Back to Blog
Reading time: 7 minutes  |  Last updated: July 17, 2026  |  Category: Cybersecurity

By T.O. Mercer · July 17, 2026 · 7 min read

Is Passwork Safe? The "Made in Europe" Vault Built in Russia

If you are asking whether Passwork is safe to use, the short answer as of July 2026: there is no published evidence of a breach or exploitation, but a five-outlet investigation just found that this "made in the EU" password manager was developed in Russia, where its sibling product serves Gazprom, the Ministry of Defense, and the FSB. European customers, including Irish government agencies and a Dutch solar grid operator, were never told. Whether Passwork is safe now depends on how much you trust a vendor that hid where it came from. This post walks through who owns Passwork, what the real risk is, and what to switch to if you decide the answer is not enough.

Key takeaways
  • A joint investigation by Investico, NU.nl, De Groene Amsterdammer, Le Monde, and De Tijd found that Passwork, a password manager marketed as European with headquarters in Barcelona, was originally developed in Russia in 2014.
  • A Russian version of the software is still sold inside Russia. Its users reportedly include Gazprom, Transneft, the Russian Ministry of Defense, and the FSB.
  • European customers included Irish government agencies, Dutch solar operator Novar, and a French port operator. These are exactly the critical-infrastructure targets hostile states care about.
  • The core risk is not where the servers sit. It is shared code. Security experts warn that technical overlap between the Russian and European versions could give Moscow deep insight into the software and its flaws.
  • Passwork's CEO says the European business runs on German servers and shares no systems or customer data with the Russian company. Even if that is entirely true, customers had no way to evaluate the claim, because the origin was never disclosed.
  • The fix is a vetting habit, not panic: six checks, below, that take 20 minutes and would have caught this.
If your organization uses Passwork

Do not delete anything yet. Export your vault, then rotate credentials in order of blast radius: shared admin passwords first, then cloud and API keys, then everything else. Treat migration to an independently audited manager with transparent ownership as a this-quarter project, not a someday project. Detailed steps below.

What happened

Passwork sells itself as a sovereignty story. Its English-language site describes a company founded in Finland in 2017 that recently moved its headquarters to Barcelona, positioning the product as developed in Europe with full GDPR and NIS2 compliance. For a European government agency shopping for a credential vault after two years of "buy European" procurement pressure, that pitch lands perfectly.

According to the investigation, the story is backwards. Passwork was developed in Russia in 2014, and the company was moved to Spain after Russia invaded Ukraine. The Russian-market version never went away. It is still available in Russia and is reportedly used by state-owned energy giants Gazprom and Transneft, the Ministry of Defense, and the Federal Security Service.

Sit with that customer list for a second. The same product family protects the credentials of Irish government agencies and the FSB. I have written about a lot of messy vendor stories on this site, and this one is unusual because nothing here required a breach or an exploit. The exposure was created entirely at the procurement stage, by a marketing claim nobody checked.

Who owns Passwork? The sovereignty shell game

Passwork's CEO, Alexander Muntyan, told the investigators that the European business licenses the software through an entity in the UAE that is run by the original Russian founders. He says the European operation runs on servers in Germany and shares no servers, systems, or customer data with the Russian company.

Take that at face value for a moment. A Russian-founded product, licensed through a UAE holding entity, operated from Spain, hosted in Germany, marketed as Finnish-then-Barcelona. Every individual link in that chain may be legal. The chain as a whole is designed to make the question "where is this software actually from?" nearly impossible for a buyer to answer. When a vendor's corporate structure works that hard to blur the origin of a product whose entire job is holding your master credentials, that is not a neutral fact. That is the finding.

Is Passwork safe to use right now?

This is the part most coverage skips, and it is the part that matters for anyone evaluating any security tool. "The servers are in Germany" does not settle the question.

Server location answers one question: which government can subpoena the hardware. It does not answer the more dangerous question: who understands the codebase better than you do. Bart van den Berg, who heads the security unit at the Clingendael Institute, warned investigators that the Russian links could give the Kremlin extensive insight into the software and its weaknesses, and that technical similarity between the Russian and European versions means a flaw found in one is likely a flaw in the other.

