#Tag · bonfire.cafe

🚨 New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised. ⚠️

🔑 LastPass, Dashlane & Bitwarden were identified as being affected, this is significant because cloud password managers commonly claim that their user's data would be unaffected if they were compromised. 👾

#privacy #security #passwordmanager

https://www.theregister.com/2026/02/16/password_managers/

Password managers don’t protect secrets if pwned

: Researchers demo weaknesses affecting some of the most popular options

Privacy Guides

@privacyguides@mastodon.neat.computer · last week

✅ Dashlane & Bitwarden promptly issued fixes.

❌ LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zürich team."

💡In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.

The best time to switch from LastPass was yesterday; the second best is today. 🗑️

Here's what we recommend ⬇️

#lastpass #security

Dan Goodin boosted

Yellow Flag

@WPalant@infosec.exchange · last week

Note how LastPass PR offloaded a ton of buzzwords here that don’t actually mean anything. They turned this kind of responses into an art. https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/

Bitwarden at least admits that a fully compromised server isn’t part of their threat model. It’s the same for LastPass, and in the past they’ve rejected vulnerability submissions based on that – there are a number of very simple ways in which a compromised server is able to access your “secure” vault. But they won’t admit it, hoping instead that the message will drown in the noise they produce.

For the sake of completeness: Dashlane’s response is merely generic. 1Password’s response is correct from what I can tell: the “compromised server” scenario has been considered and the risks arising from it are documented, nothing new here.

#LastPass #infosec

Ars Technica

Password managers' promise that they can't see your vaults isn't always true

Contrary to what password managers say, a server compromise can mean game over.

Yellow Flag

@WPalant@infosec.exchange · last week

#LastPass #infosec

Ars Technica

Password managers' promise that they can't see your vaults isn't always true

Contrary to what password managers say, a server compromise can mean game over.

Sascha Foerster :bonndigital: boosted

Martin Steiger 🚀

@martinsteiger@chaos.social · 2 weeks ago

#Bitwarden, #Dashlane und #LastPass mit Sicherheitslücken! 🚨

ETH-Forscher haben diese drei Passwort-Manager unter die Lupe genommen und das Ergebnis ist unerfreulich:

«Forschende der ETH Zürich haben bei drei populären, cloudbasierten Passwortmanagern gravierende Sicherheitslücken entdeckt. In Tests konnten sie gespeicherte Passwörter einsehen und sogar verändern.»

https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html

ETH Zürich

Passwortmanager bieten weniger Schutz als versprochen

Forschende der ETH Zürich haben bei drei populären, cloudbasierten Passwortmanagern gravierende Sicherheitslücken entdeckt. In Tests konnten sie gespeicherte Passwörter einsehen und sogar verändern.

Martin Steiger 🚀

@martinsteiger@chaos.social · 2 weeks ago

#Bitwarden, #Dashlane und #LastPass mit Sicherheitslücken! 🚨

ETH-Forscher haben diese drei Passwort-Manager unter die Lupe genommen und das Ergebnis ist unerfreulich:

https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html

ETH Zürich

Passwortmanager bieten weniger Schutz als versprochen

Esparta :ruby:

@esparta@ruby.social · last month

I just learnt that #1Password dunks in #LastPass if you migrate your vault

This is the first time a retrieve one of the secrets... and I was received with a big red square that reads:

> Imported from LastPass

> LastPass suffered a data breach in August 2022. Change your password to keep your account safe.

- Change password on website
- Ignore

An screenshot of my #1Password, which our $CURRENT_EMPLOYER just recently migrated from #LastPass

in big red square it reads:

Imported from LastPass

LastPass suffered a data breach in August 2022. Change your password to keep your account safe.

< two buttons>

- Change password on website
- Ignore — An screenshot of my #1Password, which our $CURRENT_EMPLOYER just recently migrated from #LastPass in big red square it reads: Imported from LastPass LastPass suffered a data breach in August 2022. Change your password to keep your account safe. < two buttons> - Change password on website - Ignore

Em :official_verified: and 3 others boosted

Neil Brown

@neil@mastodon.neilzone.co.uk · 3 months ago

UK data protection fine for password manager LastPass:

> Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/

#GDPR #DataProtection #LastPass

Neil Brown

@neil@mastodon.neilzone.co.uk · 3 months ago

UK data protection fine for password manager LastPass:

> Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/

#GDPR #DataProtection #LastPass

Natha

@natha@fosstodon.org · 6 months ago

Are you using a password manager from
@1password, @bitwarden, @dashlane, #EnPass, #iCloud Passwords, @KeeperSecurity, #LastPass, @nordpass @protonprivacy or @roboform ?

Then you better check this and make sure that your web browser extension is up to date: https://marektoth.com/blog/dom-based-extension-clickjacking/

#cybersecurity #InfoSec #passwords #PasswordManager