Cloudless Software Blog

Stellar Password Manager Enters Open Beta on Android

Today we are releasing Stellar Password Manager as an open beta on Android. No cloud account. No server. No tracking. Your passwords live on your device, encrypted with AES-256-GCM and keys derived from Argon2id. There is nothing stored on our servers because we do not have servers.

✓ Nested folders with drag-and-drop

✓ Autofill

✓ Strong password generation

✓ Password health checks

✓ Password history

✓ Recycle bin with restore

✓ Fast record search

✓ Launch websites directly

✓ Data import and export

✓ Advanced backup manager

Earlier today we published a deep dive on the ETH Zurich study that developed 25 successful attacks against Bitwarden, LastPass, and Dashlane — the password managers used by 60 million people. Every single attack required a compromised central server. Every single one fails when there is no server to compromise. Read the full analysis →

Stellar is free during the beta. We would rather you try it, break it, and tell us what is wrong than find out after launch. If you have been waiting for a password manager that does not ask you to trust a company with your vault, this is it.

Get Stellar on Google Play →

New Article: Why Zero-Knowledge Encryption Is Not Enough

Researchers at ETH Zurich developed 25 successful attacks against Bitwarden, LastPass, and Dashlane. Not theoretical. Not proof-of-concept. Successful. And every single one of them required a compromised central server — the same server that zero-knowledge encryption is supposed to make irrelevant.

We broke down all four attack categories: cryptographic downgrades that force modern apps to use encryption from the 1990s, integrity attacks that inject malicious content during sync, metadata leaks that expose what you store without cracking a single password, and sharing protocol exploits that hijack vault sharing. Then we showed why none of them work against a local-first architecture. The attack surface does not exist when there is no server in the loop.

This one matters. If you use a cloud-based password manager, or if you have been thinking about switching, read this first. Read the full article →

New Article: Best Offline Password Managers Compared

We put four offline password managers under the microscope: KeePass, Bitwarden, Enpass, and our own Stellar. Not a feature checklist. A look at how each one actually handles offline, where the architecture starts, and what that means when the Wi-Fi cuts out or the company behind the product disappears.

We used the Ink & Switch local-first software principles as the measuring stick, because somebody needed to. Turns out there is a real difference between “works offline” and “was built for offline.” We are biased and we say so upfront. Read it and decide for yourself. Read the full article →

New Article: The $500 Scam That Works on 2.3 Billion People

Got another one of those “your cloud storage payment failed” emails this morning. You know the ones. Google logo, red banner, scary button. Sent from a Hotmail address, of course. So we did what we do best and pulled the thread: who sends these, what do they make, and why does it keep working?

[Image: Phishing email impersonating Google Cloud Storage. Caption: This morning’s catch. They are not even trying to hide the Hotmail address.]

Turns out a phishing campaign costs under $500 to run, the average payout per successful hit is over $125,000, and the FBI clocked $20.9 billion in cybercrime losses last year. The reason this particular scam works so well? 2.3 billion people use cloud storage. When everyone’s data is up there, everyone panics when they are told it might disappear. Unless, of course, your data is not up there. Then you just laugh and delete the email.

We wrote a deep dive on the whole thing: the economics, the organized crime syndicates behind it, and why cloud dependency is the vulnerability they are exploiting. Read the full article →

The Local-First Movement Is Growing. Here Is Why It Matters.

Something is shifting in the software world, and it is not another JavaScript framework.

Over the past two years a growing number of developers, researchers, and companies have started building software around a simple idea: your data should live on your device first, and everything else is optional. They call it local-first software. We call it common sense. But whatever you call it, the movement is gaining serious momentum, and the reasons behind it read like a summary of everything Cloudless Software has been saying since day one.

The concept is not brand new. In 2019, researchers at Ink & Switch published an essay called “Local-First Software: You Own Your Data, in Spite of the Cloud.” It laid out seven ideals for software that works offline, keeps data on the user’s device, and treats cloud synchronization as a convenience rather than a dependency. The essay circulated quietly among developers for years. Then the world started catching up.

In 2024, the first Local-First Conference drew hundreds of engineers to discuss these ideas in person. By early 2026, the conversation had moved from niche developer blogs to mainstream tech publications. Graham Miranda published “Why Local-First Software Is Making a Comeback (and What It Means for Privacy),” arguing that powerful devices and modern browser APIs have finally made offline-capable, client-centric applications practical at scale. Tech Champion ran a piece titled “Local-First Software Development Patterns for 2026: The End of Cloud-Only SaaS?” that referenced a manifesto signed by hundreds of software architects calling the industry’s reliance on central servers brittle, slow, and privacy-hostile. The DEV Community, Heavybit, and InfoWorld have all published pieces exploring why developers are rethinking the assumption that every application needs a server to function.

The timing is not accidental. The case against cloud-only software has been building for years, and 2025 made it impossible to ignore. Eighty-three percent of companies reported experiencing a cloud data breach. The average cost of a U.S. data breach reached ten million dollars. Seventy percent of businesses using SaaS applications reported losing data from those applications. Major outages cascaded across services that millions of people depend on daily, because single-cloud dependence had become a single point of failure. Every one of these incidents reinforced the same lesson: when everyone’s data lives in one place, everyone pays when something goes wrong.

