
Vulnerabilities in Cloud-Based Password Managers Enable Full Vault Compromise

2 unique sources, 2 articles

Summary


Researchers from ETH Zurich and USI discovered 27 vulnerabilities in Bitwarden, LastPass, Dashlane, and 1Password that could allow attackers to view and modify stored passwords. The flaws challenge the 'zero-knowledge encryption' claims of these services, with attacks ranging from integrity violations to complete vault compromise. The vulnerabilities were disclosed to the vendors, and remediation is underway. The researchers developed attack scenarios exploiting key escrow, vault encryption, sharing, and backwards compatibility features. Bitwarden was found to have a critical flaw in its organization onboarding process, allowing malicious auto-enrolment attacks. 1Password's use of a high-entropy cryptographic key provides it with a security advantage. Dashlane patched a downgrade attack vulnerability in November 2025. Bitwarden is addressing seven issues and accepting three as intentional design decisions. LastPass is working to enhance integrity guarantees.

Timeline

  1. 16.02.2026 20:06 · 1 article

    Vendors Implement Remediation Measures

    Dashlane patched a downgrade attack vulnerability in November 2025. Bitwarden is addressing seven identified issues and accepting three as intentional design decisions. LastPass is working to add stronger integrity guarantees to cryptographically bind items, fields, and metadata. 1Password regards the vulnerabilities as arising from known architectural limitations.

  2. 16.02.2026 19:15 · 2 articles

    Researchers Disclose 27 Vulnerabilities in Cloud-Based Password Managers

    Researchers from ETH Zurich and USI disclosed 27 vulnerabilities in Bitwarden, LastPass, Dashlane, and 1Password that could allow attackers to view and modify stored passwords. The flaws challenge the 'zero-knowledge encryption' claims of these services, with attacks ranging from integrity violations to complete vault compromise. The vulnerabilities were disclosed to the vendors, and remediation is underway. The article provides additional details on the specific attack scenarios and the remediation efforts by the vendors.


Similar Happenings

Near-Identical Password Reuse Persists as Underrated Security Risk

Near-identical password reuse, where users make small, predictable changes to passwords, remains a significant security risk despite established password policies. This practice, often a workaround for managing multiple credentials, is exploited by attackers using automated tools to infer and compromise accounts. The risk is amplified by inconsistent policy enforcement and the predictable nature of user password modifications.

UK ICO fines LastPass £1.2 million for 2022 data breach affecting 1.6 million users

The UK Information Commissioner's Office (ICO) fined LastPass £1.2 million for security failures that led to a 2022 breach impacting up to 1.6 million UK users. The breach involved two interconnected incidents starting in August 2022, in which an attacker stole personal information and encrypted password vaults. The ICO found that LastPass failed to implement adequate security measures to prevent the breach. The attacker initially compromised a LastPass employee's laptop, gaining access to the company's development environment. The following day, the attacker targeted a senior employee by exploiting a vulnerability in a third-party streaming application, capturing the employee's master password and bypassing multi-factor authentication. This allowed the attacker to steal an Amazon Web Services access key and a decryption key, which were used to breach the cloud storage firm GoTo and steal LastPass database backups. The stolen data included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts. The ICO emphasized that while LastPass' Zero Knowledge architecture prevented the decryption of customer password vaults, the company failed to meet its obligation to protect customer data. The breach has enabled bad actors to take advantage of weak master passwords to crack the encrypted vaults and drain cryptocurrency assets as recently as late 2025. Evidence points to the involvement of Russian cybercriminal actors, with one of the Russian exchanges receiving LastPass-linked funds as recently as October. More than $35 million in siphoned digital assets have been traced, of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Another $7 million has been linked to a subsequent wave detected in September 2025.

SOAPwn Vulnerability in .NET Framework Enables Remote Code Execution

A critical vulnerability, codenamed SOAPwn, in the .NET Framework allows attackers to achieve remote code execution by manipulating Web Services Description Language (WSDL) imports and HTTP client proxies. The flaw impacts multiple enterprise applications, including Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. Exploiting SOAPwn can lead to arbitrary file writes and NTLM relay attacks. Microsoft has declined to patch the issue, attributing it to application behavior. The vulnerability was disclosed at the Black Hat Europe security conference by WatchTowr Labs researcher Piotr Bazydlo. Affected vendors have released patches to address the flaw.

Password Security Best Practices for Operational Technology (OT) Systems

Operational Technology (OT) systems, which control critical infrastructure such as energy plants and manufacturing facilities, face unique cybersecurity challenges due to their direct interaction with physical systems. These challenges include outdated hardware, shared accounts, remote access vulnerabilities, and the increasing intermingling of IT and OT systems. Strong password policies are essential to mitigate these risks, as weak passwords can lead to severe consequences, including physical dangers and operational disruptions.

Synced Passkeys Vulnerable to Enterprise Attacks

Synced passkeys, which are credentials stored in an authenticator and synced across devices through cloud services, pose significant security risks for enterprises. These risks include cloud account takeovers, authentication downgrade attacks, and browser-based security vulnerabilities. Device-bound passkeys in hardware security keys offer higher assurance and better administrative control, and should be mandatory for enterprise access use cases. Synced passkeys shift the trust boundary to cloud accounts and recovery workflows, expanding the attack surface. Adversaries can exploit these vulnerabilities to gain unauthorized access to enterprise systems. Organizations should prioritize device-bound passkeys to enhance security.