Hackers are targeting your password manager app

Do you use 1Password, LastPass, NordPass, or any other password manager? You're not alone. According to a 2023 Security.org study, roughly one in three people use a password manager to secure their login information. Password managers make logging in to your apps, social media accounts, and other online services easy.

They're also increasingly being targeted by cybercriminals.

According to a new report from cybersecurity firm Picus Security, cyberattacks on password managers and similar services, such as browser-stored credentials, have tripled compared to the previous year. The firm detailed these findings in its Red Report 2025.

Researchers found that out of more than a million malware variants, 25 percent of all malware targeted password managers or other credential storage services.

"For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework," Picus Security said, referencing an industry framework for classifying cyberattacks.

According to Picus, cybercriminals are increasingly deploying multi-stage attacks, which the firm's researchers have dubbed "SneakThief." SneakThief describes a new type of malware attack that involves "increased stealth, persistence, and automation." These new malware attacks contain dozens of "malicious actions," which aid the hacker in gaining access and exporting data without getting caught.

With so many apps and online platforms to manage logins for, more internet users have adopted password storage utilities to help manage them all. But, in turn, hackers have adjusted their malicious campaigns to shift their focus towards password managers. And it makes sense. Why would a hacker put their time and effort into stealing a target's login credentials to just one service when they could steal all their login credentials? Why steal a key to open just one door when you can take the master key and access everything?

"Threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting, and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom," said Picus Security co-founder and VP of Picus Labs, Dr. Suleyman Ozarslan. "It’s vital that password managers are used in tandem with multi-factor authentication and that employees never reuse a password, especially for their password manager."