Password managers are an essential tool for anyone who uses the internet. Unless you plan to use password123 as the password for all your accounts, you’ll need a way to store and manage a growing list of credentials. LastPass is one of the biggest names in this industry, but after the 2022 LastPass breach, I started trusting password managers a bit less.
However, LastPass isn’t an isolated case. Other password managers have had their own share of exploits, and there are very current vulnerabilities that lurk in the corner. These exploits and threats are revealing, exposing the fact that the very tools built to protect us can become single points of weakness.
Remember the LastPass breaches?
One breach would have been unacceptable
The 2015 LastPass breach felt manageable, especially since encrypted vaults and hashed master passwords were not directly exposed. In its press release, LastPass reassured us that strong cryptography meant there was little likelihood of real damage. But it wasn’t a one-off mistake.
In 2022, we saw an escalation of LastPass’s security woes. LastPass acknowledged this new breach. By gaining access to a developer’s account, attackers were able to extract proprietary code and later steal backups containing customer vault data. Luckily, the vaults were encrypted, but sadly, the metadata wasn’t, and URLs, folder names, and hints became tools in the attackers’ hands. So, even though your passwords were encrypted, vital details of where you had accounts were exposed.
Like many people, in 2022, I was still using LastPass and obviously had not learned my lesson from the 2015 ordeal. However, it was how the company handled disclosure that made me lose all trust. Communication was piecemeal, and we only received substantial updates after researchers suspected the breach was more extensive than initially thought. LastPass’s delayed communication felt like a betrayal of trust.
This was my breaking point: multiple breaches and opaque communication were too much. However, it made me reflect more deeply on password managers, not just LastPass.
It wasn’t just LastPass
Passwordstate and Norton LifeLock also experienced breaches
In 2021, Passwordstate suffered a supply chain attack: users were instructed to update the software, but the update they received was a build laced with malware. This became a nightmare because of the attacker’s high-level access to sensitive data. At the time, News reported that the company pushed its users to reset passwords, which is standard practice. However, some customers “were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software,” which is not.
Then, in 2023, Norton LifeLock faced a breach. According to News, this breach compromised thousands of user accounts through credential stuffing. In this case, it wasn’t a vault breach, but a compromise triggered by reused or weak passwords. Still, it was no less damaging. A lot of loyal customers who had trusted this household security brand found their accounts compromised despite the company’s protections.
The two events had different causes: one was the product of lax development practices, the other of weak defenses against mass exploitation. However, there is a common denominator: your password manager can act as a single point of failure if compromised.
Side-stepping vaults
The idea of an impenetrable vault is misleading
Typically, we assume that password managers are impenetrable fortresses. Technologies like zero-knowledge encryption and industry-grade cryptography back up the security claims. Cryptographic standards like AES-256 and PBKDF2 make brute-force attacks on master passwords impractical. These are all true, but what we ignore is that an ecosystem can fail in places the math can’t protect.
Metadata, browser extensions, and developer practices are examples of elements that vault encryption won’t protect. In the LastPass breach, unencrypted URLs were all the attackers needed to know which banks victims used, and the Passwordstate attack exploited the update mechanism. An attacker doesn’t always need to break the vault if they can lay their hands on other data points.
Another issue is psychological blind spots. We often assume the password manager’s vault is a guarantee, forgetting about other potential attack surfaces, such as autofill, sync, and integrations. Believing in an impenetrable vault is a danger on its own because that absolute faith takes the place of vigilance and replaces it with blind trust. This is something an attacker understands too well and now exploits.
You should remember that your password manager is another piece of software, prone to the same problems that other software may experience: bugs, supply chain issues, and even human error.
The modern threat
Exploiting autofill and invisible clicks
Marek Tóth’s 2025 research showed that password managers are vulnerable even without a vault breach. This clickjacking attack overlays elements on the webpage, so that when you attempt to close a pop-up, you are unknowingly triggering an autofill into a malicious form.
What makes this scarier is that Tóth demonstrated the exploit against 11 password managers, including highly rated services like Bitwarden, 1Password, and Apple Passwords. It’s a sophisticated attack that tailors its overlay in real time to the password manager you use. And just like that, the very convenient autofill feature of password managers has become the object of a new, sophisticated kind of attack.
The universality of this attack is what terrifies me. Every brand tested showed at least one exploit path, and none escaped unscathed in this specific test scenario. This wasn’t due to a single vendor’s negligence; it exploited the assumption that convenience and security can coexist. A breach will steal the headlines, but this quiet design flaw can continue for years, causing damage and remaining unnoticed.
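An added example, not from Tóth’s research or from any password manager’s code: one defensive check an autofill dropdown could run before treating a click as consent to fill, written in JavaScript with the browser calls injected through an `env` object so it runs under Node. The `env` interface, the fake DOM nodes, the scenario values and the 0.99 opacity threshold are all assumptions.

```javascript
// Gate the dropdown's click handler on the dropdown being genuinely visible to the user.
// `env` wraps getComputedStyle, elementFromPoint and the viewport so this runs without a DOM.
function isGenuinelyVisible(el, env) {
  // 1. Walk up the ancestors: opacity/visibility/display on any parent hides the UI too.
  for (let node = el; node; node = node.parentElement) {
    const s = env.getComputedStyle(node);
    if (parseFloat(s.opacity) < 0.99 || s.visibility === 'hidden' || s.display === 'none') {
      return { ok: false, reason: 'hidden by ancestor style' };
    }
  }
  // 2. The UI must occupy real space inside the viewport.
  const r = el.getBoundingClientRect();
  if (r.width < 1 || r.height < 1 || r.right <= 0 || r.bottom <= 0 ||
      r.left >= env.viewport.width || r.top >= env.viewport.height) {
    return { ok: false, reason: 'zero-size or off-screen' };
  }
  // 3. Whatever the browser would deliver a click to at the UI's centre must be the UI itself.
  const top = env.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (!top || !(top === el || el.contains(top))) {
    return { ok: false, reason: 'covered by another element' };
  }
  return { ok: true, reason: '' };
}

// Constructed stand-ins for DOM nodes and the browser environment (no real DOM involved).
function fakeEl({ style = {}, rect = { left: 0, top: 0, width: 0, height: 0 }, parent = null } = {}) {
  const el = {
    style: { opacity: '1', visibility: 'visible', display: 'block', ...style },
    parentElement: parent,
    getBoundingClientRect: () => ({ ...rect, right: rect.left + rect.width, bottom: rect.top + rect.height }),
    contains: (n) => { for (let x = n; x; x = x.parentElement) if (x === el) return true; return false; },
  };
  return el;
}
function fakeEnv(topElementAtCenter) {
  return { viewport: { width: 1280, height: 800 }, getComputedStyle: (n) => n.style,
           elementFromPoint: () => topElementAtCenter };
}
// Three cases: an honest dropdown, one whose parent was made transparent (assumed variant),
// and one with a decoy "close" button layered over it, as the article describes.
function demo() {
  const rect = { left: 100, top: 100, width: 200, height: 40 };
  const honest = fakeEl({ rect });
  const transparent = fakeEl({ rect, parent: fakeEl({ style: { opacity: '0' }, rect }) });
  const decoy = fakeEl({ rect: { left: 150, top: 110, width: 30, height: 20 } });
  return {
    honest: isGenuinelyVisible(honest, fakeEnv(honest)).ok,
    transparent: isGenuinelyVisible(transparent, fakeEnv(transparent)).reason,
    covered: isGenuinelyVisible(honest, fakeEnv(decoy)).reason,
  };
}
```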
Trust isn’t a feature you can patch
For years, I’ve watched these patterns unfold. In all of it, trust has been the casualty. There will always be security fixes, and password managers will even rotate keys. They’ll issue patches, but the sense of safety I once felt can’t be patched. The only way to rebuild confidence is through transparency.
That’s why I lean toward open-source code—software that can be audited and where assumptions can be challenged. This way, trust isn’t earned through promises but through visibility. I switched to an open-source offline password manager. It doesn’t eliminate every issue: it’s less convenient, and the learning curve is steeper. What it does is shift power back to you, and that’s a starting point.