Password manager breaches are more common than ever, and understandably, users are not very forgiving when they happen.
Unfortunately, this is the nature of the beast. For every password manager that claims to be “secure,” there are attackers ready and waiting to prove the claim wrong.
Over the last several years, many password managers have learned the hard way that it’s never a good idea to get too comfortable with the current security of any platform. Every company must stay ahead of security best practices and the hackers continually trying to penetrate their systems.
Keep reading to learn about some of the worst password manager breaches of all time.
A password manager is any application or platform that creates, stores, and manages the passwords for a user’s online accounts.
Early password managers were little more than vaults: you copied a stored password out of the vault and pasted it into the sign-in page.
Today they also store non-password data in custom fields, autofill credentials in apps and on websites, and generate one-time passcodes (TOTP codes) for two-factor login.
Here are some of the worst password manager breaches to date:
LifeLock, an identity-theft-protection service now owned by Gen Digital (formerly NortonLifeLock), is no stranger to security scandals. We can’t discuss LifeLock without bringing up its infamous marketing stunt, in which then-CEO Todd Davis printed his own Social Security number on billboards and ads to prove the product worked.
How effective was it, really? By 2010 his identity had reportedly been stolen 13 times.
While LifeLock has had several other issues over the years, the incident relevant here came to light in January 2023, when the company notified roughly 6,450 customers that attackers had logged into their accounts in a credential stuffing attack detected in December 2022. For customers who used Norton Password Manager, the company could not rule out that the attackers had also reached the stored vault data.
Credential stuffing means taking username/password pairs exposed in one breach and trying them, at scale and with automated tooling, against other services. It works because people reuse passwords. This is why it’s so important, after any breach, to immediately change the password on every other account where you reused it.
Better yet, use a different, random, strong password for every account, so a breach of one service cannot be replayed against another. In other words, #keepitcloaked.
What does #keepitcloaked mean exactly? Cloaked can generate a new strong password for each of your online accounts in a single click. You can also sign up for accounts with masked email addresses and phone numbers from Cloaked, so they can’t be linked back to you.
Needless to say, 2022 was a rough year for password managers.
LastPass suffered two linked incidents in 2022. In August, attackers compromised a software engineer’s corporate laptop and used it to steal source code and technical information from the development environment. A second incident, disclosed in November, used what was taken in the first to reach LastPass’s cloud storage, including backups of customer vaults.
The biggest “oof?” In the second incident, the attackers went after a DevOps engineer’s home computer rather than the corporate network. They exploited a vulnerable third-party media package on it to install keylogger malware, which captured the engineer’s master password after multi-factor authentication had been completed. That opened the engineer’s corporate vault, which held the credentials and keys needed to access the cloud backups. Because every step used valid credentials, the activity looked like legitimate employee work and took a long time to detect.
The vault backups were encrypted, but that is not the whole story: website URLs and some other metadata in LastPass vaults were stored in plaintext, so the attackers could see which users held accounts at cryptocurrency exchanges and wallets, and a vault protected by a weak master password or a low PBKDF2 iteration count can be brute-forced offline with no rate limiting. It was later reported that vault data stolen in the second 2022 incident may be tied to around $35 million in cryptocurrency thefts; researchers ZachXBT and MetaMask’s Taylor Monahan linked more than 80 compromised crypto wallets to the breach, with funds drained in various cryptocurrencies.
LastPass users have also been targeted by cybercriminals posing as LastPass staff. LastPass said these attacks did not involve its systems at all; they were phishing campaigns built on the CryptoChameleon phishing kit. But chances are, if you’ve been hacked before, you’ll be targeted again.
In 2023, the security firm Flashpoint reported two weaknesses in Bitwarden’s browser-extension autofill. Neither was a breach of Bitwarden’s servers or a flaw in its encryption; both concerned how the extension decides that a saved login belongs on the page in front of it.
First, when autofill ran, Bitwarden would fill credentials into forms inside inline frames (iframes) embedded in a matching page, even when the iframe itself came from another origin. That may seem like no big deal, but a page on the legitimate site that embeds a third-party iframe, through an ad network or a compromised widget, could end up handing the user’s credentials to a form the attacker controls.
For reference, an iframe is an HTML element that loads another page inside the original page, often to embed a widget or interactive media. Think of it like a nesting doll: one page fits within the other, and the inner page can belong to an entirely different site.
Second, Bitwarden’s default URI match compares only the base domain of the saved login and the current page. On shared hosting domains, where anyone can register their own subdomain (the report used Azure’s azurewebsites.net as its example), an attacker could stand up a phishing page on a sibling subdomain and the extension would treat it as the same site, so a password saved for the legitimate site would auto-populate on a page built solely for phishing.
Bitwarden has since changed how autofill handles iframes and these shared domains. Either way, the company owes a thank you to the researchers who found the weaknesses before attackers did.
