40 million users exposed to data theft through these 11 password managers
IT and security specialists have long recommended using a password manager to keep your login credentials safe and in one place. Password managers are generally considered reliable and secure, but a common vulnerability has now been found in 11 providers that attackers can exploit. (See our own recommendations for the most trustworthy password managers.)
The vulnerability came to public attention through a report by The Hacker News. The following password managers have affected browser extensions, meaning extensions that inject their autofill prompt into the web page's DOM (Document Object Model), where the page's own styles and scripts can reach it:
- 1Password
- Bitwarden
- Dashlane
- Enpass
- iCloud Passwords
- Keeper
- LastPass
- LogMeOnce
- NordPass
- ProtonPass
- RoboForm
This list includes some of the best-known and most widely used password managers, affecting an estimated 40 million users worldwide. Extra caution is therefore advised. Most of these providers have not yet patched the security flaw, so data theft is still possible as of this writing.
How hackers get your passwords
The vulnerability in question is a form of clickjacking. Attackers lure unsuspecting users to fake websites that imitate real ones and look deceptively genuine, except that the fakes contain invisible elements.
In some cases a single misplaced click is enough. The click lands on the password manager's autofill prompt, which the attacker's page has made invisible, and the extension then fills the saved credentials into form fields that the page controls. A script on the page reads the filled-in values and passes them to the attacker. The attack usually goes unnoticed: the user simply closes the page and receives no warning that their stored credentials have just been copied.
So why do these password managers run the risk of becoming a gateway for this kind of attack? Because their extensions render the autofill prompt as elements inside the web page's own DOM, the page's CSS and scripts can hide it (for example with opacity 0), cover it, or position it exactly under whatever the user is about to click. The prompt still works, it is just no longer visible.
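To make the mechanism concrete, here is an added example (not code from the article, and not the fix shipped by any of the password managers named above) that models the kind of visibility check an extension can run before it honours a click on the autofill prompt it injected into the page. The element names (`pm-autofill-prompt`, `attacker-wrapper`), the `makeNode` helper and the three scenarios are constructed for the example; in a real extension the `style` values would come from `getComputedStyle()` inside the extension's click handler.

```javascript
// Added example, not code from the article or any password manager.
// Models the check an extension can perform before honouring a click on the
// autofill prompt it injected into the page DOM: walk the prompt and every
// ancestor, and refuse to fill if anything on that chain hides it. Styles are
// constructed plain objects standing in for getComputedStyle() results.

function makeNode(id, style = {}, parent = null) {
  // Minimal stand-in for a DOM element: id, computed style, parent link.
  const defaults = { display: 'block', visibility: 'visible', opacity: '1' };
  return { id, style: { ...defaults, ...style }, parent };
}

// Return a human-readable reason if this single node hides its content, else null.
function hidingReason(node) {
  const s = node.style;
  if (s.display === 'none') return `display:none on #${node.id}`;
  if (s.visibility === 'hidden' || s.visibility === 'collapse') {
    return `visibility:${s.visibility} on #${node.id}`;
  }
  if (parseFloat(s.opacity) === 0) return `opacity:0 on #${node.id}`;
  return null;
}

// Decide whether a click on the injected prompt should trigger autofill.
// A hidden ancestor hides the prompt just as effectively as a style on the
// prompt itself, so the whole chain up to the document root is checked.
function shouldAutofill(prompt) {
  for (let n = prompt; n; n = n.parent) {
    const reason = hidingReason(n);
    if (reason) return { fill: false, reason };
  }
  return { fill: true, reason: null };
}

// Constructed scenario 1: honest page, the prompt is visible and clicked.
function honestPageScenario() {
  const body = makeNode('body');
  const prompt = makeNode('pm-autofill-prompt', {}, body);
  return shouldAutofill(prompt);
}

// Constructed scenario 2: the attacker's page sets opacity:0 on the container
// the extension injected into, and draws a decoy button at the same spot.
// The click really does reach the prompt, but the user never saw it.
function clickjackScenario() {
  const body = makeNode('body');
  const wrapper = makeNode('attacker-wrapper', { opacity: '0' }, body);
  const prompt = makeNode('pm-autofill-prompt', {}, wrapper);
  return shouldAutofill(prompt);
}

// Constructed scenario 3: page CSS targets the prompt element directly.
function directHideScenario() {
  const body = makeNode('body');
  const prompt = makeNode('pm-autofill-prompt', { visibility: 'hidden' }, body);
  return shouldAutofill(prompt);
}
```

The point of the ancestor walk is that the attacker does not need to touch the prompt element itself: hiding any container above it is enough, so checking only the prompt's own style would be bypassed trivially. Treat a check like this as one layer only. Page CSS has other ways to make an element effectively invisible (transforms, clipping, zero size, an overlay drawn on top), which is why the more robust fix is to render the prompt somewhere the page's styles cannot reach and to require an explicit, visible confirmation before filling.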
Incidentally, not only passwords but also other types of sensitive data can be intercepted this way, including stored credit card details, names, addresses, phone numbers, and more, which can then be used for further phishing attacks.
Although the vulnerability was reported to the affected providers back in April 2025, just under half of them have responded to the warning. Bitwarden has released a new version of its extension that addresses the problem.
How to protect yourself
There is no one-size-fits-all way to protect yourself from clickjacking. As always, never click on unknown or unexpected links, even when they appear to lead to legitimate websites. It is always safest to open a new tab in your browser and navigate to the site yourself, or to use your own trusted bookmarks for quick access.
If you use a Chromium-based browser (which is most browsers these days) together with a password manager, change the password manager's autofill setting to "on click." This is an important step: it prevents credentials from being entered or completed automatically without you first confirming that you intend to fill them in.
Alternatively, you may want to turn off the automatic completion of e-mail addresses (and other data) in the browser settings under "Autofill and passwords."
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.