That is the real threat model. If the two versions share significant code, then the people with the deepest knowledge of that code, its architecture, and its historical vulnerabilities operate inside a state that has spent a decade weaponizing exactly this kind of access. Nobody needs a backdoor when they have a decade head start on finding the front door's defects. Van den Berg put the stakes plainly regarding Novar, the Dutch solar operator on Passwork's customer list, noting that seizing control of its panels could black out parts of the Netherlands: "This is far more effective than a plane or a bomb."

I want to be fair here: no evidence has surfaced that Passwork's European product has been exploited, and the company denies any data sharing. The problem is that customers were never given the information needed to price this risk in the first place. You cannot consent to a risk you were never told about.

Claim vs. finding

Passwork's positioning What the investigation found
Founded in Finland in 2017 Developed in Russia in 2014
"Made in the EU" Moved to Spain after the invasion of Ukraine
European company Licensed via a UAE entity run by the Russian founders
Data sovereignty for EU clients Sibling product still sold in Russia to state entities
Independent European operation Reported technical similarity between the two versions

This is becoming a pattern

Passwork is the second "sovereign European software" story to collapse this summer. Euro-Office, launched in June as a European alternative to Microsoft 365, turned out to be a fork of OnlyOffice, a product that originated in Russia and is now registered in Latvia. Same playbook: Russian-origin code, a European corporate wrapper, and sovereignty as the sales pitch.

The demand side explains it. European procurement is actively hunting for non-American, non-Chinese software right now, and "made in the EU" has become a premium label. Premium labels attract counterfeits. Expect more of these.

The 6 checks that would have caught this

This is the section to bookmark, because it applies to every password manager, not just Passwork. Before you trust a vault with your master credentials, spend 20 minutes on these:

  1. Trace the ownership, not the headquarters. A Barcelona office is a lease. Look up the actual corporate registration, the parent entity, and the founders' history. If ownership runs through a holding company in a third jurisdiction, ask the vendor directly who ultimately controls the product. A serious vendor answers in one email.
  2. Check the product's birth certificate. Search the earliest press mentions, archived versions of the website (the Wayback Machine is free), old app store listings, and founder LinkedIn histories. Passwork's 2014 Russian origin was not deeply hidden. It was simply never surfaced by anyone during procurement.
  3. Demand named, recent, independent audits. Not "audited." Named firm, published report, dated within roughly two years, covering the actual product you would deploy. An audit of a different regional version of the software tells you nothing about yours.
  4. Ask the fork question. If regional versions of the product exist, ask how much code they share and who commits to each. Shared code means shared vulnerabilities, regardless of whose flag is on the marketing site.
  5. Weigh jurisdiction as a threat, not a checkbox. The question is not "is the vendor's country friendly today" but "if this vendor's origin state turned hostile, what could it see or break?" For a password manager, the honest answer to "what could it break" is: everything downstream.
  6. Verify the encryption claim independently. True zero-knowledge architecture, where the vendor mathematically cannot read your vault, is your last line of defense if every other check fails. It should be documented, audited, and specific, not a marketing adjective. If you want a refresher on what actually protects a credential at rest, our password length guide covers the math that holds up in 2026.

If you are a Passwork customer

  1. Export your vault now, while you have clean access, and store the export encrypted.
  2. Rotate in blast-radius order. Shared admin and infrastructure passwords first, then cloud and API keys, then SSH keys, then standard account passwords. Our password checker will tell you which of your current credentials were weak enough to worry about twice, and the generator will produce replacements in seconds.
  3. Migrate to a manager that passes the six checks above. Transparent ownership, published audits, zero-knowledge architecture, no mystery forks.
  4. If you are a government or critical-infrastructure org, loop in your national CERT. The Irish agencies on this customer list almost certainly were not the only public-sector users.

The lesson for the rest of us

Most breaches I cover on this site are boring in the same way: a reused password, a system that trusted too much. This one is different and worth remembering for that reason. Nothing was hacked. The failure was that organizations handed their most sensitive asset, their credential vault, to a vendor based on a country-of-origin claim that a 20-minute search would have unraveled.

