Has Keeper Ever Been Hacked?

No. Keeper® has never been hacked or breached. In this article, we’ll examine why millions of consumers and thousands of businesses around the world trust Keeper to protect their passwords and other private information.

What Is Keeper Security?

Keeper Security is transforming the way organizations and individuals protect their passwords and sensitive digital assets by significantly reducing password-related data breaches and cyber threats. 

Keeper is the leading provider of zero-knowledge security and encryption software covering password, passkey, secrets, connection and privileged access management, as well as dark web monitoring, digital file storage, encrypted messaging and more. We protect both consumers as well as businesses of all sizes across every major industry sector. Keeper holds the longest-standing SOC 2 and ISO27001 certification in the industry, and we are FIPS 140-2 and FedRAMP Authorized.  

Keeper has been named PC Magazine’s Best Password Manager and an Editors’ Choice, Best Overall Password Manager by U.S. News & World Report, G2 Enterprise Leader, Hot Company in IAM, Most Innovative in Endpoint Security and Cutting Edge in Security Company of the Year. Keeper has more than 275,000 5-star reviews in the app stores.

Keeper for Consumers & Families

The Keeper Password Manager for consumers and families stores all of your passwords, MFA codes and a range of other sensitive data in a secure digital web vault with the ability to autofill your login credentials on all of your websites and apps. Our consumer solutions utilize the same proprietary zero-knowledge encryption as our commercial products, putting enterprise-grade security into the hands of consumers. Only the user can access and decrypt their stored passwords and files. Nobody else can access our users’ master passwords, encryption keys or vault contents – not even Keeper’s own employees.

Keeper for Organizations

Keeper’s enterprise password management and security platform:

• Provides each employee with a secure, encrypted digital vault in which to store their passwords, files and other sensitive data. Employees can access their vault from virtually any device and from all major web browsers, automatically generate unique, complex passwords for all of their accounts and automatically fill their login credentials into all of their sites and apps.
• Gives IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, Two-Factor Authentication (2FA), Role-Based Access Control (RBAC) and other security policies.

Is Keeper Safe to Use?

Keeper is entirely safe to use. Keeper’s own employees use our password manager internally to protect company passwords and data and securely share files.

Keeper is a zero-trust and zero-knowledge security provider. All encryption and decryption occur only on the user’s device upon logging into the vault, which means that the Keeper user is the only person who can encrypt and decrypt their data.

Keeper’s secure, reliable cloud vault is protected by APIs, which are validated through authorization by the client device. The client retrieves a session token upon login and sends it with each API call. The session token is tracked on the server. Login is performed either by a private Master Password or SAML 2.0 Single Sign-On (SSO) authentication.

When using a master password to log in, the client device derives a 256-bit authentication key using PBKDF2-HMAC-SHA256 and a random salt. An authentication hash is generated by hashing the authentication key using SHA-256. To log in, the authentication hash is compared against a stored authentication hash on the cloud security vault. After login, a session token is generated on the server and sent to the client to be used by the client device for subsequent API requests. The session must be active to allow continued use of client-to-server communications.

Keeper utilizes FIPS 140-2 validated encryption modules to address rigorous government and public sector security requirements. Keeper’s encryption has been certified by the NIST CMVP and validated to the FIPS 140 standard by accredited third-party laboratories. 

Additional details regarding Keeper’s authentication and encryption model can be found in our online knowledge base.

Keeper provides support for the most popular and secure 2FA methods available: SMS, TOTP-based Authenticator apps like Google or Microsoft Authenticator, RSA SecurID, DUO Security, Keeper DNA (wearable device authentication with Apple Watch and Android Wear devices) and FIDO2 WebAuthn devices like Yubikey. Organizations can enforce 2FA using Keeper’s Role-Based Enforcement Policies.

Has Keeper Ever Been Hacked?

No, Keeper has never been hacked. In 2017, a security researcher found a bug in the Keeper Browser Extension, which is a separate application from the Keeper Desktop app. We patched the bug within 24 hours of confirming it, deprecated previous versions of the Keeper Browser Extension and reported the incident on our blog. We followed up with a second blog further explaining the situation to our customers and assuring them that there was no reported or actual security breach or loss of customer information in connection with this bug.

A lot has changed since 2017! Keeper has partnered with Bugcrowd to manage our bug bounty and vulnerability disclosure program (VDP). The Keeper Security VDP can be found at https://bugcrowd.com/keepersecurity.

