Can a password manager itself get hacked?
The companies behind them can be breached; it happened to LastPass in late 2022. But with a well-built zero-knowledge manager, your passwords stay encrypted, and cracking them depends on the strength of your master password. Pick an audited service and make that master password long.
The honest answer is yes: security companies get attacked too. The best-known example is LastPass, where attackers stole encrypted vault backups in late 2022. That incident, and especially the rocky communication around it, is why we only recommend LastPass to people already settled there. The lesson: the difference is not whether a company gets attacked, but what an attacker actually obtains and how the company responds.
With a properly built zero-knowledge manager, the loot is unreadable without your master password. Its strength then decides everything: a long passphrase withstands even targeted cracking of stolen vaults. 1Password's extra Secret Key makes that route practically impossible, and open source services like Bitwarden and Proton Pass let the whole world and auditors inspect their architecture.
Keep the alternative in mind, because it matters more than the risk: without a manager you reuse passwords, and then every webshop breach is immediately your problem. An audited manager with a strong master password and 2FA remains the safest place for your digital life.