April 15, 2026 Password Security

25 Critical Vulnerabilities Found in Major Password Managers: What You Need to Know

Researchers from ETH Zurich uncovered 25 distinct attack vectors across Bitwarden, LastPass, and Dashlane — affecting over 60 million users and 125,000 businesses. Here's what happened, which managers are safe, and what you should do right now.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What the Researchers Found

In February 2026, security researchers from ETH Zurich and Università della Svizzera italiana published findings that sent shockwaves through the cybersecurity community. After systematically auditing three of the world's most popular cloud-based password managers, they identified 25 distinct attack vectors that could compromise user vaults.

The breakdown was alarming:

The attacks ranged from targeted integrity violations of individual user vaults to a worst-case scenario: total compromise of all vaults associated with an entire organisation.

Why This Matters More Than You Think

Password managers are supposed to be the last line of defence for your digital identity. When security professionals recommend using a password manager — and they universally do — the assumption is that the vault itself is cryptographically secure. These findings challenge that assumption.

The 60 million individual users and 125,000 businesses relying on these three platforms collectively trust them with everything: banking credentials, healthcare logins, corporate infrastructure access, personal email, and more. A vulnerability in a password manager isn't like a vulnerability in a photo app — it's a skeleton key to someone's entire digital life.

How the Attacks Work

Without getting too deep into the cryptographic weeds, the vulnerabilities fall into several categories:

1. Password Recovery Exploitation

Several attacks targeted the password recovery mechanisms. Cloud-based password managers need a way to help users regain access if they forget their master password, but these recovery pathways can introduce cryptographic weaknesses that attackers can exploit.

2. Vault Integrity Violations

Some attacks allowed modification of vault contents without the user's knowledge. An attacker could potentially change a stored URL (so you log into a phishing site) or alter stored credentials — all while the vault appears normal to the user.
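To make the URL point concrete, here is an added, stdlib-only model (not the researchers' or any vendor's code) of two ways a client can tag a vault item: one tag covers only the secret, the other covers every field. The key, item ids, URLs and secret blob are constructed placeholders.

```python
"""Added example: which fields a vault item's integrity tag must cover.
Constructed model; the secret is an opaque placeholder blob, and the
device-only key never leaves the client."""
import hashlib
import hmac
import json

KEY = b"device-only vault key (constructed placeholder)"


def tag(key: bytes, item_id: str, fields: dict) -> str:
    # Bind the item id and the given fields in canonical (sorted) order.
    msg = json.dumps({"id": item_id, **fields}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def store_weak(key, item_id, url, username, secret_blob):
    # Weak: only the secret is authenticated; url and username are not.
    rec = {"id": item_id, "url": url, "username": username, "secret": secret_blob}
    rec["tag"] = tag(key, item_id, {"secret": secret_blob})
    return rec


def store_hardened(key, item_id, url, username, secret_blob):
    # Hardened: the tag covers the whole record, so no field can change silently.
    fields = {"url": url, "username": username, "secret": secret_blob}
    return {"id": item_id, **fields, "tag": tag(key, item_id, fields)}


def verify_weak(key, rec) -> bool:
    expected = tag(key, rec["id"], {"secret": rec["secret"]})
    return hmac.compare_digest(rec["tag"], expected)


def verify_hardened(key, rec) -> bool:
    fields = {k: rec[k] for k in ("url", "username", "secret")}
    return hmac.compare_digest(rec["tag"], tag(key, rec["id"], fields))


def with_url(rec, url):
    # A synced copy of the record whose URL was changed; everything else intact.
    return {**rec, "url": url}


def audit(key, records, verify) -> list:
    """Return the ids of records whose integrity tag fails to verify."""
    return [r["id"] for r in records if not verify(key, r)]
```

Running `audit` over a vault before showing it to the user is the check that turns a silent URL change into a visible integrity failure; with the weak scheme the same audit reports nothing.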

3. Organisational Vault Compromise

The most severe attacks targeted shared organisational vaults. In enterprise environments where teams share credentials, a single compromised account could cascade to expose every password shared across the organisation.

Which Password Managers Weren't Affected?

Notably, not all password managers were vulnerable. The research specifically tested cloud-based managers that sync credentials across devices. NordPass, which uses a different cryptographic architecture built on XChaCha20 encryption, was not among the platforms found vulnerable.

NordPass takes a zero-knowledge approach where encryption and decryption happen exclusively on the user's device. The service never has access to your master password or the decrypted contents of your vault — which structurally prevents several of the attack categories identified by the researchers.

What Bitwarden, LastPass, and Dashlane Have Done

To their credit, all three companies responded to the responsible disclosure:

There is currently no evidence that any of these vulnerabilities were exploited in the wild before the patches were deployed. However, the window between discovery and disclosure means the risk was real.

16 Billion Passwords Already Exposed

These password manager vulnerabilities arrive against a grim backdrop. Cybernews researchers recently reported that 16 billion passwords have been exposed through data breaches and infostealer malware in 2026 alone. The credential theft economy is booming, with stolen logins fuelling ransomware attacks, account takeovers, and identity fraud at unprecedented scale.

This makes your choice of password manager more critical than ever. Using a compromised or weak password manager is arguably worse than using no manager at all — because it creates a single point of failure containing all your credentials.

What You Should Do Right Now

Regardless of which password manager you use, take these steps immediately:

  1. Update your password manager to the latest version. All three affected platforms have released patches.
  2. Change your master password if you use Bitwarden, LastPass, or Dashlane. Choose a strong, unique passphrase of at least 16 characters.
  3. Enable two-factor authentication on your password manager account. This adds a second layer even if the vault is compromised.
  4. Audit your shared vaults if you use organisational sharing. Review who has access and whether any credentials have been unexpectedly modified.
  5. Consider switching to a password manager with a stronger security architecture. NordPass uses XChaCha20 encryption with a zero-knowledge architecture, and is backed by the same security team behind NordVPN.

Layered Security: Don't Rely on Passwords Alone

A password manager is one layer of a proper security stack. In 2026, with ransomware groups increasingly using stolen credentials as their primary intrusion method, you need multiple layers:

The Bigger Picture

These password manager vulnerabilities highlight a broader truth about cybersecurity in 2026: no single tool is a silver bullet. The companies that built Bitwarden, LastPass, and Dashlane employ talented security engineers. The researchers who found these flaws are among the best in the world. If they can find 25 vulnerabilities in widely trusted software, imagine what state-sponsored attackers are finding in software that hasn't been audited.

The lesson isn't to stop using password managers — they're still far better than reusing passwords or keeping them in a spreadsheet. The lesson is to choose tools with strong cryptographic foundations, keep them updated, and never rely on a single layer of security.

Secure Your Digital Life

Check out our recommended security tools for a complete protection stack, from VPNs to password managers to website firewalls.