Note how LastPass PR offloaded a ton of buzzwords here that don’t actually mean anything. They turned this kind of responses into an art. https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/
Bitwarden at least admits that a fully compromised server isn’t part of their threat model. It’s the same for LastPass, and in the past they’ve rejected vulnerability submissions based on that – there are a number of very simple ways in which a compromised server is able to access your “secure” vault. But they won’t admit it, hoping instead that the message will drown in the noise they produce.
For the sake of completeness: Dashlane’s response is merely generic. 1Password’s response is correct from what I can tell: the “compromised server” scenario has been considered and the risks arising from it are documented, nothing new here.
