Researchers expose 25 recovery attacks against leading cloud password managers

A joint ETH Zurich/USI study identifies 25 distinct password-recovery and related attacks across major cloud password managers (Bitwarden, Dashlane, LastPass; 1Password is also noted for some flaws). The attacks fall into four categories: exploiting key escrow in account recovery, weaknesses in item-level encryption and metadata, vulnerabilities in sharing features, and downgrades caused by legacy code. In total, 12 attacks affect Bitwarden, 7 LastPass, and 6 Dashlane; 1Password was linked to item-level and sharing flaws that are treated as known limitations. Vendors have issued patches or mitigations (e.g., Dashlane removing legacy crypto, Bitwarden remediation, LastPass hardening, 1Password using SRP), and there is no evidence that these issues have been exploited in the wild.
- Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers (The Hacker News)
- Password managers less secure than promised (ETH Zürich)
- Password managers don’t protect secrets if pwned (theregister.com)
- Exploitable Flaws Found in Cloud-Based Password Managers (Bank Information Security)
- Swiss researchers find password manager security gaps (SWI swissinfo.ch)