Academic research demonstrates attacks against major cloud password managers
Researchers from ETH Zurich and the Università della Svizzera italiana, led by Prof. Kenneth Paterson, published findings demonstrating 27 successful attacks against major password managers Bitwarden, LastPass, and Dashlane under a malicious server model, where an attacker has compromised the provider’s server. The work challenges the practical guarantees implied by “zero-knowledge encryption,” showing that if the server can tamper with what the client receives, some clients may fail to adequately verify integrity and binding between encrypted vault data and associated metadata, enabling vault contents to be exposed or misdirected.
The reported techniques include issues described as missing ciphertext integrity and insufficient cryptographic binding of fields (e.g., URL metadata not being tightly bound to the encrypted secret), enabling attacks such as field-swap scenarios where a decrypted password could be sent to an attacker-controlled domain during normal client behavior (e.g., fetching a site icon). Additional attack paths discussed target password-manager features beyond basic storage—such as account recovery, sharing, and auto-enrolment into organizations—reinforcing that password-manager security depends not only on encryption at rest but also on robust client-side validation and threat models that account for server compromise; broader commentary also notes recent, compounding weaknesses in the password ecosystem, including password-manager design assumptions and other emerging password-related risks.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Vendors begin patching after 90-day disclosure period
Following a 90-day coordinated disclosure period, vendors reportedly started addressing the issues. Dashlane and Bitwarden released fixes and removed legacy cryptography to mitigate the disclosed attack paths.
Researchers disclose attack techniques including field-swap and fake organization enrolment
The researchers detailed specific attack methods including a 'field swap' technique that can cause a client to leak a decrypted password to an attacker-controlled server and a 'malicious auto-enrolment' attack that tricks users into joining a fake organization and encrypting key material to an attacker key. They also highlighted KDF downgrade risks caused by backward-compatible legacy cryptography.
Researchers identify 27 server-compromise attacks on password managers
Researchers from ETH Zurich and the Università della Svizzera italiana, led by Professor Kenneth Paterson, found 27 successful attacks against Bitwarden, LastPass, and Dashlane under a malicious-server threat model. The work showed that server compromise can undermine some cloud password managers' 'zero-knowledge encryption' claims through issues such as missing ciphertext integrity, weak cryptographic binding, and legacy cryptography.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Study Finds Password-Recovery Attacks Against Cloud Password Managers Despite Zero-Knowledge Claims
Researchers from **ETH Zurich** and **Università della Svizzera italiana** reported a set of password-recovery attacks affecting major cloud password managers **Bitwarden**, **LastPass**, and **Dashlane**, challenging common “**zero-knowledge encryption**” (ZKE) assurances. The work models a scenario where an attacker controls or compromises the provider-side infrastructure (i.e., a *malicious/hacked server*) and evaluates whether ZKE design goals still prevent credential exposure. The study describes **25 total attacks**—**12** against Bitwarden, **7** against LastPass, and **6** against Dashlane—ranging from **vault integrity violations** to **complete compromise of all vaults in an organization**, with many attacks enabling **recovery of stored passwords**. The researchers attribute the findings to recurring **design anti-patterns** and **cryptographic misconceptions** in account recovery and related workflows, warning that server-side compromise can still translate into customer-impacting password theft even when vault data is marketed as “zero-knowledge” protected.
Mar 21, 2026
Phishing Campaign Impersonates LastPass and Bitwarden to Distribute Remote Access Tools
Threat actors have launched a sophisticated phishing campaign targeting users of the password managers LastPass and Bitwarden. The attackers send well-crafted emails that falsely claim LastPass or Bitwarden has suffered a security breach, urging recipients to download a new, supposedly more secure desktop version of the password manager. These emails are designed to create a sense of urgency and exploit social engineering tactics, with the goal of tricking users into downloading a malicious binary. Upon execution, the binary silently installs Syncro, a remote monitoring and management (RMM) tool commonly used by managed service providers. Once Syncro is installed, the attackers use it to deploy ScreenConnect, a remote support and access software, enabling them to further compromise the victim's system. This access allows the threat actors to deliver additional malware, steal data, and potentially compromise password vaults stored on the affected machines. The phishing emails are sent from addresses such as ‘hello@lastpasspulse[.]blog’ and ‘hello@lastpasjournal[.]blog’, and they mimic official security alerts from LastPass and Bitwarden. The messages claim that older .exe installations of the password managers are vulnerable and that users must upgrade to a new MSI installer to protect their vault data. LastPass has publicly denied any breach of its systems, clarifying that the emails are fraudulent and part of a social engineering scheme. The campaign began over a weekend, likely to take advantage of reduced staffing and slower detection during the holiday period. Bitwarden users have also been targeted with similar phishing emails, indicating a broad scope for the campaign. The attackers' use of legitimate remote access tools like Syncro and ScreenConnect makes detection and remediation more challenging for victims. The campaign follows a similar pattern to previous phishing attacks against users of other password managers, such as 1Password. Security experts warn that the use of trusted brand names and plausible security narratives increases the likelihood of user compromise. Organizations are advised to educate users about the risks of unsolicited security alerts and to verify any requests for software updates directly with the vendor. The incident highlights the ongoing threat posed by phishing campaigns that leverage trusted brands and remote access tools to gain control over user systems and sensitive data. Both LastPass and Bitwarden have issued statements to reassure users and provide guidance on identifying and avoiding these phishing attempts. The campaign demonstrates the evolving tactics of cybercriminals in targeting password manager users, who often have access to highly sensitive credentials. Security teams should monitor for unauthorized installations of RMM tools and implement controls to prevent lateral movement and data exfiltration. The incident underscores the importance of layered security defenses and user awareness training in mitigating the impact of phishing attacks.
Mar 21, 2026
Password Manager Security and Trust: Bitwarden ‘Cupid Vault’ Launch and LastPass Post-Breach Rebuild
Bitwarden launched **‘Cupid Vault’**, a feature aimed at safer credential sharing by letting free-tier users create a two-person shared vault as an *Organization* and invite a trusted person via email. The shared vault is **isolated** from the user’s personal vault, supports revocation of access, and includes a **fingerprint phrase** verification step intended to reduce adversary-in-the-middle enrollment risks; both members can edit or delete items in the shared collection. LastPass’s CEO described the company’s ongoing effort to rebuild trust and security culture following the **2022 intrusions**, which began with access to parts of the development environment via a **compromised developer account** and theft of source code/technical data. LastPass said information from that initial compromise enabled subsequent access to customer-related data, including **customer account metadata** (e.g., names, billing addresses, emails, phone numbers, IP addresses) and a **backup copy of encrypted customer vault data**, framing the incident as a catalyst for significant security program changes.
Mar 21, 2026