Overview
- Researchers from ETH Zurich and USI documented 27 attacks—12 on Bitwarden, 7 on LastPass, and 6 on Dashlane—across services used by roughly 60 million users.
- Under a malicious-server model, the researchers recovered or altered stored credentials during routine actions such as login, vault opening, viewing entries, or syncing.
- Root causes include missing ciphertext integrity and cryptographic binding, legacy-compatibility downgrades, and feature complexity around recovery and sharing.
- Following a 90-day disclosure, Dashlane and Bitwarden released fixes that remove legacy cryptography and harden clients, while LastPass reports ongoing hardening.
- The researchers found 1Password’s device-held Secret Key largely thwarts these server-side attacks and recommend users favor managers with extra client-held secrets or hardware security keys.
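As an added illustration of the "missing ciphertext integrity and cryptographic binding" root cause above, the Go code below (written for this summary, not taken from the paper or from any of the named products) shows one client-side mitigation: an AEAD whose associated data binds each vault entry to its ids and scheme version, so a server that re-serves a ciphertext under another entry, tampers with it, or lowers its version tag gets a decryption error instead of a credential. The key, ids and header layout are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Constructed 32-byte key; a real client derives it from the master password.
var vaultKey = []byte("0123456789abcdef0123456789abcdef")
// EntryHeader is bound into each ciphertext as associated data (ids + scheme version).
type EntryHeader struct {
	VaultID, EntryID uint32
	Version          uint8 // crypto scheme version; a lower value is a downgrade
}
func (h EntryHeader) bytes() []byte {
	b := make([]byte, 9)
	binary.BigEndian.PutUint32(b[0:4], h.VaultID)
	binary.BigEndian.PutUint32(b[4:8], h.EntryID)
	b[8] = h.Version
	return b
}
// NewVaultAEAD builds the AES-256-GCM instance the client uses for its vault.
func NewVaultAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one credential; output is nonce || ciphertext || tag.
func Seal(gcm cipher.AEAD, h EntryHeader, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, h.bytes()), nil
}

// Open rejects any tamper, swap to another entry id, or version downgrade.
func Open(gcm cipher.AEAD, h EntryHeader, sealed []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed entry too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], h.bytes())
}
```

Because the header is authenticated rather than encrypted, the server still sees the ids it needs for storage and sync, but cannot change them without the client noticing.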