Researchers Urge Password Manager Giants to Strengthen Security After Severe Flaws Discovered
Security researchers at ETH Zurich have identified serious vulnerabilities in three of the world’s most widely used password managers — Bitwarden, LastPass, and Dashlane — potentially affecting up to 60 million users.
The academic team analyzed the internal architecture of the platforms, which together account for roughly 23% of the global password manager market. Their findings revealed multiple attack vectors that challenge long-standing claims about “zero-knowledge encryption.”
Zero-Knowledge Encryption Put to the Test
Password managers often advertise zero-knowledge encryption, meaning providers cannot access users’ stored data because it is encrypted before reaching company servers.
However, ETH Zurich researchers demonstrated that under certain server-compromise scenarios, attackers could manipulate stored vault data, alter passwords, and potentially gain unauthorized access. The team simulated hacked password manager servers in a controlled environment to test these possibilities.
The study identified:
- 12 potential attacks affecting Bitwarden
- 7 affecting LastPass
- 6 affecting Dashlane
Researchers described the severity of some vulnerabilities as surprising, noting that complex system architecture may have increased the attack surface.
Complexity and Legacy Cryptography
According to the researchers, efforts to improve usability — such as password recovery, account sharing, and backward compatibility — contributed to increasingly complex codebases.
Some systems relied on outdated cryptographic mechanisms to maintain compatibility with older setups. While this improves user convenience, it may weaken overall security.
The team recommended that password manager providers adopt the most up-to-date cryptographic standards for new users and offer existing customers the option to migrate to stronger systems while clearly communicating associated risks.
Researchers also urged companies to more accurately describe the security guarantees of their platforms instead of relying on broad claims.
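The two risks the article raises in this section and the one before it, a compromised server that alters or swaps stored vault records and legacy cryptographic parameters kept for backward compatibility, are easier to reason about with a concrete client model. The following is an added illustration written for this page; it is not code from the ETH Zurich study or from Bitwarden, LastPass or Dashlane, and the record format, the manifest, the `MIN_PBKDF2_ITERATIONS` floor and the scenario data are all assumptions. The HMAC-based stream cipher stands in for a real AEAD such as AES-GCM only so the example runs on the Python standard library. It shows three client-side checks that keep "the server cannot read or change your data" true even when the server is hostile: each ciphertext is bound to its entry id and field name, a versioned manifest MAC covers the whole vault, and the client refuses key-derivation parameters below its own floor.

```python
"""Added illustration (not the study's or any vendor's code): a client-side vault
model that detects server-side tampering, rollback and KDF downgrade."""
import hashlib
import hmac
import json
import secrets

MIN_PBKDF2_ITERATIONS = 600_000   # assumed client-enforced floor, illustrative policy


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Derive (enc_key, mac_key) from the master password, refusing weak parameters.
    A compromised server could advertise a low iteration count for 'compatibility';
    enforcing the floor on the client side defeats that downgrade."""
    if iterations < MIN_PBKDF2_ITERATIONS:
        raise ValueError("refusing KDF parameters below the client floor")
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    enc_key = hmac.new(root, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for a real AEAD cipher.
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _associated_data(entry_id: str, field: str) -> bytes:
    # JSON-delimited so ("ab", "c") and ("a", "bc") cannot collide.
    return json.dumps([entry_id, field]).encode()


def seal(enc_key, mac_key, entry_id, field, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with the entry id and field name bound into the tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _associated_data(entry_id, field) + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(enc_key, mac_key, entry_id, field, record: dict) -> bytes:
    """Verify the tag under the expected associated data before decrypting."""
    nonce, ct, tag = (bytes.fromhex(record[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, _associated_data(entry_id, field) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError(f"{entry_id}.{field}: record failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_manifest(mac_key, version: int, entries: dict) -> dict:
    """MAC over the vault version and every record tag, so dropped, swapped or
    rolled-back records are visible to the client even if each record verifies."""
    summary = {eid: {f: rec["tag"] for f, rec in fields.items()} for eid, fields in entries.items()}
    body = json.dumps({"version": version, "entries": summary}, sort_keys=True).encode()
    return {"version": version, "mac": hmac.new(mac_key, body, hashlib.sha256).hexdigest()}


def check_vault(mac_key, manifest: dict, entries: dict, last_seen_version: int) -> str:
    expected = build_manifest(mac_key, manifest["version"], entries)["mac"]
    if not hmac.compare_digest(expected, manifest["mac"]):
        return "manifest tampered"
    if manifest["version"] < last_seen_version:
        return "rollback"
    return "ok"


def simulate_compromised_server() -> dict:
    """Constructed scenario: a two-entry vault, then three server-side manipulations
    of the kind the article describes, reporting what the client detects."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys("correct horse battery staple", salt, MIN_PBKDF2_ITERATIONS)
    entries = {
        "bank": {"password": seal(enc_key, mac_key, "bank", "password", b"bank-secret-1")},
        "forum": {"password": seal(enc_key, mac_key, "forum", "password", b"forum-secret-2")},
    }
    manifest_v1 = build_manifest(mac_key, 1, entries)
    results = {"clean": check_vault(mac_key, manifest_v1, entries, 1)}

    # 1. Server swaps the two password records. The manifest no longer matches, and
    #    even without it the associated data stops the forum record opening as "bank".
    swapped = {"bank": {"password": entries["forum"]["password"]},
               "forum": {"password": entries["bank"]["password"]}}
    results["swap_manifest"] = check_vault(mac_key, manifest_v1, swapped, 1)
    try:
        unseal(enc_key, mac_key, "bank", "password", swapped["bank"]["password"])
        results["swap_record"] = "accepted"
    except ValueError:
        results["swap_record"] = "rejected"

    # 2. Server replays the old snapshot after the user rotated the bank password.
    rotated = {**entries, "bank": {"password": seal(enc_key, mac_key, "bank", "password", b"bank-secret-3")}}
    results["current"] = check_vault(mac_key, build_manifest(mac_key, 2, rotated), rotated, 2)
    results["rollback"] = check_vault(mac_key, manifest_v1, entries, 2)

    # 3. Server advertises a legacy iteration count to the client.
    try:
        derive_keys("correct horse battery staple", salt, 5_000)
        results["downgrade"] = "accepted"
    except ValueError:
        results["downgrade"] = "rejected"
    return results


if __name__ == "__main__":
    print(json.dumps(simulate_compromised_server(), indent=2))
```

The per-record tag alone is not enough: a server that simply serves yesterday's vault hands the client records that all verify individually, which is why the manifest carries a version the client compares against the last one it saw. The same pattern (per-record binding plus a vault-wide, versioned integrity check, plus client-enforced minimum parameters) is what lets a provider keep supporting legacy data formats while still giving its "zero-knowledge" claim a precise, testable meaning.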
Industry Response
All three companies acknowledged the research and published responses addressing the concerns.
Dashlane described the study’s methodology as useful and confirmed that it had fixed an issue involving legacy cryptography that could, in theory, allow code injection into secure vaults if a server were fully compromised. The company emphasized that exploiting the flaw would require a complete server takeover combined with highly sophisticated cryptographic attacks over an extended period.
Dashlane and LastPass stated there is no evidence the vulnerabilities have been exploited in real-world attacks. Bitwarden added that it has never suffered a security breach.
LastPass reassured customers that they can continue using the service normally but advised keeping browser extensions and apps updated to the latest versions.
Both Dashlane and Bitwarden highlighted that their source code is publicly available, which allows independent security audits and promotes transparency. Dashlane argued that open review strengthens overall security by holding companies accountable.
Broader Architectural Challenges
Some of the vulnerabilities relate to well-known hard problems in end-to-end encrypted systems, including how clients authenticate the public keys used in vault-sharing features and how transaction-based synchronization is kept consistent.
Dashlane noted that these issues are recognized across the encryption industry and that additional safeguards are already in place to mitigate risks. However, researchers argue that more robust cryptographic standards should be implemented moving forward.
Key Takeaway
While no active exploitation has been reported, the findings highlight how even widely trusted security tools can contain architectural weaknesses. The research underscores the importance of continuous cryptographic upgrades, transparency, and realistic security claims within the password management industry.
This is an important wake-up call for anyone relying on password managers. Even trusted services like Bitwarden, LastPass, and Dashlane can have vulnerabilities, especially when balancing usability and security. Users should ensure their apps are up-to-date, enable all available security features, and follow best practices for account protection. Transparency and stronger cryptography are crucial for the industry to maintain trust.