Password Manager Security and Trust: Bitwarden ‘Cupid Vault’ Launch and LastPass Post-Breach Rebuild
Bitwarden launched ‘Cupid Vault’, a feature aimed at safer credential sharing by letting free-tier users create a two-person shared vault as an Organization and invite a trusted person via email. The shared vault is isolated from the user’s personal vault, supports revocation of access, and includes a fingerprint phrase verification step intended to reduce adversary-in-the-middle enrollment risks; both members can edit or delete items in the shared collection.
LastPass’s CEO described the company’s ongoing effort to rebuild trust and security culture following the 2022 intrusions, which began with access to parts of the development environment via a compromised developer account and theft of source code/technical data. LastPass said information from that initial compromise enabled subsequent access to customer-related data, including customer account metadata (e.g., names, billing addresses, emails, phone numbers, IP addresses) and a backup copy of encrypted customer vault data, framing the incident as a catalyst for significant security program changes.
Sources
Related Stories
Academic research demonstrates attacks against major cloud password managers
Researchers from **ETH Zurich** and the **Università della Svizzera italiana**, led by **Prof. Kenneth Paterson**, published findings demonstrating **27 successful attacks** against major password managers **Bitwarden**, **LastPass**, and **Dashlane** under a *malicious server* model, where an attacker has compromised the provider’s server. The work challenges the practical guarantees implied by “**zero-knowledge encryption**,” showing that if the server can tamper with what the client receives, some clients may fail to adequately verify integrity and binding between encrypted vault data and associated metadata, enabling vault contents to be exposed or misdirected. The reported techniques include issues described as missing **ciphertext integrity** and insufficient **cryptographic binding** of fields (e.g., URL metadata not being tightly bound to the encrypted secret), enabling attacks such as **field-swap** scenarios where a decrypted password could be sent to an attacker-controlled domain during normal client behavior (e.g., fetching a site icon). Additional attack paths discussed target password-manager features beyond basic storage—such as **account recovery**, **sharing**, and **auto-enrolment** into organizations—reinforcing that password-manager security depends not only on encryption at rest but also on robust client-side validation and threat models that account for server compromise; broader commentary also notes recent, compounding weaknesses in the password ecosystem, including password-manager design assumptions and other emerging password-related risks.
3 weeks agoPhishing Campaign Impersonates LastPass and Bitwarden to Distribute Remote Access Tools
Threat actors have launched a sophisticated phishing campaign targeting users of the password managers LastPass and Bitwarden. The attackers send well-crafted emails that falsely claim LastPass or Bitwarden has suffered a security breach, urging recipients to download a new, supposedly more secure desktop version of the password manager. These emails are designed to create a sense of urgency and exploit social engineering tactics, with the goal of tricking users into downloading a malicious binary. Upon execution, the binary silently installs Syncro, a remote monitoring and management (RMM) tool commonly used by managed service providers. Once Syncro is installed, the attackers use it to deploy ScreenConnect, a remote support and access software, enabling them to further compromise the victim's system. This access allows the threat actors to deliver additional malware, steal data, and potentially compromise password vaults stored on the affected machines. The phishing emails are sent from addresses such as ‘hello@lastpasspulse[.]blog’ and ‘hello@lastpasjournal[.]blog’, and they mimic official security alerts from LastPass and Bitwarden. The messages claim that older .exe installations of the password managers are vulnerable and that users must upgrade to a new MSI installer to protect their vault data. LastPass has publicly denied any breach of its systems, clarifying that the emails are fraudulent and part of a social engineering scheme. The campaign began over a weekend, likely to take advantage of reduced staffing and slower detection during the holiday period. Bitwarden users have also been targeted with similar phishing emails, indicating a broad scope for the campaign. The attackers' use of legitimate remote access tools like Syncro and ScreenConnect makes detection and remediation more challenging for victims. The campaign follows a similar pattern to previous phishing attacks against users of other password managers, such as 1Password. Security experts warn that the use of trusted brand names and plausible security narratives increases the likelihood of user compromise. Organizations are advised to educate users about the risks of unsolicited security alerts and to verify any requests for software updates directly with the vendor. The incident highlights the ongoing threat posed by phishing campaigns that leverage trusted brands and remote access tools to gain control over user systems and sensitive data. Both LastPass and Bitwarden have issued statements to reassure users and provide guidance on identifying and avoiding these phishing attempts. The campaign demonstrates the evolving tactics of cybercriminals in targeting password manager users, who often have access to highly sensitive credentials. Security teams should monitor for unauthorized installations of RMM tools and implement controls to prevent lateral movement and data exfiltration. The incident underscores the importance of layered security defenses and user awareness training in mitigating the impact of phishing attacks.
5 months agoPhishing Campaigns Impersonate LastPass to Steal Credentials and Deploy Remote Access Tools
Threat actors have launched sophisticated phishing campaigns impersonating *LastPass* to trick users into revealing their master passwords and, in some cases, to install remote access tools. One campaign, attributed to the financially motivated group **CryptoChameleon (UNC5356)**, sends emails claiming a family member has requested access to the victim's LastPass vault via a fabricated death certificate, exploiting the service's emergency access feature. Victims are directed to fraudulent sites mimicking LastPass, where they are prompted to enter their credentials or passkeys. In some instances, attackers have also called victims while posing as LastPass staff to further legitimize the scam. A separate but related campaign targets users of both *LastPass* and *Bitwarden* with fake breach notifications, urging them to download a "secure" desktop version of the password manager. The download actually installs the Syncro remote monitoring and management (RMM) tool, which is then used to deploy ScreenConnect for remote access. This allows attackers to steal data, deploy additional malware, and potentially access password vaults. Both LastPass and Syncro have taken steps to warn users and disrupt the malicious infrastructure, emphasizing that no legitimate communication will ever request a master password and advising users to verify suspicious emails.
4 months ago