Researchers Expose Major Security Gaps in Leading Password Managers
Academic study from ETH Zurich reveals critical flaws in three major password managers, affecting 60 million users worldwide.

Dateline: February 17, 2026
A team from ETH Zurich and Università della Svizzera italiana has identified 25 distinct attack methods that could compromise user passwords stored in Bitwarden, LastPass, and Dashlane—three of the most widely used cloud-based password managers.
The findings challenge vendor claims about "zero-knowledge encryption," where companies promise that even if their servers are breached, attackers can't access user data. The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane, affecting approximately 60 million users and nearly 125,000 businesses.
The research team's threat model is a breached backend: they ran their own servers standing in for a compromised password manager server and assumed it would behave maliciously. They then tested whether each client's encryption still protected the vault once the infrastructure was fully under attacker control.
The attacks fell into four categories: flaws in account recovery mechanisms, weaknesses in how individual passwords are encrypted, vulnerabilities in password-sharing features, and problems with backward compatibility for older encryption standards.
Most attacks required only routine user actions like logging in, opening a vault, viewing passwords, or syncing data—nothing suspicious that would raise red flags.
Kenneth Paterson, computer science professor at ETH Zurich, expressed surprise at the results. "We were surprised by the severity of the security vulnerabilities. Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before," he stated.
The vulnerabilities range from letting an attacker modify specific passwords to fully compromising every password in an organization's vault. Seven of the 12 Bitwarden attacks led to password disclosure, compared with three of the LastPass attacks and one of the Dashlane attacks.
One particularly concerning attack targeted Bitwarden's organization onboarding process, where an adversary controlling the server could silently hijack a user's vault the moment they accepted an invitation, even from a trusted source.
The researchers noted a troubling pattern: many vendors still support outdated encryption methods dating from the 1990s. Developers are hesitant to retire them because a migration that goes wrong could lock customers out of their passwords and other personal data, so the legacy paths stay reachable, and a malicious server can steer clients toward them.
All three companies were notified following responsible disclosure protocols. Bitwarden received notice in January 2025, LastPass in June 2025, and Dashlane in August 2025. Dashlane patched an issue where a successful compromise of its servers could have allowed a downgrade of the encryption model, with the fix released in Dashlane Extension version 6.2544.1 in November 2025.
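The downgrade class of attack described above works because the client lets the server dictate which encryption parameters to use. The following is an added illustration for this article, not code from Bitwarden, LastPass, Dashlane or the ETH Zurich study: a vault client that treats server-supplied key-derivation parameters as untrusted, enforcing an algorithm allow-list, an absolute work-factor floor, and a ratchet against the last profile it accepted. The profile names, iteration counts and the "legacy" PBKDF2-SHA1 stand-in are assumptions chosen for the example.

```python
"""Illustrative downgrade-resistant handling of server-supplied KDF parameters.

Added example for this article; it is NOT code from Bitwarden, LastPass,
Dashlane or the ETH Zurich study. Profile names, iteration counts and the
message shape are assumptions chosen for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KdfProfile:
    """Key-derivation parameters a cloud vault server sends the client at login."""
    algorithm: str    # e.g. "pbkdf2-sha256"; "pbkdf2-sha1" stands in for a legacy choice
    iterations: int


# Assumed client-side policy: the server may raise the work factor, never lower it.
ALLOWED_ALGORITHMS = {"pbkdf2-sha256"}
MIN_ITERATIONS = 600_000  # floor for PBKDF2-HMAC-SHA256 in this example

# Constructed profiles: what the client last accepted, a legitimate upgrade,
# and what a compromised server might push to force weaker encryption.
CURRENT_PROFILE = KdfProfile("pbkdf2-sha256", 600_000)
UPGRADED_PROFILE = KdfProfile("pbkdf2-sha256", 1_000_000)
LEGACY_PROFILE = KdfProfile("pbkdf2-sha1", 5_000)


class DowngradeRefused(Exception):
    """Raised when the server proposes weaker parameters than the client will accept."""


def validate_server_kdf(last_accepted: KdfProfile, proposed: KdfProfile) -> KdfProfile:
    """Accept server-supplied KDF parameters only if they meet the floor and never regress.

    Three independent checks: algorithm allow-list, absolute minimum work factor,
    and a ratchet against the profile persisted locally from the last successful login.
    """
    if proposed.algorithm not in ALLOWED_ALGORITHMS:
        raise DowngradeRefused(f"algorithm {proposed.algorithm!r} not allowed")
    if proposed.iterations < MIN_ITERATIONS:
        raise DowngradeRefused(
            f"{proposed.iterations} iterations below floor {MIN_ITERATIONS}")
    if proposed.iterations < last_accepted.iterations:
        raise DowngradeRefused("server proposed fewer iterations than previously accepted")
    return proposed


def derive_vault_key(password: bytes, salt: bytes, profile: KdfProfile) -> bytes:
    """Derive the 256-bit vault key from an already validated profile."""
    hash_name = profile.algorithm.split("-", 1)[1]  # "pbkdf2-sha256" -> "sha256"
    return hashlib.pbkdf2_hmac(hash_name, password, salt, profile.iterations, dklen=32)


def unlock_vault(password: bytes, salt: bytes, last_accepted: KdfProfile,
                 server_profile: KdfProfile) -> bytes:
    """Login path: validate what the server sent before deriving any key from it."""
    profile = validate_server_kdf(last_accepted, server_profile)
    return derive_vault_key(password, salt, profile)


if __name__ == "__main__":
    pw, salt = b"correct horse battery staple", b"\x00" * 16  # constructed inputs
    key = unlock_vault(pw, salt, CURRENT_PROFILE, UPGRADED_PROFILE)
    print("upgrade accepted, key length", len(key))
    try:
        unlock_vault(pw, salt, CURRENT_PROFILE, LEGACY_PROFILE)
    except DowngradeRefused as exc:
        print("downgrade refused:", exc)
```

The point of the ratchet is that the floor alone is not enough: a server that once legitimately raised the work factor could later "lower" it back to the floor, so the client should persist the strongest profile it has accepted and refuse anything weaker, failing closed rather than silently deriving a weaker key.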
There's no evidence these vulnerabilities have been exploited in the wild, though the researchers couldn't rule out the possibility that advanced threat actors already knew about these attacks.
If you rely on a password manager, don't panic—the researchers still recommend using one. Matilda Backendal, one of the study's authors, confirmed, "My recommendation is still to use a password manager, and I don't think users should be afraid of cloud-based ones".
Here's what you should do:
Choose audited providers. Paterson recommends choosing a password manager that is transparent about potential security vulnerabilities, undergoes external audits and has end-to-end encryption enabled by default.
Verify vendor response. Check if your password manager provider has addressed the findings. Bitwarden stated that seven issues have been resolved or are in active remediation. LastPass implemented multiple hardening measures, while Dashlane removed support for legacy cryptography.
Stay informed. The researchers plan to present their full findings at the USENIX Security Symposium in Baltimore in August 2026. Watch for updates from your password manager provider about security improvements.
Consider alternatives. If your provider was slow to respond or hasn't communicated fixes clearly, you might want to evaluate other options that prioritize transparency and regular security audits.
The bottom line: password managers remain far safer than reusing passwords or writing them down. This research serves as a wake-up call for the industry to deliver on its security promises rather than a reason to abandon password managers altogether.