Cloud password-manager zero-knowledge attack study exposes vault-recovery and integrity flaws
Technical Analysis
Summary
A new password-manager security study found 25 attack classes against Bitwarden, LastPass, Dashlane, and 1Password, undermining zero-knowledge encryption assumptions and exposing reusable design flaws. The findings matter because they range from vault integrity violations to complete compromise of all organizational vaults. Vendors say mitigations are in progress, but the research shows several core architectures still allow recovery and downgrade paths.
Related Happenings
Bitwarden hit by network compromise
Incident
First: 23.04.2026 22:21
Last: 23.04.2026 22:21
Sources 1
About this happening:
**Bitwarden**'s **@bitwarden/cli** distribution channel was compromised when a malicious package briefly appeared on **npm**, putting developers who installed it at risk of **cred...
Bitwarden LastPass Dashlane and 1Password vault compromise flaws security flaw
Vulnerability
First: 16.02.2026 19:15
Last: 16.02.2026 19:15
Sources 1
About this happening:
**Bitwarden, LastPass, Dashlane and 1Password** were found to have **cloud password manager vulnerabilities** that could let an attacker **view, change, recover, or delete vault p...
LastPass customer password vault backups exposed
Data Leak
First: 05.01.2026 11:30
Last: 05.01.2026 11:30
Sources 1
About this happening:
The **2022 LastPass data leak** exposed backups of about **30 million customer password vaults**, leaving more than **25 million users** with a **long-tail risk** of offline crack...
Timeline
- 16.02.2026 20:06 · 2 articles
Study discloses malicious-server attacks against cloud password managers
Initial Disclosure: ETH Zurich and Università della Svizzera italiana disclosed a malicious-server study showing password recovery attacks against Bitwarden, LastPass, Dashlane, and 1Password, including 12 attacks against Bitwarden, 7 against LastPass, and 6 against Dashlane, with effects ranging from integrity violations and metadata leakage to KDF downgrade and potential organization-wide vault compromise. Dashlane said a November 2025 fix in Dashlane Extension version 6.2544.1 removed support for legacy cryptography methods; Bitwarden said seven issues were resolved or in active remediation; LastPass said it is strengthening integrity guarantees and hardening admin password reset and sharing workflows; and 1Password said the findings matched already documented architectural limitations.
- Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers — thehackernews.com — 16.02.2026 20:06