Researchers expose 25 recovery attacks against leading cloud password managers
A joint ETH Zurich/USI study identifies 25 distinct password-recovery/related attacks across major cloud password managers (Bitwarden, Dashlane, LastPass; with 1Password also noted for some flaws). Attacks span four categories: exploiting key escrow in account recovery, weaknesses in item-level encryption and metadata, vulnerabilities in sharing features, and downgrades due to legacy code. In total, 12 attacks hit Bitwarden, 7 LastPass, and 6 Dashlane; 1Password was linked to item-level and sharing flaws as known limitations. Vendors have issued patches or mitigations (e.g., Dashlane removing legacy crypto, Bitwarden remediation, LastPass hardening, 1Password using SRP), and there’s no evidence these issues have been exploited in the wild.