Are data breaches good for password manager apps?
Jan 23, 2019
Why do people install password managers? Okay, duh. They want an easy way to manage their passwords. But what if there was another reason? What if one of the factors driving the success of apps like Dashlane and LastPass is a greater awareness of corporate data breaches by the general public? It’s not entirely implausible.
The past three years have seen countless corporate giants ensnared by catastrophic data breaches. These well-known (but unfortunate) titans of industry include Equifax, Uber, LinkedIn and Marriott Hotels. In each of these examples, news of the breach spread far beyond the niche technology press, and was covered by well-known mainstream publications and broadcasters.
The number of password manager apps added to the app stores peaked overall in 2016 (180), but Google Play saw its most debuts in 2017, with 92.
Apptopia looked at historical download figures from several of the biggest mobile password managers. We wanted to see if there’s a correlation between spectacular security snafus and password manager adoption.
Meet the contenders
Let’s get acquainted with the heroes of this blog post. Of course, I’m talking about the password managers we’re going to look at.
Why did we select these ones specifically? They’re amongst the biggest in terms of downloads, average DAUs (daily active users), and IAP (in-app purchase) revenue. One would assume that with larger activity numbers, it’ll be easier to observe meaningful shifts in usage patterns.
For each of these apps, we aggregated the figures across both the Google Play Store and Apple’s iOS App Store.
What’s interesting is that each of these statistics -- but especially download numbers -- fluctuates massively month-over-month. Take LastPass for example. In January 2018, it received a respectable 329,000 downloads. The following month, this nosedived to 270,000 downloads.
Similarly, Dashlane was downloaded 173,000 times during December 2017. The next month, this number soared to an impressive 217,000 downloads -- a 25% increase.
Across our sample of apps, overall download numbers don’t appear to be seasonal. They shift dramatically from month-to-month, displaying no obvious pattern. Could it be the case that these figures are intrinsically linked to the cybersecurity news cycle?
On June 5, 2012, LinkedIn fell victim to a massive data breach. A hacker managed to gain access to the internal systems of the world’s biggest professional social network and proceeded to download the personal details of over 167 million users.
But wait, it gets worse. Four years later, the same leaked details ended up splashed across the dark web for any digital ne’er-do-well to access. On May 18, 2016, reporters from Vice’s Motherboard publication obtained a subset of the data from Leaked Source -- a paid search engine for stolen user data.
Matters were complicated massively by the fact that LinkedIn failed to use the most basic password security. Here’s where I have to get technical. Bear with me.
When a website handles passwords, it’s critical that it stores them in a form that cannot be read by the site itself, or by any unwelcome third party. This is done through a process called hashing and salting. LinkedIn did the first bit, but failed to use a salt. The end result was that it was trivial for any seasoned hacker (Get it? Seasoned? Sorry, couldn’t resist) to crack a password and read it in plaintext.
What does this mean? Essentially, if you’ve committed the cardinal security sin of using your LinkedIn password anywhere else, the risk of that account getting hacked is infinitely higher.
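To make the missing salt concrete, here is an added example (not from the original post or from LinkedIn's systems) that stores the same accounts once with a bare fast hash and once with a per-user salt and a slow key-derivation function. The account names, passwords, the use of SHA-1 as the fast hash and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; two users happen to share a password.
ACCOUNTS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "tr0ub4dor&3"}
ITERATIONS = 600_000  # PBKDF2 work factor assumed for this example

def unsalted_sha1(password):
    """Weak scheme: a bare, fast hash with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password):
    """Random per-user salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)

def users_sharing_a_digest(stored):
    """Group usernames by stored digest; a group larger than one reveals a shared password."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def demo():
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    records = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    strong = {u: digest for u, (salt, digest) in records.items()}
    return users_sharing_a_digest(weak), users_sharing_a_digest(strong), records

if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("unsalted SHA-1, users with identical digests:", weak_groups)
    print("salted PBKDF2, users with identical digests:", strong_groups)
```

Without a salt, every account with the same password carries the same digest, so one precomputed table applies to the whole dump; with a per-user salt each record has to be attacked on its own.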
Like I said, it got worse. But what did this mean for the password manager industry?
Let’s first cast our eyes on Keeper. May 2016 was a markedly successful month for this password manager, as it almost doubled its download figures (300,000 versus 167,000 downloads in April 2016). Average DAUs improved modestly to 265,000, compared to 221,000 the previous month. Similarly, IAP revenue grew from $1,755,000 to $1,802,000.
Figures for LastPass are less impressive. Downloads jumped by a mere 12,000 in May compared to April, and increased by just 17,000. In-app purchase revenue was $581,000 compared to $556,000 the previous month. While there’s an increase in figures across the board, it’s far less dramatic than the one enjoyed by Keeper.
Download figures for Dashlane actually declined by over 7,000 during May 2016. Curiously though, the company saw a modest bump in daily active users (4,000 over the previous month), and a more significant bump in in-app purchases (an increase of $35,585 over April’s figures).
Marriott International is the world’s biggest hotel chain. On November 30, 2018, the company declared that hackers had managed to access the records of 500 million customers. The stolen data primarily consisted of biographical information, as well as passport details and encrypted credit card information.
While the hotel chain didn’t say that passwords were stolen, it did explicitly recommend that members of Starwood Preferred Guests (SPG), Marriott’s loyalty program, change their passwords. This advice was echoed in several mainstream publications, including the UK broadsheet newspaper The Telegraph, technology magazine of record Wired, and Business Insider.
The Marriott breach was arguably the biggest data breach of 2018, both in terms of people affected and potential damage inflicted. But is this enough to get people to download a password manager?
Let’s look at the numbers. Given the incident took place right at the end of November, we’re going to look at the download and usage numbers for December.
First up on our list is Keeper. Downloads increased slightly -- but only ever so -- in December 2018 (139,000 versus 131,000, for a difference of 8,000). As for average DAUs, these actually declined by almost 7,000, while IAPs saw a barely noticeable bump of $1,200.
So, what about LastPass? Well, it’s a completely different story. Downloads soared to nearly 505,000 from a respectable 365,000. Average DAUs similarly saw a decent bump, going from 490,000 to 541,000. That’s a difference of 51,000. Unfortunately, those extra users didn’t really translate into more money. IAP volume remained fairly flat, increasing modestly from $111,000 the previous month to just over $125,000.
Finally, there’s Dashlane, which saw its downloads and active users decline slightly. IAP revenue took the biggest hit, going down 17%.
Looking at the numbers, it’s clear to see that our selection of password managers enjoyed mixed fortunes, and didn’t really benefit from a “breach bump.” This is especially surprising considering that just five days after Marriott fessed up to its own security woes, hugely popular Q&A site Quora announced that hackers had made off with the details of 100 million of its users.
Everyone knows Uber. But prior to November 22, 2017, not everyone knew that the controversial ridesharing company had fallen victim to a security breach in late 2016 that ensnared 57 million users, including over 600,000 of its partner drivers.
Why was it such a secret? Well, Uber’s then-CEO Travis Kalanick paid the hackers a hefty ransom to keep quiet. It was only when Dara Khosrowshahi took the reins of the company that it declared the hugely damaging incident to the public.
With news of the breach circulating far beyond the insular tech world, surely people will take proactive action to protect themselves, right?
Sadly, it doesn’t look that way, at least not in any dramatic fashion. As with the Marriott International breach, download and revenue figures are a bit of a mixed bag.
As before, we’ll first look at Keeper. Comparing the 30 days before and after the news cycle, IAP revenue increased by a smidge ($1,293), but downloads rose 12.5%. Moving on to LastPass, we see downloads also got a small boost of 5.5% but revenue fell from $117,390 to $106,275. The popular Dashlane password manager experienced a similar fate. Revenue essentially stood still and downloads actually fell from 311,259 to 300,076.
Maybe it’s something else?
In this post, we looked at three of the most catastrophic data breaches in recent years. Did we find a connection between security incidents and uptake of mobile password managers? There's no concrete link. Dashlane declined in month-over-month downloads after each breach, but its top competitors did gain. Revenue is much less correlated.
So let’s look elsewhere. One thing to consider is that mobile password managers don’t have the same appeal as their desktop counterparts. After all, if you’re storing multiple complex passwords for corporate IT systems, chances are high you’ll log into these accounts from a traditional desktop or laptop computer.
Another thing to consider is that many of the companies behind the biggest password managers right now are advertising heavily. Dashlane, for example, closed a $10M debt funding round last year. Much of that cash has been spent on a significant influencer marketing campaign focusing on the YouTube community.
It stands to reason that a well-funded and well-executed marketing campaign could break Dashlane from the shackles of the security news cycle, and help attract a new cadre of users.
I hate to end an article with more ambiguity, so let’s make one thing clear: if you’re not using a password manager, you’re doing a bad job of protecting yourself online. Not only do they make it easier for you to use strong, unique passwords, they’ll make you more efficient by allowing you to log into websites at lightning speed.
Find a reputable one that works for you, and then use it!