Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
Which Password Managers Have Been Hacked?

By István F. & Micaela A. Verified by Mary P. Last updated: January 23, 2025

Of the many ‘silver bullets’ out there looking to finally slay the password, none have been able to succeed. What this means is that passwords are here to stay, at least for the time being, and your best shot at both generating unique and cryptographically secure passwords and retrieving them whenever they’re needed is with a password manager.

This is what security experts have been advocating for years because these tools create a safe environment in which users can store all of their credentials and financial data without the hassle of remembering each and every username and password. But how do you pick the best password management service?

Which password managers have been hacked?

One of the key pieces of advice that security experts (ourselves included) give is to take a look at whether the password management service has been hacked before or not, as well as whether it ‘features’ any security vulnerabilities that white-hat hackers have shared with the service providers. If the password management service has patched any vulnerabilities, then it could be a good choice.

To help make that decision a little easier, let’s take a look at the hacking history of some password managers. The aim isn’t a complete list, as you’ll see; instead, we have explored the most important hacks and security vulnerabilities over the years.

Best password managers of 2025

  • Editors' choice: RoboForm (editor's rating 4.5): effective security center, passkey compatibility, intuitive and organized interface, affordable prices
  • Families: LastPass (editor's rating 4): logical interface, automated password categorization, advanced mobile version, various two-factor authentication options
  • Businesses: 1Password (editor's rating 4): end-to-end encryption, secure authentication method, data breach alarms, one-time password support
  • Security features: Keeper (editor's rating 4.5): robust security, wide range of platform support, affordable, great customer support
  • Personal use: NordPass Personal (editor's rating 4.5): strong security features, effective password generator, excellent free version, attractive price
  • Password sharing: Dashlane (editor's rating 4): password changer, built-in VPN, flawless data import, thorough iOS/Android app
  • Local storage: Enpass (editor's rating 4): packed with features, free for desktop users, offline password manager, end-to-end encryption

2023

LastPass (2022 hack update)

After being hacked twice in 2022, more information regarding LastPass’s second incident in October 2022 was released in March 2023. By infiltrating the account of a senior DevOps engineer, the hackers bought themselves some time as alerts of suspicious behavior weren’t immediately triggered. Consequently, the incident was far more severe than initially stated in 2022, with the threat actors gaining access to all customer vault data, such as URLs, ‘pushed’ site credentials, metadata, and much more. The cybercriminals also got their hands on third-party integration and API secrets. However, LastPass’s zero-knowledge model kept all other sensitive information safe. The company’s CEO also listed a series of recommended actions for every LastPass user to ensure their information remains secure and that best practices are being followed.

Norton LifeLock

In the middle of January, the company sent data breach warnings to more than 6,000 of its customers, telling them that their accounts had been compromised. According to Norton, the attacks didn’t breach its systems, meaning that the hackers were targeting individual accounts. The incident dates back to December 2022, when the company started noticing a series of failed login attempts. In other words, the attackers performed credential stuffing, meaning they were trying to enter accounts with usernames and passwords they had acquired elsewhere (likely the dark web). This was clearly a success, as Norton warned that the malicious actors may have gained access to logins stored in the password manager. The company aimed to resolve the issue by resetting passwords on breached accounts and advising customers to start using two-factor authentication.
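
The Norton incident above is a textbook credential-stuffing pattern: the attacker’s own systems are never breached, and the only server-side signal is a burst of failed logins across many different accounts from the same source. The script below is an added example (not Norton’s code or log format) showing how a defender can tell stuffing apart from ordinary brute force: brute force is one username with many password guesses, stuffing is many usernames with one guess each. The log lines and the field layout are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not Norton's real logs).
# One source tries seven different accounts in six seconds; another is a
# legitimate user mistyping their own password twice.
SAMPLE_LOG = """\
2022-12-01T10:00:01Z login user=alice src=203.0.113.5 result=FAIL
2022-12-01T10:00:02Z login user=bob src=203.0.113.5 result=FAIL
2022-12-01T10:00:02Z login user=carol src=203.0.113.5 result=FAIL
2022-12-01T10:00:03Z login user=dave src=203.0.113.5 result=OK
2022-12-01T10:00:04Z login user=erin src=203.0.113.5 result=FAIL
2022-12-01T10:00:05Z login user=frank src=203.0.113.5 result=FAIL
2022-12-01T10:00:06Z login user=grace src=203.0.113.5 result=OK
2022-12-01T10:05:00Z login user=alice src=198.51.100.7 result=FAIL
2022-12-01T10:05:30Z login user=alice src=198.51.100.7 result=FAIL
2022-12-01T10:06:00Z login user=alice src=198.51.100.7 result=OK
2022-12-01T11:00:00Z login user=heidi src=192.0.2.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag sources that attempt many *distinct* usernames within one time window
    with a high failure rate. Returns {src: {"users", "failures", "successes"}}
    for the widest matching window per source; the successes are the accounts
    a defender should reset and push towards two-factor authentication."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        by_src[src].append((ts, user, result))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            fails = sum(1 for _, _, r in window_evs if r == "FAIL")
            if len(users) >= min_users and fails / len(window_evs) >= min_fail_ratio:
                if best is None or len(users) > best["users"]:
                    best = {"users": len(users), "failures": fails,
                            "successes": len(window_evs) - fails}
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {stats['users']} accounts tried, {stats['failures']} failures, "
              f"{stats['successes']} successes (reset these and require 2FA)")
```

The thresholds are deliberately parameters: a consumer service with millions of users will tune `min_users` and the window to its own baseline, and will typically key on more than the source address (ASN, user agent, device fingerprint) since stuffing tools rotate proxies. The key design point is that the alert is built around distinct usernames per source, which is what single-account lockouts never see.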

1Password

In September, 1Password discovered suspicious activity in its system that manages employee-facing applications. This news understandably raised concerns among users about the safety and security of their sensitive information. However, the company acted swiftly and confirmed that there was no unauthorized access to user data. Upon investigation, 1Password found that the initial unusual activity came from the support system of the IT service management company, Okta. The hackers used stolen credentials to gain access to support case management. Several statements from 1Password’s chief technology officer confirmed that the company could identify and terminate the attack and that the software’s security measures were continuously being enhanced. Although a bit concerning, the whole situation highlighted the importance of constant vigilance when it comes to online security and demonstrated 1Password’s commitment to transparency and willingness to act fast to protect user data.

2022

LastPass

In August, the company notified its customers about a security incident within its development environment. The bad actor’s activity lasted four days, and some of the software’s code and technical information were taken. At the time, the security team thought it was able to contain the incident, as there was no evidence that any customer data or encrypted password vaults were accessed. However, in December 2022, the company discovered that the hacker was able to copy sensitive information, which contained account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses. The cybercriminal was also able to obtain information on customers’ vault data, containing both unencrypted data (such as websites) and encrypted data (usernames, passwords, secure notes, and form-filled data). Fortunately, this information remains secure with 256-bit AES encryption and can only be decrypted with the user’s master password, which LastPass doesn’t have access to due to its zero-knowledge architecture.

2021

Passwordstate

Between the 20th and 22nd of April, attackers compromised the software’s update mechanism and used it to deliver a malicious DLL file to users’ computers while the upgrade was running. The file collected data such as usernames, passwords, and domain names and sent it to the attackers’ server. A couple of days later, the attackers followed up with phishing emails, using screenshots of legitimate correspondence between the company and its customers that had been posted on social media, telling users to download an urgent fix for the hack. Installing that file only deepened the infection.

2020

Dashlane, LastPass, Keeper, 1Password, and RoboForm

Researchers Michael Carr and Siamak F. Shahandashti from the University of York released a study analyzing these five password managers for security vulnerabilities. To test these companies’ phishing resistance, the researchers created a false Google app, which was able to trick both 1Password and LastPass into revealing a password. They also discovered that Keeper, Dashlane, and 1Password don’t limit the number of login attempts while entering the master password, making it easier for hackers to perform brute-force attacks. Most shockingly, all these password managers, except for 1Password, failed to protect credentials from being pasted as clear text from the clipboard.

2019

  • Dashlane, LastPass, and KeePass: Research carried out by Independent Security Evaluators (ISE) uncovered that while running in the background, these password managers could leak unencrypted credentials. According to the researchers, these companies don’t always encrypt and clear passwords from the computer’s memory when the user logs out.
  • 1Password: The same research found that 1Password fails to clear out the master password after the user has logged out and has the software still running in the background. In some cases, the password can even be seen in plain text. The silver lining is that since your computer has built-in defenses against memory access attacks, these failures can only be harmful if malware has already gotten into the device.

2018

  • Keeper: Even though the company’s executive Aaron Gessner denied the claims, security researcher Chris Vickery discovered an exposure on the server hosting Keeper’s installer files. The server wasn’t password protected, so anyone could’ve had access to its contents, including copies of the company’s Windows, Mac, Android, and iPhone install files. Regardless of the exposure, there’s no confirmation that Keeper’s website was directly linking to the files on the server, so determining the risks to customers, or even affirming they existed, is nearly impossible.

2017

  • LastPass: Tavis Ormandy discovered a vulnerability in its browser plugins, which LastPass called a “major architectural problem”. The password management service advised users to avoid using its browser plugins while it dealt with the issue.
  • OneLogin: An attacker had “obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S.”
  • Keeper: Tavis Ormandy discovered that the service was exposing passwords to unreliable web pages.

2016

  • MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Keepsafe, Avast Passwords, and 1Password: This was a busy year in terms of password management vulnerabilities. TeamSIK (Security Is Key), a group of people interested in IT security from the Fraunhofer Institute for Secure Information Technology, discovered serious security flaws in the most popular password management apps developed for the Android platform.
  • LastPass: Google Project Zero Hacker Tavis Ormandy discovered a critical zero-day flaw that allowed any remote attacker to compromise accounts completely.

2015

  • KeePass: When this program runs on a computer where a logged-in user has the KeePass database unlocked, KeeFarce (a hacking tool) decrypts the entire database and writes it to a file that the hacker can easily access. In theory this kind of hack makes all password managers vulnerable.
  • LastPass: An intrusion into the company’s servers was detected. While encrypted user data wasn’t stolen, cybercriminals stole LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.
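
Three of the incidents above rest on the same design: the 2022 LastPass notice (vaults encrypted under a key derived from the master password, which the provider never holds), the 2020 York study (products that never limit master-password attempts invite brute force), and the 2015 theft of per-user salts and authentication hashes. The code below is an added example, not LastPass’s or any other vendor’s implementation, that shows how those pieces fit together: the client stretches the master password into a vault key that stays on the device, sends the server only a separately derived authentication hash, and the server stores that hash with a per-user salt and locks the account after repeated failures. The iteration counts, lockout values, and the two-stage derivation are assumptions chosen for illustration; the vault encryption step itself is left out.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for this example; real products pick their own.
KEY_LEN = 32              # 256-bit key, matching the "256-bit AES" vaults the article mentions
KDF_ITERATIONS = 100_000  # per-guess cost for anyone who steals the server's records
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Client side only: stretch the master password into the vault encryption key.
    This key never leaves the device, which is what 'zero knowledge' means in practice."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round over the vault key (assumed design, modelled on the
    'authentication hashes' in the text). This value is what the client sends and the
    server stores; it cannot be reversed into vault_key, so a server breach exposes
    salts and auth hashes, not the keys that open vaults."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def client_enroll(master_password: str):
    """Create a fresh per-user salt and return (salt, vault_key, auth_hash)."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt)
    return salt, vault_key, derive_auth_hash(vault_key, master_password)


def client_login_proof(master_password: str, salt: bytes):
    """Recompute (vault_key, auth_hash) on the device from the stored salt."""
    vault_key = derive_vault_key(master_password, salt)
    return vault_key, derive_auth_hash(vault_key, master_password)


class AuthServer:
    """Holds salt + auth hash per user and enforces an attempt limit, the control
    the 2020 study found missing in several products. `clock` is injectable for tests."""

    def __init__(self, clock=time.monotonic):
        self.accounts = {}
        self.clock = clock

    def register(self, username: str, salt: bytes, auth_hash: bytes) -> None:
        self.accounts[username] = {"salt": salt, "auth_hash": auth_hash,
                                   "failures": 0, "locked_until": 0.0}

    def salt_for(self, username: str) -> bytes:
        return self.accounts[username]["salt"]  # the salt is per-user, not secret

    def login(self, username: str, auth_hash: bytes) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a bad password: do not reveal valid usernames
        now = self.clock()
        if now < acct["locked_until"]:
            return "locked"  # even a correct proof is refused until the lockout expires
        if hmac.compare_digest(acct["auth_hash"], auth_hash):  # constant-time compare
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    server = AuthServer()
    salt, vault_key, proof = client_enroll("correct horse battery staple")
    server.register("alice", salt, proof)
    print("server holds vault key:", vault_key in server.accounts["alice"].values())
    print("login with correct proof:", server.login("alice", proof))
```

Two points worth noticing. The server never sees the master password or the vault key, so an intruder who copies its database gets exactly what the 2015 LastPass attackers got: salts and authentication hashes, each of which costs a full KDF run per guess to attack offline. And because the lockout is enforced server-side, an attacker cannot sidestep it by trying guesses faster, which is the weakness the York researchers flagged in clients that never counted attempts.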

2014

  • LastPass, My1Login, NeedMyPassword, PasswordBox, and RoboForm: Researchers at the University of California Berkeley discovered a number of vulnerabilities in a handful of password managers. “In four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in their paper.

Does this mean we should stop using password managers?

No, not at all. The recent hacks and security vulnerabilities found in these services underscore one important aspect in security: no piece of software is able to truly offer more than 99% security. Reaching 100% security is impossible with any kind of software because every piece of code will have an Achilles heel somewhere that makes it vulnerable.

The real question is a different one: what does the team of developers do to protect user data, and what attack scenarios did they have in mind when they coded the software? Of course, if a service is static and the developers don’t keep their security up to date, then it can easily be hacked.

Convenience vs. internet security: which side are you on?

How user data is protected should be the main consideration when picking a password manager. Other features have their importance, but this is the one thing you should always weigh before making the final decision. Another important aspect is transparency in communication: for example, how do the developers break bad news to their users?

Free password managers are great utilities to start with, just be sure to keep an eye on the updates. Check the update history of the software, and if there isn’t much to check on, treat it as a sign to move on to the next one. A lot can happen in just a few weeks in the security industry, so the bare minimum on your list of expectations should be up-to-date software and a quick response time to any security breaches or attacks. Otherwise, you could end up vulnerable to cyber attacks, which is the opposite of what you wanted in the first place.

Why you can trust us

The Best Reviews team researches and tests all products first-hand. We've been reviewing products and services since 2012 and are proud to only publish human-created content.

User feedback

  • My Instagram password please
    Mary P.: Hello Naresh, we're not really sure what you're requesting here. Please could you provide us with more information?

©2012-2025 Best Reviews, a clovio brand – All rights reserved