Study Finds Password-Recovery Attacks Against Cloud Password Managers Despite Zero-Knowledge Claims
Researchers from ETH Zurich and Università della Svizzera italiana reported a set of password-recovery attacks affecting major cloud password managers Bitwarden, LastPass, and Dashlane, challenging common “zero-knowledge encryption” (ZKE) assurances. The work models a scenario where an attacker controls or compromises the provider-side infrastructure (i.e., a malicious/hacked server) and evaluates whether ZKE design goals still prevent credential exposure.
The study describes 25 total attacks—12 against Bitwarden, 7 against LastPass, and 6 against Dashlane—ranging from vault integrity violations to complete compromise of all vaults in an organization, with many attacks enabling recovery of stored passwords. The researchers attribute the findings to recurring design anti-patterns and cryptographic misconceptions in account recovery and related workflows, warning that server-side compromise can still translate into customer-impacting password theft even when vault data is marketed as “zero-knowledge” protected.
Related Stories

Academic research demonstrates attacks against major cloud password managers
Researchers from **ETH Zurich** and the **Università della Svizzera italiana**, led by **Prof. Kenneth Paterson**, published findings demonstrating **27 successful attacks** against major password managers **Bitwarden**, **LastPass**, and **Dashlane** under a *malicious server* model, where an attacker has compromised the provider’s server. The work challenges the practical guarantees implied by “**zero-knowledge encryption**,” showing that if the server can tamper with what the client receives, some clients may fail to adequately verify integrity and binding between encrypted vault data and associated metadata, enabling vault contents to be exposed or misdirected. The reported techniques include issues described as missing **ciphertext integrity** and insufficient **cryptographic binding** of fields (e.g., URL metadata not being tightly bound to the encrypted secret), enabling attacks such as **field-swap** scenarios where a decrypted password could be sent to an attacker-controlled domain during normal client behavior (e.g., fetching a site icon). Additional attack paths discussed target password-manager features beyond basic storage—such as **account recovery**, **sharing**, and **auto-enrolment** into organizations—reinforcing that password-manager security depends not only on encryption at rest but also on robust client-side validation and threat models that account for server compromise; broader commentary also notes recent, compounding weaknesses in the password ecosystem, including password-manager design assumptions and other emerging password-related risks.
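The binding failure described above can be made concrete with a small model of a vault entry. The following Python is an added illustration and is not code from the researchers or from any of the named products; it uses a toy HMAC-based stream cipher and constructed keys and URLs, and the functions `encrypt_item`, `decrypt_item`, `server_rewrites_url` and `client_fetch` are hypothetical names chosen for the example. It contrasts an entry whose clear-text URL metadata is left outside the integrity tag with one where the URL is carried as associated data, so that a server-side rewrite of the URL is detected before the decrypted secret is used.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys; a real client derives these from the master
# password with a slow KDF (PBKDF2, Argon2, ...).
ENC_KEY = hashlib.sha256(b"constructed-demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-demo-mac-key").digest()


def _keystream(key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 driven in counter mode. Illustration
    # only; a real client would use a vetted AEAD such as AES-GCM or
    # ChaCha20-Poly1305, which provides the associated-data binding natively.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(nonce, ct, aad):
    # Encrypt-then-MAC. The associated data is length-prefixed so that the
    # boundary between aad and ciphertext is unambiguous.
    msg = len(aad).to_bytes(4, "big") + aad + nonce + ct
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()


def encrypt_item(url, password, bind_url):
    """Encrypt a vault entry. bind_url=False models the anti-pattern: the URL
    metadata is stored in clear and is NOT covered by the integrity tag."""
    nonce = secrets.token_bytes(12)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ENC_KEY, nonce, len(pt))))
    aad = url.encode() if bind_url else b""
    return {"url": url, "nonce": nonce, "ct": ct, "tag": _tag(nonce, ct, aad)}


def decrypt_item(item, bind_url):
    """Return the password, or raise if the integrity tag does not verify."""
    aad = item["url"].encode() if bind_url else b""
    if not hmac.compare_digest(item["tag"], _tag(item["nonce"], item["ct"], aad)):
        raise ValueError("integrity check failed: vault item was tampered with")
    ct = item["ct"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, item["nonce"], len(ct)))).decode()


def server_rewrites_url(item, new_url):
    """Model the malicious-server step: the stored record comes back with its
    clear-text URL field replaced; ciphertext and tag are untouched."""
    tampered = dict(item)
    tampered["url"] = new_url
    return tampered


def client_fetch(item, bind_url):
    """Model the client's normal behaviour of using a decrypted entry against
    its URL (e.g. when fetching a site icon). Returns (url, outcome)."""
    try:
        pw = decrypt_item(item, bind_url)
    except ValueError:
        return item["url"], "rejected"
    return item["url"], "used-password:" + pw


def demo():
    original_url = "https://bank.example"       # constructed
    attacker_url = "https://attacker.example"   # constructed
    results = {}
    for bind_url in (False, True):
        item = encrypt_item(original_url, "correct horse battery staple", bind_url)
        tampered = server_rewrites_url(item, attacker_url)
        results["bound" if bind_url else "unbound"] = client_fetch(tampered, bind_url)
    return results


if __name__ == "__main__":
    for mode, (url, outcome) in demo().items():
        print(f"{mode:8s} -> {url}: {outcome}")
```

In the unbound case the tag still verifies after the server rewrites the URL, so the client decrypts the secret and proceeds against the attacker-chosen domain; in the bound case the same rewrite fails verification and the entry is rejected before decryption output is used. The design point is that every field the client acts on (URL, owner, sharing target, organisation membership) needs to be inside the authenticated envelope, not merely stored next to it.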
3 weeks ago
Phishing Campaign Impersonates LastPass and Bitwarden to Distribute Remote Access Tools
Threat actors have launched a sophisticated phishing campaign targeting users of the password managers LastPass and Bitwarden. The attackers send well-crafted emails that falsely claim LastPass or Bitwarden has suffered a security breach, urging recipients to download a new, supposedly more secure desktop version of the password manager. These emails are designed to create a sense of urgency and exploit social engineering tactics, with the goal of tricking users into downloading a malicious binary. Upon execution, the binary silently installs Syncro, a remote monitoring and management (RMM) tool commonly used by managed service providers. Once Syncro is installed, the attackers use it to deploy ScreenConnect, a remote support and access software, enabling them to further compromise the victim's system. This access allows the threat actors to deliver additional malware, steal data, and potentially compromise password vaults stored on the affected machines. The phishing emails are sent from addresses such as ‘hello@lastpasspulse[.]blog’ and ‘hello@lastpasjournal[.]blog’, and they mimic official security alerts from LastPass and Bitwarden. The messages claim that older .exe installations of the password managers are vulnerable and that users must upgrade to a new MSI installer to protect their vault data. LastPass has publicly denied any breach of its systems, clarifying that the emails are fraudulent and part of a social engineering scheme. The campaign began over a weekend, likely to take advantage of reduced staffing and slower detection during the holiday period. Bitwarden users have also been targeted with similar phishing emails, indicating a broad scope for the campaign. The attackers' use of legitimate remote access tools like Syncro and ScreenConnect makes detection and remediation more challenging for victims. The campaign follows a similar pattern to previous phishing attacks against users of other password managers, such as 1Password. 
Security experts warn that the use of trusted brand names and plausible security narratives increases the likelihood of user compromise. Organizations are advised to educate users about the risks of unsolicited security alerts and to verify any requests for software updates directly with the vendor. The incident highlights the ongoing threat posed by phishing campaigns that leverage trusted brands and remote access tools to gain control over user systems and sensitive data. Both LastPass and Bitwarden have issued statements to reassure users and provide guidance on identifying and avoiding these phishing attempts. The campaign demonstrates the evolving tactics of cybercriminals in targeting password manager users, who often have access to highly sensitive credentials. Security teams should monitor for unauthorized installations of RMM tools and implement controls to prevent lateral movement and data exfiltration. The incident underscores the importance of layered security defenses and user awareness training in mitigating the impact of phishing attacks.
5 months ago
Corporate Cloud Data Breaches via Infostealer-Harvested Credentials
A threat actor known as **Zestix** has systematically breached dozens of major global enterprises by exploiting credentials harvested from infostealer malware such as RedLine, Lumma, and Vidar. These infostealers, often distributed through malvertising or phishing, collect login data from infected employee devices, which is then aggregated and sold or used on underground forums. Zestix specifically targeted cloud file-sharing platforms including ShareFile, Nextcloud, and OwnCloud, gaining unauthorized access to sensitive corporate data across sectors like aviation, defense, healthcare, utilities, and government. The breaches were enabled by the widespread absence of Multi-Factor Authentication (MFA), allowing attackers to use valid credentials—some of which had been exposed for years—to access and exfiltrate terabytes of confidential information. Security researchers from multiple firms, including Hudson Rock and InfoStealers, highlighted that Zestix operates as an initial access broker, auctioning access to compromised cloud environments and datasets. The attacks underscore a critical security gap: organizations' failure to implement or enforce MFA and to regularly rotate credentials, leaving them vulnerable to credential-based attacks. The scale and persistence of these breaches demonstrate the urgent need for improved credential hygiene and robust access controls to protect cloud-based assets from similar threats.
2 months ago