  • dbof@infosec.exchange
    Yeah, don't use #lastpass, they have a terrible security track record and every statement I hear of them downplaying security issues is just https://mastodon.neat.computer/@privacyguides/116097535979600679
  • wpalant@infosec.exchange
    Note how LastPass PR offloaded a ton of buzzwords here that don’t actually mean anything. They turned this kind of response into an art. https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/

    Bitwarden at least admits that a fully compromised server isn’t part of their threat model. It’s the same for LastPass, and in the past they’ve rejected vulnerability submissions based on that – there are a number of very simple ways in which a compromised server is able to access your “secure” vault. But they won’t admit it, hoping instead that the message will drown in the noise they produce.

    For the sake of completeness: Dashlane’s response is merely generic. 1Password’s response is correct from what I can tell: the “compromised server” scenario has been considered and the risks arising from it are documented, nothing new here. #LastPass #infosec