The Top 3 Worst Password Manager Breaches and Security Issues to Date

May 3, 2024
·
3 min
deleteme

Protect yourself from future breaches

Password manager breaches are more common than ever. And understandably, the password management industry is not very forgiving of these breaches.

Unfortunately, this is the nature of the beast. For every password manager company that claims to be “secure,” there’s a group of hackers ready and waiting to prove those claims wrong.

Over the last several years, many password managers have learned the hard way that it’s never a good idea to get too comfortable with the current security of any platform. Every company must stay ahead of security best practices and the hackers continually trying to penetrate their systems.  

Keep reading to learn about some of the worst password manager breaches of all time.

What exactly is a password manager? 

A password manager is any application or platform that creates, stores, and manages users’ passwords on their online accounts. 

Previously, password managers were used to store passwords like a password vault, so you could copy your password to an account and then paste it on the account sign-in page. 

Now, password management capabilities have grown from storing non-password information with custom fields to auto-filling passwords on apps and websites and creating one-time passcodes. 

The Worst Password Manager Breaches to Date

Here are some of the worst password manager breaches to date:

1. Norton LifeLock

LifeLock is no stranger to data security scandals. We can’t discuss LifeLock without also bringing up their 2010 marketing debacle when their CEO shared his social security number on billboards to prove the efficacy of the product. 

How effective was it, really? His identity was stolen 13 times.

While LifeLock has had several other issues over the years, in December 2022, LifeLock revealed that it had experienced a data breach resulting in more than 6,000 of its customers losing access to their password managers. Hackers had used a technique known as “credential stuffing” to take control of these customers’ accounts. 

Credential stuffing involves using previously exposed credential combinations to break into other platforms. This is why it’s so important to immediately change your usernames and passwords in case of a data breach

Better yet, use a different, random, secure password for every account. In other words, #keepitcloaked).

What does #keepitcloaked mean exactly? Cloaked can generate new strong passwords for all your multiple online accounts easily in a single click. You can also use masked email addresses and phone numbers on Cloaked to sign up on your accounts online so it can’t be linked to you. 

Explore all Cloaked features

2. LastPass

Needless to say, 2022 was a rough year for password managers. 

LastPass experienced a data breach in August 2022  that resulted in hackers gaining access to sensitive data via an employee account. Adding insult to injury, another breach followed in November, targeting sensitive data stored in the Cloud.

The biggest “oof?” In the LastPass breach, the employee’s account was compromised when hackers targeted their home computer. The hackers used a type of malware called a keylogger to learn the credentials needed to access the LastPass source code and customer vaults. This breach then took a while to detect as it registered as legitimate employee activity. 

It was reported that some of the LastPass vault data stolen in the second 2022 attack may be tied to around $ 35 million in cryptocurrency thefts. ZackXBT and MetaMask confirmed that 80 crypto wallets were compromised in the attack, and funds were stolen in various cryptocurrencies.

LastPass users have also been targeted by cybercriminals posing as staff. LastPass shared that these attacks did not directly affect any of their systems as they resulted from phishing campaigns in the Crypto Chameleon phishing kit. But chances are, if you’ve been hacked before, you’ll likely be hacked again. 

Migrate to an online security platform that has never been breached. 

3. Bitwarden

Bitwarden was discovered to have cracks in its encryption that left sensitive information vulnerable to cyber attacks. In 2023, a cybersecurity firm, Flashpoint discovered a critical flaw in Bitwarden’s password security when using autofill.

Once the autofill option was initiated, Bitwarden allowed inline frames (iframes) to access the customer credentials. This may seem like no big deal. However, it meant that if iframes were hacked, bad actors could gain access to customer credentials at this level.

For reference, iframes are an element of HTML that can be used to load another page within the original page, sometimes intending to embed interactive media. Think of it like a nesting doll. One fits within the other. Except with web pages, this occurs with a specific purpose in mind.

