password managers
-
Study finds cloud password managers vulnerable to server-side recovery attacks
A technical analysis by ETH Zurich and Universit della Svizzera italiana found that Bitwarden, LastPass, and Dashlane are vulnerable to server-side password recovery attacks, with researchers detailing multiple attack types and vendor mitigations.
-
Password manager vendor warns of active phishing campaign urging 24 hour vault backups
A phishing campaign that began around January 19 2026 uses maintenance and backup lures to pressure users into creating local vault backups within 24 hours. The vendor advises never to disclose master passwords and is working to remove the malicious infrastructure.
-
UK data watchdog fines LastPass £1.2m after 2022 breach exposed data of up to 1.6m users
The UK Information Commissioner’s Office fined LastPass £1.2 million over a two-part 2022 breach that exposed personal data for up to 1.6 million UK users, finding failures in technical and organisational security including permissive account-linking policies and missed AWS alerts.
-
Google adds User Alignment Critic to Chrome to protect Gemini agentic browsing
Google is introducing a separate, isolated LLM called User Alignment Critic in Chrome to vet actions taken by Gemini-powered agentic browsing. The architecture also uses origin restrictions, user prompts for sensitive steps, prompt-injection detection and automated red-teaming; Google is offering bounties up to $20,000 and has not given a public rollout date.
-
Phishing campaign lures LastPass and Bitwarden users to install remote-access tools
A phishing campaign impersonating LastPass and Bitwarden is distributing a binary that installs the Syncro RMM agent and deploys ScreenConnect for remote access, researchers reported; LastPass says it was not breached and users are advised to ignore unsolicited alerts and verify notices on official channels.
-
High-severity authentication bypass patched in Passwordstate credential manager, vendor says
Click Studios has released a patch for Passwordstate to fix a high-severity authentication bypass vulnerability that could allow attackers to access the emergency access page and the admin area. The vulnerability affects Passwordstate deployments used by thousands of customers and security professionals, with a CVE identifier not yet assigned. The company has published a forum…
-
Researchers warn of DOM-based extension clickjacking in password managers
Security researchers at DEF CON 33 revealed a DOM-based extension clickjacking flaw affecting popular password-manager browser extensions, capable of stealing credentials, 2FA codes, and more with a single click on a malicious page; Bitwarden has issued a fix, and others are in progress, with guidance to disable auto-fill until patches are deployed.
