Cloud Password Managers Vulnerable to Attacks

A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. The attacks can range from minor integrity violations to complete compromise of all vaults in an organization. Researchers identified 12 distinct attacks against Bitwarden, seven against LastPass, and six against Dashlane.

These attacks exploit weaknesses in several areas, including key escrow, item-level encryption, sharing features, and backwards compatibility. However, the three password managers have implemented countermeasures to mitigate the risks highlighted in the research.

1Password, another popular password manager, is also vulnerable to certain attacks but claims it treats these as known architectural limitations. The companies are committed to strengthening their security architectures and evaluating them against advanced threat models.

Despite the vulnerabilities, there is no evidence that any of these issues have been exploited in the wild. The affected companies plan to address the identified issues and improve their security measures.

Source: https://thehackernews.com/2026/02/study-uncovers-25-password-recovery.html