Your password manager is the one vendor you cannot afford to vet lazily. It does not hold some of your secrets. It holds the keys to all of them.

Passwork alternatives: what to switch to

Run any Passwork alternative through the six checks above before you commit. Three that pass cleanly as of July 2026:

Alternative Ownership Audits Why it clears the bar
NordPass Nord Security, Lithuania, founders public Cure53, published Zero-knowledge XChaCha20, no regional forks, transparent corporate chain
Bitwarden Bitwarden Inc., USA Multiple published third-party audits Open source, so the "who knows the codebase" question has a public answer. Mind the recent pricing changes though
Proton Pass Proton AG, Switzerland Cure53, published Swiss jurisdiction, open source clients, privacy-first parent company

On Passwork vs NordPass specifically, since that is the migration most business users will weigh: NordPass is the closest functional swap for team credential sharing, and it is the one whose ownership trail you can verify in a single afternoon. That contrast is the entire lesson of this story.

Pick a vault that survives the 6 checks

Try NordPass

I will hold NordPass to the same standard I just applied to Passwork, because that is the whole point. Ownership: Nord Security, headquartered in Lithuania, founders public, no holding-company maze. Audits: independently assessed by Cure53, reports published. Architecture: zero-knowledge with XChaCha20 encryption, meaning NordPass cannot read your vault even under compulsion. No regional fork serving a rival state's security services. It is not perfect software (nothing is), but it is exactly the kind of transparent, verifiable vendor this whole mess argues for.

Get NordPass →

Affiliate link. We earn a small commission if you subscribe, at no extra cost to you.

Frequently asked questions

Is Passwork safe to use?

No breach or exploitation of Passwork's European product has been published as of July 2026. The safety concern is structural: investigators found the software was developed in Russia, a fact the company did not disclose, and experts warn that code shared with the Russian version could expose European customers to vulnerabilities known in Moscow. Safe enough is a judgment call; informed consent was never on offer.

Is Passwork a Russian company?

Passwork presents itself as European, founded in Finland with headquarters in Barcelona. The joint investigation by Investico, Le Monde, and three other outlets found it was developed in Russia in 2014 and moved to Spain after the invasion of Ukraine, with the European license held by a UAE entity run by the Russian founders. A Russian version is still sold in Russia.

Who owns Passwork?

The European business operates from Barcelona under CEO Alexander Muntyan, licensed through a UAE-based entity controlled by the original Russian founders. The company says it runs on German servers and shares no systems or customer data with the Russian operation.

Was Passwork breached or hacked?

No. Nothing in the investigation involves a hack, a leak, or stolen data. The finding is about undisclosed origin and ownership, not a security incident. If you searched "Passwork data breach," this is the story you were actually looking for.

Should I stop using Passwork?

If you are an individual user, that is a personal risk tolerance call. If you handle credentials for a business, government body, or critical infrastructure, the undisclosed Russian origin plus the shared-code risk is exactly the kind of supply-chain exposure your security policy exists to prevent. Export, rotate, and migrate using the steps above.

What is the best Passwork alternative?

Any manager that passes the six vetting checks in this article: transparent ownership, published independent audits, zero-knowledge encryption, and no undisclosed regional forks. NordPass, Bitwarden, and Proton Pass all clear that bar as of this writing.

Sources: Joint investigation by Investico, NU.nl, De Groene Amsterdammer, Le Monde, and De Tijd, as reported by Cybernews and Investico. Passwork's responses via CEO Alexander Muntyan are included above. Verified July 17, 2026. No evidence of exploitation of the European product has been published as of this date.

TM
T.O. Mercer

T.O. Mercer is a DevSecOps engineer who writes about password security, credential theft, and the practical side of staying safe online. His analysis of 50,000 breached passwords has been cited across the security community. He believes most breaches are boring in the same way: a reused password, a trusted system that trusted too much, and a small failure that spread because nothing stopped it at one account.