Password managers are great for creating and storing quality passwords, but they could be a gold mine for threat actors if compromised.
Password manager use is growing every day and for a good reason. Users employ them to create and store unique and complex passwords, preventing the problematic practice of simple, guessable, and recycled passwords. Users only need to memorize a single master password to access everything. Unfortunately, this means that there is also a single point of failure. If a threat actor gains access to a person’s password manager, the threat actor can access every password stored.
Underground actors know the value of a compromised password manager, and it appears that their interest is growing. Since December 2022, the number of monthly mentions of popular password managers has risen 176% higher than the average from January to November 2022 (Figure 1).
Figure 1. General mentions of popular password managers across the underground (excluding major access markets) from the beginning of 2022 onward.
This spike is largely in part to the second breach of the LastPass password manager, which was disclosed in December 2022. Many of these mentions represent discussions of this breach. Others, however, arose in the context of a desire to replicate it.
It is also extremely noteworthy that this trend is paralleled on access markets, which sell access to compromised endpoints and any logged-in resources contained within. We observed a similar jump in the number of credentials for sale - a massive 400% increase in the monthly average from December onward (Figure 2).
Figure 2. Credentials for sale on access markets related to popular password managers from the beginning of 2022 onward. These are likely to be master passwords.
While password managers listed in endpoint markets were not specifically targeted--they were caught up in a larger compromise of an endpoint--it demonstrates that their increased use leads to increased exposure.
Targeting password managers
We also discovered that threat actors are seeking to specifically target password managers. Stealer malware includes the capability to target password managers (Figure 3), and threat actors are adding compromised password managers to the growing list of stolen data that they sell in underground marketplaces (Figure 4).
Figure 3. An example of stealer malware that is being advertised and built to target password managers.
Figure 4. Threat actors discussing stolen goods for sale, including compromised password manager details.
Conclusion
Threat actors are increasingly targeting password managers due to increased use and the potential value that they hold. Password manager vendors must ensure that their software and systems are secure to protect their users’ password vaults, and implement measures to detect if password data leaked to the underground. Meanwhile, users of password managers, must ensure that their master passwords are strong, avoid accidentally installing malware, and use multifactor authentication when possible for an additional layer of security.