checking the security settings of any site you are registered with. And last but not least, the moment a security breach is revealed for your password manager, it is important that you replace the compromised account’s password with a new one created by a password generator and repeat this process with every site where you have used the same login credentials.

