What actually happens in a password manager breach
What makes this confusing
A password manager breach is one of the more unsettling security scenarios to reason about. The company specifically trusted to protect all your credentials has itself been compromised. The natural response is either 'everything is exposed' or 'it was encrypted so I am fine' — both of which are too simple. The actual consequences depend on what was taken, what was encrypted, and what the attacker can do with what they have.
Breaches of password manager companies differ from breaches of ordinary websites in an important way. When a retail website is breached, the attacker may obtain payment data, email addresses, and hashed passwords for that one service. When a password manager is breached, the attacker potentially obtains an encrypted bundle of credentials for every service the user has accounts on. The blast radius of what might be inside is much larger — the question is whether the encryption holds.
Not all password manager breaches are equal. A breach that exposes encrypted vault backups plus plaintext metadata is different from one that exposes only billing information. A breach during a period when iteration counts were inadequate is different from one when modern KDF parameters were in use. The specific technical details determine the practical risk.
What people usually assume
The assumption 'my passwords were encrypted so they are safe' is directionally correct but incomplete. Encrypted vault data forces the attacker to recover the master password before any credential can be read, and because the attacker holds a copy of the vault, that recovery is an offline brute-force: no server-side rate limit, lockout or second factor applies, and guesses run as fast as the attacker's hardware allows. Whether that is practical depends on two things: the entropy of the master password and the KDF iteration count, which multiplies the cost of every guess. A strong master password behind a modern iteration count means the vault contents are practically safe. A weak password or a low iteration count means they are at risk given enough time and compute. 'Encrypted' shifts the problem to the master password; it does not eliminate it.
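As an added illustration of the point above (example code written for this guide, not any password manager's implementation), the following Python models the offline attack: it derives a vault key with PBKDF2-HMAC-SHA256, tests candidate master passwords against a stored verifier, and estimates search time as entropy and iteration count change. The salt (the account e-mail), the verifier construction, the 5,000 / 100,100 / 600,000 iteration counts (the last roughly the current OWASP recommendation for PBKDF2-HMAC-SHA256) and the assumed throughput of 1e9 HMAC rounds per second are all assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Added example, not any vendor's code. Models the offline attack an adversary
# can run against a stolen vault backup: derive a key from each master-password
# guess with PBKDF2-HMAC-SHA256 and compare it against a stored key-check value.
# Assumptions (constructed for the example): the salt is the account e-mail and
# the server stores HMAC(key, "key-check") as the verifier.

SALT = b"alice@example.com"


def derive_key(master_password: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               SALT, iterations, dklen=32)


def key_check(key: bytes) -> bytes:
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def offline_crack(stored_check: bytes, candidates, iterations: int):
    """Dictionary attack. No server is involved, so no rate limiting or lockout
    applies; the only brake is the KDF cost per guess.
    Returns (recovered_password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(key_check(derive_key(guess, iterations)), stored_check):
            return guess, tried
    return None, tried


def expected_seconds(entropy_bits: float, iterations: int, rounds_per_second: float) -> float:
    """Expected time to recover a password of the given entropy: on average half
    the keyspace is searched, and each guess costs `iterations` HMAC rounds.
    rounds_per_second is the attacker's raw PBKDF2 throughput (an assumption
    about their hardware, not a measurement)."""
    guesses = 2.0 ** entropy_bits / 2
    return guesses * iterations / rounds_per_second


def measured_rounds_per_second(iterations: int = 20_000) -> float:
    """Single-core Python throughput, for scale; GPUs are orders of magnitude faster."""
    t0 = time.perf_counter()
    derive_key("benchmark", iterations)
    return iterations / (time.perf_counter() - t0)


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Weak master password at a low iteration count: the attacker's best case.
    stored = key_check(derive_key("summer2019", 5_000))
    wordlist = ["password", "letmein", "summer2018", "summer2019", "correct horse"]
    print("cracked:", offline_crack(stored, wordlist, 5_000))
    print(f"this machine: {measured_rounds_per_second():,.0f} rounds/s")

    gpu = 1e9  # assumed: ~1e9 HMAC-SHA256 rounds/s on one commodity GPU
    for bits in (30, 40, 60):
        for its in (5_000, 100_100, 600_000):
            print(f"{bits}-bit password, {its:>7} iterations: "
                  f"{human(expected_seconds(bits, its, gpu))}")
```

Note the scaling: each extra bit of password entropy doubles the attacker's work, and the iteration count multiplies it linearly. Moving from 5,000 to 600,000 iterations is a factor of 120, worth roughly seven bits of entropy, which is why the iteration count in force when a backup was taken matters almost as much as the password itself. Also note that a guess derived with the wrong iteration count never matches, so the attacker must know the count; in practice it is stored alongside the vault, which is an assumption in this example.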
The assumption 'if they can't read my passwords, the breach is harmless' misses what lives outside the encrypted vault. Some password managers store URL metadata — which website each vault entry belongs to — in plaintext; LastPass's vault format at the time of its 2022 breach is the best-known case. In a breach this yields a map of every service the user has an account on, readable the moment the backup is taken. That map enables targeted phishing that names the right services, credential stuffing aimed at exactly those sites, and social engineering built on the known account list. None of these attacks depend on the encrypted passwords ever being cracked.
The assumption 'I would know if my accounts were being accessed' is unreliable. Credential stuffing — testing stolen username/password pairs against services — is designed to look like normal login traffic. Account takeover often precedes visible damage by days or weeks. Unauthorised access to banking or email may be used for reconnaissance before any transaction or email is visible to the account holder.
What's actually true
The technical sequence in a vault-data breach: attacker obtains encrypted vault backups and associated metadata from the provider's servers. The encrypted content requires offline brute-force against the master password to access. The metadata — URLs, item counts, account email — is immediately readable. Attacker prioritises high-value targets: people whose URL metadata suggests access to financial services, corporate systems, or cryptocurrency. For those targets, the master password crack attempt begins immediately.
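The following added example (constructed for this guide, not taken from any vendor's format or from a real breach) shows what an attacker can do with a stolen backup before any cracking happens, covering both the plaintext-metadata point and the target prioritisation step above. It uses an illustrative layout in which the URL and account e-mail are plaintext while username and password are opaque ciphertext blobs, extracts the site map, and ranks targets with keyword lists that stand in for an attacker's own. All hostnames, keyword lists, weights and the stored iteration count are constructed assumptions.

```python
import base64
import os
from urllib.parse import urlparse

# Constructed sample of what a stolen vault backup looks like to the attacker.
# Illustrative layout, not any vendor's real format. Fields the client encrypted
# are {"iv": ..., "ct": ...} blobs that cannot be read without the master
# password. The URL, the account e-mail and the KDF iteration count are stored
# in the clear (an assumption for this example) and are readable immediately.


def _blob() -> dict:
    # stand-in ciphertext: random bytes, base64-encoded, constructed for the example
    return {"iv": base64.b64encode(os.urandom(16)).decode(),
            "ct": base64.b64encode(os.urandom(32)).decode()}


STOLEN_BACKUP = {
    "account_email": "alice@example.com",
    "kdf_iterations": 5000,
    "items": [
        {"url": "https://www.chase.com/login", "username": _blob(), "password": _blob()},
        {"url": "https://vpn.contoso-corp.example/", "username": _blob(), "password": _blob()},
        {"url": "https://www.coinbase.com/", "username": _blob(), "password": _blob()},
        {"url": "https://www.reddit.com/", "username": _blob(), "password": _blob()},
        {"url": "https://mail.google.com/", "username": _blob(), "password": _blob()},
    ],
}


def is_encrypted(value) -> bool:
    return isinstance(value, dict) and "iv" in value and "ct" in value


def readable_fields(item: dict) -> dict:
    """Everything in an item the attacker can read without cracking anything."""
    return {k: v for k, v in item.items() if not is_encrypted(v)}


def service_list(backup: dict) -> list:
    """The plaintext site map: every hostname the user has an entry for."""
    hosts = {urlparse(i["url"]).hostname for i in backup["items"]}
    return sorted(h for h in hosts if h)


# Hostname substrings an attacker might use to rank victims; illustrative only.
HIGH_VALUE = {
    "financial": ["chase", "bank", "paypal", "fidelity"],
    "crypto": ["coinbase", "binance", "kraken"],
    "corporate": ["vpn", "okta", "sso", "corp"],
    "email": ["mail.google", "outlook", "proton"],
}
WEIGHT = {"crypto": 5, "financial": 4, "corporate": 3, "email": 2}


def prioritise(backup: dict) -> list:
    """Rank hostnames by what an attacker gains from that account.
    Returns [(score, hostname, [categories])], highest score first."""
    ranked = []
    for host in service_list(backup):
        cats = [c for c, needles in HIGH_VALUE.items() if any(n in host for n in needles)]
        ranked.append((sum(WEIGHT[c] for c in cats), host, cats))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def crack_priority(backup: dict) -> float:
    """Expected payoff per unit of cracking effort: total target value divided by
    the KDF iteration count. Among many stolen vaults, the attacker starts with
    the highest value."""
    value = sum(score for score, _, _ in prioritise(backup))
    return value / backup["kdf_iterations"]


if __name__ == "__main__":
    print("readable without cracking:", readable_fields(STOLEN_BACKUP["items"][0]))
    print("site map:", service_list(STOLEN_BACKUP))
    for score, host, cats in prioritise(STOLEN_BACKUP):
        print(f"{score:>2}  {host:<28} {','.join(cats) or '-'}")
    print("crack priority:", crack_priority(STOLEN_BACKUP))
```

The ranking needs no key material at all, and it is the same ranking a defender should use when deciding which credentials to rotate first after a notification: the entries an attacker would crack first are the ones to change first.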
The time-bounded nature of credential exposure: encrypted vault data has a decay curve. As master passwords are changed and credentials are rotated, the stolen data loses value. An attacker has the highest leverage in the period immediately after a breach, before users are aware of the situation and before remediation begins. LastPass's delayed and staged disclosure — between August and December 2022 — extended the window during which users were unaware their vault data had been taken.
The permanent nature of metadata exposure: URL metadata, once taken in plaintext, cannot be recalled. Changing password managers, rotating credentials, and changing master passwords all address the credential risk. None of them change the fact that the attacker knows which services you use. This information is useful for future phishing campaigns and social engineering attempts regardless of whether any vault data is ever decrypted.
Where this leads
If you are reasoning about the 2022 LastPass breach specifically — what was taken, what the iteration count situation was, and how to assess your personal risk — the dedicated LastPass breach guide covers the incident in technical detail.
The LastPass 2022 breach — full technical breakdown
If you want a password manager where a future breach would not expose URL metadata in plaintext — Proton Pass encrypts all vault fields including URLs. A breach of Proton's servers would produce encrypted blobs with no readable site list.
Proton Pass — full metadata encryption architecture
If you want to understand what the right response is when you receive a breach notification from your password manager — the breach response guide covers priority order, what to change first, and how to think about the migration decision.
My password manager was breached — what to do now
Limits of this guide
This guide discusses vault-data breaches — incidents where encrypted credential content and associated metadata are taken. Not all security incidents affecting password manager companies produce this outcome. Infrastructure incidents, billing data exposures, and developer environment compromises have different risk profiles. The specifics of each incident matter.
The risk model described here addresses technical attack vectors. Social engineering and phishing attacks using information from a breach are harder to quantify and depend on individual circumstances. Users in high-visibility professional roles, those with known financial assets, or those whose account lists suggest particularly valuable access may face elevated targeted risk beyond the general population affected by a mass breach.
© 2026 Softplorer