Grand and Bruno made a video explaining the technical details.
RoboForm, created by American Siber Systems, was one of the first password managers on the market and currently has over 6 million users worldwide, according to a company report. In 2015, Siber appeared to fix the RoboForm password manager. In a cursory look, Grand and Bruno couldn't find any sign that the pseudo-random number generator in the 2015 version was using the computer's time, leading them to believe Siber removed it to fix the bug, though Grand says that they would have to investigate this more thoroughly to be sure.
Siber Systems confirmed to WIRED that it resolved the issue with version 7.9.14 of RoboForm, released on June 10, 2015, but a spokesperson declined to answer questions about how it did so. A changelog on the company's website only mentions that Siber's programmers made changes to “increase the randomness of the generated passwords,” but it doesn't say how they did this. Siber spokesperson Simon Davis says that “RoboForm 7 was discontinued in 2017.”
Grand says that without knowing how Siber fixed the problem, attackers may still be able to regenerate passwords generated by versions of RoboForm released before the fix in 2015. He also isn't sure if current versions contain the problem.
“I'm still not sure I would trust it without knowing how they actually improved password generation in more recent versions,” he says. “I'm not sure RoboForm knew how bad this particular weakness was.”
Customers may also still be using passwords generated before the fix with early versions of the program. It doesn't appear that Siber ever informed customers, when it released the fixed version 7.9.14 in 2015, that they needed to generate new passwords for critical accounts or data. The company did not respond to a question about this.
If Siber did not inform customers, it would mean that anyone like Michael, who used RoboForm to generate passwords before 2015 (and still uses those passwords), may have vulnerable passwords that hackers could regenerate.
“We know that most people don't change their passwords unless they're asked to,” says Grand. “Of the 935 passwords in my password manager (not RoboForm), 220 are from 2015 and earlier, and most are [for] sites I still use.”
Depending on what the company did to fix the problem in 2015, newer passwords could also be vulnerable.
Last November, Grand and Bruno withdrew a percentage of the bitcoins from Michael's account as payment for the work they did, then gave him the password to access the rest. Bitcoin was worth $38,000 per coin at the time. Michael waited until it rose to $62,000 per coin and sold some of it. He now has 30 BTC, currently worth $3 million, and is waiting for the value to rise to $100,000 per coin.
Michael says he's lucky he lost the password years ago, because otherwise he would have sold the bitcoin when it was worth $40,000 per coin and missed out on a bigger fortune.
“The fact that I lost the password was a good thing from a financial point of view.”