In addition to this risk, it was also discovered that hackers could create subdomains of legitimate pages visited by customers, and Bitwarden’s autofill feature would recognize these. This means that passwords would auto-populate on pages solely intended for phishing.

Bitwarden has since taken action to remedy these issues. However, the company definitely owes a huge thank you to the cybersecurity firm that found the weaknesses before the hackers did.

Tired of your data being exposed in a series of data breaches?

Choose privacy, get Cloaked.

4. 1Password 

Integrations with third-party service providers still pose a significant risk to data security, as your systems could be impacted by a breach involving any of your third-party service providers. This was the case with 1Password

In 2023, one of 1Password’s service providers, Okta, an identity management solutions platform, suffered a system breach that exposed all 18,400 customers, including 1Password. Since Okta manages 1Password’s identity and access management, the bad actors could have given themselves authorization and access. 

However, since the IAM platform only managed employee-facing apps, it didn’t affect customers. But this shows the risk with password management solutions having multiple integrations. 

In addition to these big breaches, there have been more breaches like the Temu data breach, MOAB, and the AT&T data breaches this year, which shows that even smaller platforms can get hacked.

Never have to worry about third-party breaches. 

Download the Cloaked app

Does This Mean We Should Stop Using Password Managers?

No! Password managers are actually a key part of a strong digital privacy strategy. By securely storing complex, unique passwords for all your accounts, they significantly reduce the risk of being hacked through traditional methods.

However, to maximize the benefits of a password manager, there are some things to keep in mind:

  • Security-First Reputation: Look for password managers with a proven track record of prioritizing user security. Research if they've undergone independent security audits and haven't been involved in any data breaches.
  • Zero-Knowledge Architecture: This ensures the company storing your passwords never actually sees them. The encryption key is solely in your control, making it much harder for attackers to access your data even if they breach the password manager's servers.
  • Secure Sharing: Choose a password manager that offers secure sharing features. This allows you to share login credentials with others without revealing your master password. Look for features like encrypted links with access expiration.
  • Multi-Factor Authentication: Two-factor authentication (2FA) adds an extra layer of security by requiring a second verification step beyond your master password. Ensure your chosen password manager offers robust 2FA options.

The Best Password Managers That Haven’t Been Breached

According to data breach statistics, chances are, if you have been breached before, you will be breached again. The best way to prevent that is to use a password manager that hasn’t been breached. Here’s a list of the best password managers that haven’t been breached:

1. Cloaked

Cloaked is a privacy-first platform that takes online data security to the next level. Its pioneering feature, AutoCloak, provides anonymity online for its users. It creates virtual identities for users that serve as a substitute for their real information. These virtual identities cover masked phone numbers, masked email addresses, and usernames. 

Cloaked prioritizes user security with a three-tier security architecture that prevents unauthorized access to users’ information. Cloaked users enjoy client-side encryption, meaning everything they store on Cloaked is encrypted right on their devices, so even when bad actors gain access to their passwords, they cannot be used. No one, not even Cloaked employees, can access your passwords thanks to the platform’s zero-knowledge access. 

But Cloaked doesn’t stop here. Other privacy features include: 

  • Allows users to generate time-based one-time passcodes
  • Supports password sharing over encrypted links
  • Automatically generate and update passwords to various apps and websites
  • Supports secure email sending
  • It has an in-app inbox sorted by senders first to avoid spam in your real email and then make important emails accessible
  • Stores non-password information such as API keys and bank account details
  • Auto-fills forms online
  • Supports anonymous calls

cloaked spotify

Cloaked users never have to wonder whether Microsoft is collecting their data, if a creepy online date stalks them after a rejection–or if their data has been stolen in a password manager data breach.

Create unlimited virtual identities with Cloaked.

2. NordPass

NordPass is a password manager that generates and manages users' passwords. It also supports password autofill, and users can store their credit card information on NordPass and have it auto-filled on shopping websites. 

