Password Managers Under Fire and Why Your SME Clients Can't Hide in Plain Sight


I’ve been digging through this week’s security news, and honestly, it feels like we’re watching some of our fundamental assumptions get challenged. Between password managers showing cracks in their armor and small businesses still thinking they’re invisible to attackers, there’s a lot to unpack here.

Password Managers: The Tools We Trust Most Are Getting Tested

Let’s start with what might be the most unsettling news for those of us who’ve been preaching the password manager gospel. Researchers just published findings showing that major cloud-based password managers—including Bitwarden, Dashlane, and LastPass—are vulnerable to password recovery attacks under specific conditions.

Now, before anyone panics and goes back to “Password123!”, let’s put this in perspective. The researchers, led by Matteo Scarlata and his team, identified 25 different attack vectors that could range from simple integrity violations all the way up to complete organizational vault compromises. That’s a pretty wide spectrum, and the “under certain conditions” part is crucial here.

What worries me isn’t necessarily that these vulnerabilities exist—any complex system will have edge cases. It’s that password recovery mechanisms, by their very nature, have to balance security with usability. When someone forgets their master password, there has to be a way back in. But every recovery path is potentially an attack path.

The timing is particularly interesting given that we’re still dealing with the fallout from previous LastPass breaches. This research suggests the problem isn’t just about one company’s implementation—it’s about fundamental challenges in how we approach password recovery in a zero-knowledge architecture.

The Eurail Breach: When Travel Data Becomes Dark Web Currency

Speaking of data ending up where it shouldn’t, Eurail confirmed that traveler data stolen in an earlier breach is now being sold on the dark web. For those who might not be familiar, Eurail operates access to 250,000 kilometers of European railways—that’s a massive network touching millions of travelers.

What strikes me about this incident is the lifecycle we’re seeing play out. Breach happens, company investigates, and then months later the data surfaces for sale. It’s become such a predictable pattern that we almost treat it as routine, but think about what that data represents: travel patterns, personal information, payment details. In the wrong hands, that’s not just identity theft material—it’s intelligence about people’s movements and habits.

This is exactly why we need to keep hammering home the message that breach response isn’t over when you’ve patched the hole and sent the notification letters. The real impact often comes later, when that data gets weaponized.

Small Businesses: Still Playing Hide and Seek with Reality

Here’s something that continues to frustrate me: the persistent myth that small and medium enterprises can fly under the radar of cybercriminals. NCSC’s Richard Horne just had to come out and explicitly warn SMEs that attackers don’t care about business size.

I’ve seen this attitude firsthand when talking to smaller clients. “We’re too small to be a target” or “Who would want our data?” But here’s the reality—automated attacks don’t discriminate based on company size. Ransomware operators aren’t sitting around researching Fortune 500 companies; they’re casting wide nets and hitting whoever they can.

The NCSC warning comes at a critical time because SMEs often lack dedicated security staff and budget for enterprise-grade solutions. But that doesn’t mean they should throw up their hands. Basic hygiene—regular updates, employee training, backup strategies—can prevent the majority of successful attacks.

What’s particularly concerning is that SMEs often become stepping stones to larger targets. Your small accounting firm might not seem valuable until attackers realize you have access to dozens of client networks.

Android 17: Security by Default Getting Stronger

On a more positive note, Android 17 Beta is pushing forward with stronger secure-by-default design for both privacy and app security. While we don’t have all the technical details yet, this continues Google’s trend of making security the default rather than an opt-in feature.

This matters because most users never change default settings. When security features require active user engagement, adoption rates plummet. By building security into the foundation, Android is acknowledging that user behavior isn’t going to change—so the platform has to compensate.

What This Means for Our Daily Work

Looking at these stories together, I see a few themes emerging. First, our trusted tools aren’t infallible, and we need to plan accordingly. That doesn’t mean abandoning password managers, but it does mean understanding their limitations and having contingency plans.

Second, the threat landscape really doesn’t care about company size or industry. Every organization needs to take basic security seriously, and those of us in consulting roles need to keep making that case to smaller clients.

Finally, the shift toward secure-by-default design in platforms like Android gives me hope that we’re slowly moving away from expecting users to make perfect security decisions every time.

We’re not in a crisis, but we are in a period where some fundamental assumptions are getting stress-tested. That’s not necessarily bad—it’s how we improve.
