The Hacker News
Cloud Password Managers Susceptible to Zero-Knowledge Encryption Attacks
Monday, February 16, 2026
What
Researchers uncovered multiple attack vectors against popular cloud password managers, exploiting weaknesses in their zero-knowledge encryption (ZKE) designs. This matters because these flaws could lead to the compromise of user vaults, including full password recovery, under a malicious server scenario.
Where
Bitwarden, Dashlane, LastPass, and 1Password are affected. These services collectively serve over 60 million users and 125,000 businesses globally.
When
Disclosed by a recent study from ETH Zurich and Università della Svizzera italiana.
Key Factors
- The attacks exploit design anti-patterns and cryptographic misconceptions in ZKE implementations, not fundamental ZKE flaws, under a malicious server assumption.
- Vulnerabilities stem from issues like flawed item-level encryption, problematic key escrow designs, insecure sharing features, and backwards compatibility with legacy code.
- While 1Password acknowledged similar architectural limitations, Bitwarden, Dashlane, and LastPass have implemented or are actively implementing countermeasures to mitigate the identified risks.
Takeaways
- Users of affected password managers should ensure their software is updated to the latest versions to benefit from implemented security patches.
- Organizations should review their password manager policies, consider the implications of malicious server scenarios, and prioritize strong, unique master passwords.