NordPass allows users to use passkeys to access their accounts in place of passwords. It also allows users to check for leaked passwords, identify existing vulnerable passwords, and share passwords and passkeys, but these are only accessible with a premium subscription. 

3. Dashlane

Dashlane uses zero-knowledge patented encryption for user password protection. Its password generator generates passwords based on the user's guidelines, such as character limits, symbols, or numbers. Dashlane supports password sharing and dark web monitoring. Users can also store non-password-related information on Dashlane, such as financial and medical information. 

Compare Nordpass, 1Password, Dashlane, and Cloaked

More About Password Managers

Here is some more information on password manager breaches:

What password managers were vulnerable to AutoSpill? 

While Autospills are not direct data attacks or breaches, they are vulnerabilities that expose user passwords and login credentials to third-party apps. Password managers vulnerable to Autospills are  1Password, LastPass, Enpass, Keepass2Android, and Keeper.

Which password manager has never been hacked?

Cloaked has never been hacked or involved in any hack, yet it maintains very robust and sophisticated security processes and architecture. 

Are password managers safe?

Not all password managers are safe, but if you are looking for a password manager that has never been breached and keeps your information safe, use Cloaked.

The Takeaway on Password Manager Data Breaches

Hackers will always target password managers and companies claiming to be secure. The important thing is that you do your due diligence and check on the data breaches that have occurred and how these companies responded to them.

Did they let the public know immediately? Did they develop an action plan to provide damage control to those impacted? And did they make changes to ensure the incident will never happen again?

Answering these questions can help you to choose a password manager you can trust–now and in the future.

Switch to a password manager that has never been involved in any data breach and join the Cloaked family. 

Cloaked offers robust password management features for generating strong passwords and securely storing them using client-side encryption. It also supports bulk identity management—changing the usernames, passwords, email addresses, and phone numbers of several accounts simultaneously with only a few clicks via Auto Cloak. 

Do you worry about being able to import your passwords from your existing password manager app? Cloaked has got you covered with support for importing old passwords from other password managers, such as 1Password and LastPass. Additionally, Cloaked allows users to import their old passwords in CSV format. 

Cloaked’s privacy features don’t stop here; it also offers secure identity and information sharing, information storage, and one-time account passcodes and is even launching  “Cloaked Pay” and “Cloaked Shipping” features soon. 

What are you waiting for? Sign up on Cloaked.

Protect yourself from future breaches

View all
Media
November 20, 2024

Arjun Bhatnagar Weighs in on Cloaked’s Mission, Secure Privacy Platform and Actions to Gain Control of Data

Arjun Bhatnagar Weighs in on Cloaked’s Mission, Secure Privacy Platform and Actions to Gain Control of Data

by
Cloaked Team
Media
November 20, 2024

Arjun Bhatnagar Weighs in on Cloaked’s Mission, Secure Privacy Platform and Actions to Gain Control of Data

Arjun Bhatnagar Weighs in on Cloaked’s Mission, Secure Privacy Platform and Actions to Gain Control of Data

by
Cloaked Team
Media
August 24, 2024

Geek Squad Email Renewal Scam: Everything You Need to Know [2024]

Geek Squad Email Renewal Scam: Everything You Need to Know [2024]

by
Abhijay Bhatnagar
Media
August 24, 2024

Geek Squad Email Renewal Scam: Everything You Need to Know [2024]

Geek Squad Email Renewal Scam: Everything You Need to Know [2024]

by
Abhijay Bhatnagar
Media
May 14, 2024

Cloaked Recognized In Fast Company’s 2024 World Changing Ideas Awards

Cloaked Recognized In Fast Company’s 2024 World Changing Ideas Awards

by
Cloaked Team
Media
May 14, 2024

Cloaked Recognized In Fast Company’s 2024 World Changing Ideas Awards

Cloaked Recognized In Fast Company’s 2024 World Changing Ideas Awards

by
Cloaked Team