

Password Managers Vulnerable to Vault Compromise Under Malicious Server

Researchers have shown that several major password managers can have their vaults compromised by a malicious server, even though their encryption is meant to keep vault contents out of the server's reach.

Researchers from ETH Zurich analyzed Bitwarden, LastPass, Dashlane, and 1Password under the assumption of a fully malicious server, and found multiple ways such a server could compromise user vaults. The attacks targeted account recovery, SSO login, backward-compatibility features, vault integrity weaknesses, and sharing mechanisms. Full vault compromise was demonstrated for Bitwarden and LastPass, shared-vault compromise for Dashlane, and modification of stored credentials was possible in many cases. Vendors have issued patches and mitigations, though some of the weaknesses are hard to remove because they stem from structural dependencies in server-mediated encryption models.
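The following is an added illustration of the class of weakness the brief calls "vault integrity", not code from the ETH Zurich paper or from any of the named vendors, and it does not reproduce a specific finding against any product. It models a constructed, hypothetical vault design in which only the username and password are encrypted while the item id and URL are stored in the clear and left outside the integrity tag, so a server that is trusted to hold those fields can rewrite them. The cipher is a toy (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) so the block runs on the Python standard library alone; the class names, record layout and sample URLs are all assumptions made for the example.

```python
"""Constructed model of a server-mediated vault: what a malicious server can
change when the client only authenticates part of each record.
Toy cipher only (HMAC-SHA256 keystream + encrypt-then-MAC); not a real
password manager's format. All names and sample data are hypothetical."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """n bytes of keystream: HMAC(key, nonce || counter) blocks, truncated."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(mac_key: bytes, *parts: bytes) -> bytes:
    """MAC over length-prefixed parts so fields cannot slide into each other."""
    h = hmac.new(mac_key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class WeakVault:
    """Encrypts the secret fields but leaves id and url in the clear and, crucially,
    outside the tag: the client trusts the server for them (hypothetical design)."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key

    def _tagged_parts(self, rec: dict, nonce: bytes, ct: bytes) -> tuple:
        return (nonce, ct)  # id and url are NOT covered

    def seal_item(self, item_id: str, url: str, username: str, password: str) -> dict:
        nonce = secrets.token_bytes(16)
        pt = json.dumps({"username": username, "password": password}).encode()
        ct = _xor(pt, _keystream(self.enc_key, nonce, len(pt)))
        rec = {"id": item_id, "url": url, "nonce": nonce.hex(), "ct": ct.hex()}
        rec["tag"] = _tag(self.mac_key, *self._tagged_parts(rec, nonce, ct)).hex()
        return rec

    def open_item(self, rec: dict) -> dict:
        nonce, ct = bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
        expected = _tag(self.mac_key, *self._tagged_parts(rec, nonce, ct))
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            raise ValueError("record failed integrity check")
        secret = json.loads(_xor(ct, _keystream(self.enc_key, nonce, len(ct))))
        return {"id": rec["id"], "url": rec["url"], **secret}


class BoundVault(WeakVault):
    """Same cipher, but the tag also binds id and url, so a server that rewrites
    either field produces a record the client rejects."""

    def _tagged_parts(self, rec: dict, nonce: bytes, ct: bytes) -> tuple:
        return (rec["id"].encode(), rec["url"].encode(), nonce, ct)


def malicious_server_rewrite(rec: dict, attacker_url: str) -> dict:
    """A malicious server can edit any stored field it can read; here it points
    the item at an attacker-controlled login page (constructed sample)."""
    evil = dict(rec)
    evil["url"] = attacker_url
    return evil


def autofill_target(vault: WeakVault, stored_rec: dict) -> str:
    """Where the client would offer the credential, or 'rejected' if it refuses."""
    try:
        return vault.open_item(stored_rec)["url"]
    except ValueError:
        return "rejected"


def demo() -> dict:
    """Run the same server-side rewrite against both designs."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    results = {}
    for name, cls in (("weak", WeakVault), ("bound", BoundVault)):
        vault = cls(enc_key, mac_key)
        rec = vault.seal_item("item-1", "https://bank.example", "alice", "hunter2")
        tampered = malicious_server_rewrite(rec, "https://login.attacker.example")
        results[name] = autofill_target(vault, tampered)
    return results


if __name__ == "__main__":
    print(demo())  # {'weak': 'https://login.attacker.example', 'bound': 'rejected'}
```

The point of the contrast is that anything the client does not authenticate itself is, under a malicious-server model, attacker-controlled, and the fix is to bind every field the client acts on (here the id and URL, in a real product typically via AEAD associated data) to the ciphertext it belongs to. Binding fields within a record does not by itself stop a server from deleting, duplicating or rolling back whole records; that needs a client-authenticated vault manifest or version as well, which this example deliberately leaves out.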

Read more:

https://www.securityweek.com/password-managers-vulnerable-to-vault-compromise-under-malicious-server/