The Top 3 Worst Password Manager Breaches and Security Issues to Date

September 13, 2023

One industry is extremely unforgiving when it comes to data breaches: password management. 

You know, the companies you put your full trust in to protect, store, and lovingly care for all of your precious login credentials?

Unfortunately, this is the nature of the beast. Where there is a company that claims to be “secure,” there is a group of hackers ready and waiting to prove those claims wrong. 

Call it ego, an unspoken challenge, or a public service - these hacking attempts can shine a light on weaknesses that could otherwise be exploited in even greater ways if left undiscovered.

Over the last several years, many of these companies have learned the hard way that it’s never a good idea to get too comfortable with the current security of any platform. Every company must stay ahead of security best practices and the hackers that are continually trying to penetrate their systems.  

Keep reading to learn about the three worst password manager breaches of all time…

1. LifeLock

LifeLock is no stranger to data security scandals. We can’t discuss LifeLock without also bringing up their 2010 marketing debacle, when their CEO shared his social security number on billboards to prove the effectiveness of the product. It was so effective that his identity only got stolen 13 known times (cue Mr. Sarcasm).

While LifeLock has had several other issues over the years, we wanted to focus on the 2022 breach of their password manager. In December 2022, LifeLock revealed that they had experienced a data breach resulting in more than 6,000 of their customers losing access to their password managers. Hackers had used a technique known as “credential stuffing” to take control of these customers’ accounts. 

Credential stuffing involves replaying username and password combinations exposed in one breach against other platforms, betting that people reuse them. This is why it’s so important to immediately change your usernames and passwords in the event of a data breach. Better yet, use a different, randomly generated password for every account (in other words, #keepitcloaked).
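The defensive side of the credential-stuffing story is spotting it in your own login logs: one source trying many different usernames, mostly failing. The following is an added example written for this post, not code from LifeLock or any vendor. The log line format, the IP addresses and usernames, and the thresholds are all constructed for illustration; real deployments would tune the thresholds and add a time window.

```javascript
// Added example: flag credential-stuffing patterns in authentication logs.
// The log format and every line below are constructed for this illustration.
const SAMPLE_LOG = [
  "2023-09-13T10:00:01Z ip=203.0.113.7 user=alice result=fail",
  "2023-09-13T10:00:02Z ip=203.0.113.7 user=bob result=fail",
  "2023-09-13T10:00:02Z ip=203.0.113.7 user=carol result=fail",
  "2023-09-13T10:00:03Z ip=203.0.113.7 user=dave result=fail",
  "2023-09-13T10:00:03Z ip=203.0.113.7 user=erin result=success", // one reused password hit
  "2023-09-13T10:00:04Z ip=203.0.113.7 user=frank result=fail",
  "2023-09-13T10:05:00Z ip=198.51.100.9 user=bob result=fail",      // a user mistyping once
  "2023-09-13T10:05:20Z ip=198.51.100.9 user=bob result=success",
  "2023-09-13T10:07:00Z ip=192.0.2.44 user=gina result=fail",
  "2023-09-13T10:07:01Z ip=192.0.2.44 user=hank result=fail",
  "malformed line that the parser skips",
];

// Parse one log line into an event, or return null if it does not match the format.
function parseLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$/.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], ip: m[2], user: m[3], ok: m[4] === "success" };
}

// Group attempts by source IP and flag sources that tried many distinct accounts
// with a high failure ratio: the signature of replaying a leaked credential list.
// A single user retrying their own password never reaches minDistinctUsers.
function detectStuffing(lines, { minDistinctUsers = 5, minFailRatio = 0.8 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    let stats = byIp.get(ev.ip);
    if (!stats) {
      stats = { users: new Set(), attempts: 0, failures: 0 };
      byIp.set(ev.ip, stats);
    }
    stats.users.add(ev.user);
    stats.attempts += 1;
    if (!ev.ok) stats.failures += 1;
  }

  const suspicious = [];
  for (const [ip, s] of byIp) {
    const failRatio = s.failures / s.attempts;
    if (s.users.size >= minDistinctUsers && failRatio >= minFailRatio) {
      suspicious.push({ ip, distinctUsers: s.users.size, attempts: s.attempts, failures: s.failures });
    }
  }
  return suspicious;
}

console.log(JSON.stringify(detectStuffing(SAMPLE_LOG), null, 2));
```

Note that the successful login from the flagged source is exactly the one a stuffing campaign is after: a user who reused a password that leaked elsewhere. That is the account to force a reset on, not just the IP to block.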

2. LastPass

Needless to say, 2022 was a rough year for password managers. LastPass experienced a data breach in August of last year that resulted in hackers gaining access to sensitive data via an employee account. Adding insult to injury, another breach occurred in November targeting sensitive data stored in cloud storage.

The biggest “oof?” 

The employee’s account was compromised when hackers targeted their home computer. The hackers used a type of malware called a keylogger to capture the credentials needed to access the LastPass source code and customer vaults. This breach then took a while to detect, as the activity registered as legitimate employee activity.

Recently, it’s been reported that some of the LastPass vault data stolen in the second 2022 attack may be tied to around $35 million in cryptocurrency thefts. We’re following this story for ongoing updates.

3. Bitwarden

While not a confirmed breach, Bitwarden was discovered to have cracks in its encryption that left sensitive information vulnerable to cyber attacks. In 2023, a cybersecurity firm discovered a critical flaw in Bitwarden’s password security when using autofill.

Once autofill was triggered, Bitwarden would fill customer credentials into forms inside inline frames (iframes) embedded in the page. This may seem like no big deal.

However, this meant that if an embedded iframe was under an attacker’s control, bad actors could gain access to customer credentials at this level.

For reference, an iframe is an HTML element used to load another page within the original page, often to embed interactive media. Think of it like a nesting doll: one fits within the other. Except with web pages, the nesting is done with a specific purpose in mind.

In addition to this risk, it was also discovered that hackers could create subdomains of legitimate pages visited by customers, and Bitwarden’s autofill feature would recognize these as a match. This meant that passwords would auto-populate on pages that were solely intended for phishing.
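Both Bitwarden findings above come down to the same question a password manager has to answer before filling anything: does this frame, at this exact address, deserve the saved credentials? The code below is an added example written for this post, not Bitwarden’s own code and not its actual fix. It puts a deliberately permissive policy (fill any frame when the top page’s base domain matches) next to a hardened one (fill only same-origin frames over HTTPS, and only on an exact host match). The saved entries, URLs, and the two-label `baseDomain` helper are all constructed for illustration; a real implementation would consult the public suffix list rather than splitting on dots.

```javascript
// Added example: autofill policies for a browser extension, written for this post.
// Saved logins and URLs are constructed; hosts use reserved example domains.
const SAVED_LOGINS = [
  { host: "login.example.com", user: "alice" },
  { host: "shop.example.net", user: "alice-shop" },
];

// Simplified registrable-domain heuristic (last two labels). Real code would use
// the public suffix list; the simplification is enough to show the matching gap.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Permissive policy, mirroring the behaviour the post describes: the decision is
// made on the top-level page's base domain alone, so any subdomain matches and the
// frame being filled is never checked.
function weakAutofill(topUrl, frameUrl, saved = SAVED_LOGINS) {
  const topBase = baseDomain(new URL(topUrl).host);
  return saved.filter((e) => baseDomain(e.host) === topBase).map((e) => e.user);
}

// Hardened policy: refuse plain HTTP, refuse any frame whose origin differs from
// the top-level page (blocks cross-origin iframes), and match the saved entry on
// the exact host so a look-alike subdomain gets nothing.
function hardenedAutofill(topUrl, frameUrl, saved = SAVED_LOGINS) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  if (frame.protocol !== "https:") return [];
  if (frame.origin !== top.origin) return [];
  return saved.filter((e) => e.host === frame.host).map((e) => e.user);
}

// Walk through the three situations from the post and print both decisions.
const SCENARIOS = [
  { name: "real login page",      top: "https://login.example.com/account", frame: "https://login.example.com/account" },
  { name: "cross-origin iframe",  top: "https://login.example.com/",        frame: "https://widgets.example-cdn.test/frame" },
  { name: "attacker subdomain",   top: "https://attacker.example.com/login", frame: "https://attacker.example.com/login" },
];
for (const s of SCENARIOS) {
  console.log(`${s.name}: weak=${JSON.stringify(weakAutofill(s.top, s.frame))} hardened=${JSON.stringify(hardenedAutofill(s.top, s.frame))}`);
}
```

The same-origin check is what closes the iframe hole, and the exact-host match is what closes the subdomain hole; the two are independent, which is why a manager can fix one and still be exposed on the other.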

Bitwarden has since taken action to remedy these issues. However, the company definitely owes a huge thank you to the cybersecurity firm that found the weaknesses before the hackers did.

The Takeaway?

There will always be hackers targeting password managers and companies claiming to be secure. The important thing is that you do your due diligence and check on not only the data breaches that have occurred, but also how these companies responded to them.

Did they let the public know immediately? Did they develop an action plan to provide damage control to those impacted? And, did they make changes to assure that the incident will never happen again?

Answering these questions can help you choose a password manager you can trust, now and in the future.