Further, Keeper began working with world-renowned leader NCC Group and CyberTest to perform quarterly pen testing. The results of our quarterly pen tests are available to our business customers upon execution of a mutual Non-Disclosure Agreement (NDA). If your organization would like a copy, please contact our sales team.

Keeper also adheres to very strict internal security practices that are regularly audited by third parties to help ensure that we continue to develop secure software and provide the world’s most secure cybersecurity platform, including the following:

• Keeper uses GitHub vulnerability scanning to monitor for vulnerabilities in dependencies and CodeQL for automated source code analysis. 
• Keeper performs SAST/DAST using Github Enterprise built-in CodeQL tools, as well as periodic testing with Synopsys / Black Duck. Keeper’s engineering team reviews the static analysis output to determine valid findings.
• Keeper embraces and incorporates the best practices and recommendations provided in the OWASP Developer’s Guide and OWASP Cheat Sheet Series to implement and enhance our secure software engineering. Keeper utilizes the OWASP Testing Guide and/or OWASP Code Review Guide to find and mitigate vulnerabilities in our service/application.
• Keeper performs all software development in-house, on local development workstations. We do not give third parties technical access to our systems.
• Each project typically consists of a GitHub repository, a Jira project, a Kanban board and a GitHub Actions build pipeline. As software is developed, the GitHub repo is updated with regular commits. Automated GitHub Actions builds are either on commit or in regular dedicated build intervals. Jira tickets and Kanban boards are used to organize project development.
• Prior to QA acceptance, all source code undergoes peer review from the team lead, which includes security checks, unauthorized access, data injection attacks, etc. 
• Hardening and customization of server OS, web servers, app servers, DB servers are standardized using configuration templates and scripted API calls to Amazon AWS.
• Keeper performs monthly and daily vulnerability scanning of Keeper’s system infrastructure. 
• Keeper performs both internal and external penetration tests on a regular basis. Penetration tests are performed on a monthly basis using a combination of third-party services and internal tools and systems.
• Critical vulnerabilities are patched within 48 hours, and non-critical (medium) vulnerabilities are patched within 10 business days.

Keeper Certifications and Compliance

Keeper is the most secure, certified, tested and audited password security platform in the world. Keeper holds the longest standing SOC 2 and ISO 27001 certifications in the industry. Keeper is FedRAMP and StateRAMP Authorized and is certified by TrustArc for online privacy according to the Data Privacy Framework (DPA). Business customers may obtain copies of our SOC 2 and ISO 27001 reports by contacting our sales team.

Keeper is compliant with the GDPR, CCPA, PCI DSS and HIPAA, and we are U.S. Department of Commerce Export Licensed Under EAR. We comply with all local regulatory data security requirements and are certified by TrustArc for online privacy. 

The GDPR identifies two entities that may process personal data. A data controller decides which data to collect and what processing of personal data is done. A data processor acts at the direction of a data controller to collect, store, retrieve and/or delete personal data. Keeper Security is a data controller when we sell our password manager directly to consumers. We are a data processor when we sell to businesses, who in turn would be considered the data controllers.

For more information on Keeper’s GDPR compliance, or to download GDPR download data processing agreements, please visit https://www.keepersecurity.com/GDPR.html

As a FedRAMP Authorized (Moderate Impact) cloud services provider, Keeper is well-positioned to help organizations comply with the International Traffic in Arms Regulation (ITAR), which regulates U.S. imports and exports of space- and defense-related articles and services.

For more information on our compliance certifications, please visit https://www.keepersecurity.com/security.html?s=compliance

Keeper Is FedRAMP Authorized

Keeper Security Government Cloud (KSGC) is FedRAMP Authorized on the Moderate Impact Level. Let’s talk about what that means.

The Federal Risk and Authorization Management Program (FedRAMP) was created by the U.S. government to achieve a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Federal agencies are required to use FedRAMP-certified cloud services. 

To be listed in the FedRAMP Marketplace, cloud service providers (CSPs) like Keeper must undergo a months-long, rigorous authorization process that includes a highly detailed audit of all systems. Even after achieving FedRAMP Authorization, the CSP’s work isn’t done! The CSP must continuously maintain its systems to meet FedRAMP requirements. The FedRAMP program verifies this by requiring the CSP to provide monthly continuous monitoring deliverables to the Agencies using their service, including an updated Plan of Action and Milestones (POA&M) report and scan results/reports. Additionally, the CSP must also complete an annual security assessment.

While FedRAMP was designed for federal government agencies, choosing a FedRAMP and StateRAMP Authorized password management solution such as Keeper Security Government Cloud is also beneficial for state and local government agencies, as well as private-sector organizations in highly regulated industries.