passwords managers hacked

Password Managers Hacked: A Comprehensive Overview

1/9/2024
Categories: Attacks

With attacks happening every day and the consequences of them reaching into the millions, robust cybersecurity measures are no longer a luxury—they are a necessity. Recent breaches in popular password managers have raised serious concerns, despite their intended role as secure vaults. 

It's becoming increasingly clear that password managers are not the impenetrable fortresses we once thought they were. In fact, the recent string of breaches suggests that relying on passwords, even within these managers, might be akin to building our digital security on sand. 

Let's take a closer look at these breaches and hacks and their consequences. 

LastPass: the repeated target of cyber attacks

First 2022 Attack

In the first attack, hackers infiltrated the company's development environment through a software engineer’s corporate laptop. While customer data and encrypted password vaults were not directly accessed, the breach involved the theft of source code and technical documentation. 

Second 2022 Attack 

In October 2022, LastPass experienced another severe security breach when hackers infiltrated the account of a senior DevOps engineer. The breach went undetected for a little under three months. It was  initially underplayed when announced, but was far more extensive than disclosed. Attackers gained access to customer vault data, including emails, phone numbers, credentials, metadata, and third-party integration secrets. 

Norton LifeLock: credential stuffing attack

In January 2023, Norton LifeLock warned over 6,000 customers of a breach stemming from credential stuffing attacks. Utilizing usernames and passwords likely sourced from the dark web, the attackers successfully accessed customer accounts, potentially compromising stored logins in the password manager. Norton's response included resetting passwords and advocating for two-factor authentication, which leaves much to be desired.

1Password: a close call with security

In September 2023, 1Password detected suspicious activities linked to Okta's support system. Although no user data was compromised, the incident highlighted the necessity of constant vigilance and robust security measures in the face of evolving cyber threats.

Bitwarden users targeted by deceptive Google Ads

Bitwarden users faced a phishing attack, initiated through a seemingly innocuous Google ad. This ad, deceptively titled “Bitward - Password Manager,” directed users to a fraudulent website, expertly mimicking Bitwarden's login page. The deceptive URL, “appbitwarden.com,” cleverly led to “bitwardenlogin.com,” a clone of the legitimate site. From there users were tricked into handing over their usernames and passwords.

Passwordstate: a deceptive update attack

In April 2021, Passwordstate was a victim in a complicated cyber attack. A malicious DLL file, disguised as a software update, extracted sensitive user data and transmitted it to the attacker’s server. This was followed by phishing attacks, which told users to urgently download software to protect them and this further compromised user security.

2020 security study: eye-opening vulnerabilities

In 2020, researchers from the University of York put popular password managers under the microscope. Their findings were unsettling, to say the least. Vulnerable to phishing attacks, the absence of login attempt limitations, and the risk of credentials being exposed as clear text from the clipboard were just some of the red flags raised. This study was a wakeup call, highlighting the inherent flaws in relying on password managers.

The fundamental flaw behind passwords managers: passwords themselves

The recurring theme in all these incidents is the inherent weakness of passwords. No matter how sophisticated the manager, the basic premise of using passwords is flawed. Passwords, by their very nature, are susceptible to a range of attacks, from brute force attacks to phishing scams. With cyber attacks growing in strength, including sophisticated social engineering tactics and advanced malware, this further exposes the frailty and insecurity of passwords. 

The common advice given to users is to create complex, unique passwords for each account, but this is a burden on them. This leads to the prevalent, and risky, practice of reusing simple passwords across multiple websites. All of this highlights the pressing need to shift towards a more resilient and user-friendly method of authentication.

The case for passwordless MFA

Passwordless MFA does away with passwords altogether, eliminating the primary target of most cyberattacks. Instead, it relies on multiple layers of verification, making unauthorized access exponentially more difficult.

With passwordless MFA, you replace passwords with secure factors that are phishing-resist:

  • Local biometrics
  • Device-bound keys
  • Device security posture

Users no longer need to reset passwords or call the IT help desk because they got locked out. The access to application is faster and annoying one-time passwords and push notifications are done away with. 

Beyond Identity: securing authentication with simplicity

Switching to passwordless MFA with Beyond Identity streamlines the login process and significantly reduces security concerns associated with password use.

Beyond Identity makes implementing passwordless MFA straightforward and efficient. Our approach uses continuous authentication and is a seamless blend of convenience and robust security, keeping things smooth yet secure.

To explore how Beyond Identity can help you move away from insecure password managers, get a free demo.