Turns out even LastPass, a service promoted as a password "vault," might be putting its users at risk of being hacked. A security researcher with an established record of tracking down security flaws has found a so-called zero-day hole that could let hackers remotely break into LastPass' millions of accounts.
It takes only a visit to a malicious website to become a victim. White-hat researcher Tavis Ormandy was first to identify the problem, publishing a tweet. Ormandy followed up with a tweet saying that he had sent a full report to LastPass and would next look at a rival password manager, 1Password.
At ShmooCon on Saturday, Sean Cassidy, the CTO of Praesidio, demonstrated a clever attack against LastPass, which is possible thanks to a security trade-off and easily spoofed UX elements.
Cassidy’s presentation at ShmooCon outlined a clever phishing attack against LastPass users, which is made possible by design elements within the password manager’s core functions. The attack, which doesn’t require any special skill or circumstance to accomplish, enables an attacker to steal a LastPass customer’s entire online existence, as everything stored by the LastPass service is exposed.
A series of flaws, bad security practices and design issues exposed the passwords of LastPass users to various types of attacks, researchers have demonstrated.
LastPass is a popular single-sign-on and password management service that is reportedly used by more than 10,000 organizations. LastPass says it has no access to user data and boasts features such as local and secure encryption, secure encryption keys, and secure storage. LastPass’ features and design should in theory make it difficult for an unauthorized party to gain access to passwords, whether they are trying to obtain the information from the user or from the company’s systems.
An online password manager can make your life much easier by automatically entering individual passwords for each website and service you visit. It is a very convenient tool – unless it is hacked.
In that instance, by compromising a single password, cyber criminals can gain access to invaluable information, including banking credentials. LastPass, a popular password manager, has recently disclosed a network breach. Attackers compromised user email addresses, password reminders, per-user salts and authentication hashes. The passwords themselves were not compromised, as the service doesn’t store them in its cloud.