Integrations with third-party service providers remain a significant risk: a breach at any one of them can reach your systems. 1Password learned this in 2023.
In October 2023, Okta, the identity and access management provider that 1Password uses internally, disclosed that its customer support system had been compromised. The attackers stole a session token from a browser recording (a HAR file) that a 1Password IT employee had uploaded to an Okta support case, used it to get into 1Password’s Okta admin console, and tried to modify an identity provider configuration and pull a report of administrative users before they were spotted. Okta later said the intruders had also downloaded a report listing the names and email addresses of all of its customer support users, reported as roughly 18,400 customers, 1Password among them.
Because 1Password’s Okta tenant only governs employee-facing applications, no customer vault data was involved. But it shows the risk that comes with password managers, and their vendors, depending on multiple integrated services: your security now includes your suppliers’ security, and every session token they handle on your behalf.
In addition to these big incidents, there have been other widely reported ones this year, such as the AT&T data breaches, the reported Temu data exposure (which Temu disputes), and MOAB, the “mother of all breaches,” which was a compilation of data from many earlier leaks rather than a new intrusion. The lesson is that platforms of any size can be hit.
No! Password managers are actually a key part of a strong digital privacy strategy. By securely storing complex, unique passwords for all your accounts, they significantly reduce the risk of being hacked through traditional methods.
However, to maximize the benefits of a password manager, there are some things to keep in mind:
According to data breach statistics, a company that has been breached before is likely to be breached again. The best way to avoid the fallout is to use a password manager that hasn’t been breached. Here is a list of the best password managers that haven’t been breached:
Cloaked is a privacy-first platform that takes online data security to the next level. Its pioneering feature, AutoCloak, provides anonymity online for its users. It creates virtual identities for users that serve as a substitute for their real information. These virtual identities cover masked phone numbers, masked email addresses, and usernames.
Cloaked prioritizes user security with a three-tier security architecture that prevents unauthorized access to users’ information. Cloaked uses client-side encryption: everything you store is encrypted on your own device before it leaves it, so even an attacker who steals the stored data gets only ciphertext they cannot use. No one, not even Cloaked employees, can read your passwords, thanks to the platform’s zero-knowledge design.
But Cloaked doesn’t stop here. Other privacy features include:
Cloaked users never have to wonder whether Microsoft is collecting their data, whether a creepy online date is stalking them after a rejection, or whether their data has been stolen in a password manager data breach.
NordPass is a password manager that generates and manages users' passwords. It also supports password autofill, and users can store their credit card information on NordPass and have it auto-filled on shopping websites.
NordPass also lets users sign in with passkeys in place of passwords. Checking for leaked passwords, flagging weak or reused passwords, and sharing passwords and passkeys are available, but only with a premium subscription.
Dashlane uses zero-knowledge patented encryption for user password protection. Its password generator generates passwords based on the user's guidelines, such as character limits, symbols, or numbers. Dashlane supports password sharing and dark web monitoring. Users can also store non-password-related information on Dashlane, such as financial and medical information.
Here is some more information on password manager breaches:
AutoSpill is not a breach or a direct attack on a vendor’s systems; it is a class of vulnerability, disclosed by researchers in late 2023, in how Android password managers fill credentials into web pages (WebViews) hosted inside other apps. When the manager autofills a login form in such a WebView, the host app can capture the username and password, so a malicious app that embeds a legitimate login page can harvest the user’s credentials. Password managers found vulnerable to AutoSpill included 1Password, LastPass, Enpass, Keepass2Android, and Keeper.
Cloaked has never been hacked or involved in any hack, and it maintains robust, sophisticated security processes and architecture.
Not all password managers are safe, but if you are looking for a password manager that has never been breached and keeps your information safe, use Cloaked.
Hackers will always target password managers and companies claiming to be secure. The important thing is that you do your due diligence and check on the data breaches that have occurred and how these companies responded to them.
Did they let the public know immediately? Did they develop an action plan to provide damage control to those impacted? And did they make changes to ensure the incident will never happen again?
Answering these questions can help you to choose a password manager you can trust–now and in the future.
Switch to a password manager that has never been involved in any data breach and join the Cloaked family.
Cloaked offers robust password management features for generating strong passwords and securely storing them using client-side encryption. It also supports bulk identity management—changing the usernames, passwords, email addresses, and phone numbers of several accounts simultaneously with only a few clicks via AutoCloak.
Do you worry about being able to import your passwords from your existing password manager app? Cloaked has got you covered with support for importing old passwords from other password managers, such as 1Password and LastPass. Additionally, Cloaked allows users to import their old passwords in CSV format.
Cloaked’s privacy features don’t stop here; it also offers secure identity and information sharing, information storage, and one-time account passcodes and is even launching “Cloaked Pay” and “Cloaked Shipping” features soon.
What are you waiting for? Sign up on Cloaked.