The companies responses are probably more important then the findings.

Dashlane published a comprehensive response, thanking the researchers, and said the infoseccers’ decision to test using a malicious server model represented “a useful exercise.”

The vendor also confirmed it had fixed the most serious issue

Which is what you want to hear. The worst of the issues has been fixed and they look like they want to improve things further.

Bitwarden, meanwhile, said in a post: “Bitwarden has never been breached and believes third-party security assessments like these are critical to continue providing state of the art security to individuals and organizations.”

Is less encouraging although not damning. Would be nicer to hear they are hardening things in case of a breach rather than just relying on not being breached. They could still be doing that though.

A LastPass spokesperson told The Reg: “Our Security team is grateful for the opportunity to engage with ETH Zurich and benefit from their research. While our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zurich team, we take all reported security findings seriously. We have already implemented multiple near‑term hardening measures while also establishing plans to remediate or reinforce the relevant components of our service on a timeline commensurate with the assessed risk.”

Is just terrible. Basically they don’t think they have a problem and have done nothing more then a token effort to fix the easiest of things. I believe they have been breached before as well which is also a bad sign. They just don’t seem to care about security at all. I would continue to recommend no one use last pass and everyone one switch away from it.