
Who’s got my passwords now?

April 30, 2024

It wasn’t too long ago that the only password you needed to remember was the one for your internet banking, and maybe a few others to access systems at work. Now our daily routine includes logging in to multiple password-protected platforms and applications: social media accounts, financial services, shopping portals and, in fact, almost every connected device we use.

It’s widely accepted that every password should be unique, so that one stolen credential cannot be reused to open other accounts. The consequence is that the average person now has over 38 passwords, and some individuals have hundreds.

As a result, password management solutions have become an essential tool for managing our online identities and protecting our sensitive data. Despite their critical role in maintaining our cybersecurity, they are not foolproof as some of the solutions themselves have been victims of attacks. It’s difficult to get one’s head around the implications of this. It’s akin to a security company handing the keys of your house to a burglar and then providing him with a truck to haul away your worldly possessions.

LastPass, one of the world’s biggest password managers with 25 million users, admitted in a blog post in December 2022 that an incident it had first disclosed in August of the same year had opened the door to an “unauthorised party”, who used it to steal customer account information and sensitive vault data. The account information was unencrypted and included LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses. The vault data contained both unencrypted fields, such as website URLs, and encrypted fields, such as website usernames and passwords.

The breach was not the first; the company has had a number of incidents over the years.

In 2015, it announced that it had detected suspicious activity on its network and that some user data, including email addresses, password reminders, per-user server salts and authentication hashes, may have been compromised.

In 2016, it notified users of a vulnerability that could have allowed an attacker to extract user passwords from the browser extension.

In 2017, security researchers reported further vulnerabilities in the browser extension, which were patched.

Lest we single LastPass out for admonishment, they are not the only password management company that has had breaches.

Other companies that would rather not be on this list include Dashlane, OneLogin, Kaseya and Passwordstate. The latter two were victims of ransomware attacks, with $70 million and $65k demanded respectively (Kaseya is an IT management software vendor rather than a password manager, but its products hold privileged credentials for its customers’ systems). Kaseya has said it did not pay the ransom, and Passwordstate said it did not pay and had to rebuild its systems from scratch.

How are these companies hacked?

One of the primary reasons why password management solutions are targeted by hackers is because of the value they hold. Password managers are essentially a gold mine of valuable information, containing login credentials and other sensitive data for multiple accounts and websites. This makes them an attractive target for hackers who are looking to steal this information for financial gain or to launch further cyberattacks.

As with most cyberattacks, the latest LastPass breach came down to human error. One of the company’s engineers had not updated Plex, a media server application (Plex itself disclosed a breach on August 24th 2022), on their home computer, and the attackers exploited the unpatched software. It is a sobering reminder of the danger of failing to keep software up to date, and it brings into sharp focus the risks of remote working and the growing trend of BYOD (bring your own device).

Companies are living in a fool’s paradise if they believe their security is robust while allowing employees to use their own devices on unprotected networks, download all manner of software and click links with abandon.

Every click is a potential threat, every device is a potential back door into a company’s network.

Many password management solutions are hosted in the cloud, which makes them exposed to data theft or ransomware attacks. In some cases the vendor’s own security measures are weaker than its product: a compromised administrator account, stolen cloud storage credentials, or a vulnerability in the software the password manager runs on can give attackers access to the stored vault data.

What about the customers?

The biggest losers when these companies are hacked are the customers. Stolen vault data puts every password in it at risk: the vault is normally encrypted with a key derived from the master password, so a weak master password, or one reused elsewhere, can be guessed offline and then unlocks all of the customer’s accounts. With access to personal information such as names, email addresses and other identifying data, attackers can also commit identity theft and run targeted phishing campaigns against the victims.

Also, if the password management company’s services are disrupted by the hack, customers may be unable to access their passwords and other information, which could cause significant inconvenience, financial loss and further security risks.

A hack or data breach can erode customers’ trust in the password management company, particularly if the company does not handle the incident transparently and effectively.

This loss of trust can have long-term implications for the company’s reputation and customer base. In a recent report by Passwordmanager, 65% of Americans don’t trust their password manager, for this very reason.

What to do if your password manager company has been hacked

You should immediately change your master password, change all of your other passwords and monitor key accounts such as financial services, for suspicious activity. You should also follow any guidance or instructions provided by the password management company regarding the breach as (ironically) they will be in the best position to help you safeguard your passwords.

If you haven’t done this already, enable two-factor authentication if your password manager supports it, as an additional layer of security.

While it’s not much use after the fact, you should follow best practices for password management, such as using strong, unique passwords for each account and enabling two-factor authentication wherever possible. Changing your passwords periodically, and immediately when a breach is suspected, is also worthwhile, because it sometimes takes companies months to detect a breach: you cannot assume your account is secure simply because no breach has been reported.

While password management solutions are valuable tools for managing our online identities, they are not immune to being hacked. By being aware of the risks and taking appropriate measures to protect ourselves, we can continue to use password managers safely and securely.