The local-first approach inverts that model. When data lives on the user’s device, there is no centralized honeypot for attackers to target. There is no outage that takes down every user at once. There is no vendor shutdown that makes your data disappear overnight. The application works whether you have an internet connection or not, because the internet was never required in the first place. Synchronization, when it exists, happens in the background as a convenience. The device is the source of truth.

Privacy is the other half of the equation. Cloud-based SaaS applications typically require you to trust the provider with your data. You trust their encryption. You trust their employees. You trust their third-party integrations. You trust that they will not change their terms of service, get acquired by a company with different values, or simply go out of business and take your data with them. Local-first software eliminates most of those trust requirements. Your data sits on your hardware, encrypted by your keys. The provider never sees it. There is nothing to breach because there is nothing stored on their servers.

The developer community is not just talking about this. They are building it. New tools and frameworks for local-first development are appearing regularly. Conflict-free Replicated Data Types allow multiple devices to synchronize without a central server deciding who wins. Browser APIs like the Origin Private File System let web applications store gigabytes of data locally. The infrastructure that made cloud-only the default choice for a decade is being matched, piece by piece, by infrastructure that makes local-first viable for a much wider range of applications.

None of this surprises us. Cloudless Software was built on the principle that sensitive data belongs on your device, under your control, with no cloud dependency and no data collection. We did not call it local-first when we started. We just called it the right way to build software. It is encouraging to see the broader development community arriving at the same conclusion through independent research, real-world breach data, and hard lessons learned from a decade of putting everything in the cloud.

The cloud is not going away. It is good at plenty of things. But the assumption that every application must be cloud-dependent, that your data must live on someone else’s server to be useful, is being challenged by people who build software for a living. They are looking at the breach statistics, the outage reports, the vendor lock-in stories, and the privacy erosion, and they are choosing a different path. We have been on that path for a while now. It is nice to have company.

The Identity Protectors Got Their Identity Stolen

You cannot make this up.

Aura is one of the largest identity theft protection companies in the United States. Over a million customers pay them a monthly fee to monitor their personal data, alert them to threats, and keep their identities safe from hackers. Their website is full of reassuring language about advanced security, real-time monitoring, and keeping you one step ahead of cybercriminals. In March 2026, a hacking group called ShinyHunters breached Aura’s systems by making a phone call.

That is not a typo. A single social engineering call to one Aura employee was all it took. The attacker impersonated a trusted contact, asked for system access, and the employee handed it over. No sophisticated zero-day exploit. No nation-state hacking tool. Just a convincing voice on the other end of a phone line. In roughly sixty minutes — one hour — ShinyHunters pulled 900,000 records from Aura’s internal systems. Names, email addresses, home addresses, and phone numbers. The kind of data that identity thieves use to build profiles, craft targeted phishing attacks, and steal identities. Exactly the kind of data Aura is paid to protect.

When Aura refused to pay the ransom, ShinyHunters did what they always do. They dumped 12 GB of stolen data on their public leak site for anyone to download. ShinyHunters is not new to this game. They operate on a simple model: steal data, demand payment, publish if ignored. They have been linked to breaches at dozens of major companies over the past several years. Aura was just another name on the list.

Aura’s official response was measured. They said fewer than 20,000 active customers and 15,000 former customers had contact information exposed. The majority of the 900,000 records, they explained, were marketing contacts inherited from a company Aura acquired back in 2021. No Social Security numbers, no passwords, no financial data were part of the breach, according to the company. The subtext was clear: this was not that bad.

But that framing misses the real story. Whether it was 20,000 customers or 900,000 records, the breach happened. A company that sells security as its core product was compromised through one of the oldest tricks in the book. Social engineering is not a new attack vector. It is one of the first things any security company should train its employees to resist. If Aura’s own staff are vulnerable to a phone call, what does that say about the systems protecting your data?

This is the fundamental problem with centralized cloud services holding sensitive data. It does not matter how many layers of encryption you advertise, how many trust badges you put on your website, or how slick your dashboard looks. When all of your customers’ data lives in one place, the entire system is only as strong as its weakest human link. One bad decision by one employee on one afternoon, and the vault door swings open.

And this is not a one-off. Cloud-based services holding sensitive personal data are breached with alarming regularity. The business model itself creates the incentive for attackers. Why spend weeks trying to hack one person’s device when you can hack one company and get a million people’s data in a single afternoon? Centralized data is a centralized target. The payoff is massive because it is everyone’s data at once.

The irony here is thick enough to cut with a knife. Aura’s customers signed up specifically because they were worried about their personal data being exposed. They paid a monthly fee for peace of mind. And now their names, emails, home addresses, and phone numbers are sitting on a public leak site because the company they trusted to protect them got beaten by a phone call.

At Cloudless Software, we have always believed that your sensitive data belongs on your device, under your control. Not on someone else’s server, guarded by someone else’s employees, vulnerable to someone else’s mistakes. When data stays local, there is no centralized honeypot to attack, no million-record jackpot to chase, and no single point of failure that takes everyone down at once. Your data, your device, your control.

LastPass: The Breach That Keeps On Taking

Most data breaches are a bad week. Maybe a bad month if the press picks it up. The company issues an apology, offers free credit monitoring, and everyone moves on. The LastPass breach is different. It has become a bad era — one that is still unfolding more than three years after the initial attack, with no end in sight.

Thirty million vaults stolen in 2022. Over $150 million in cryptocurrency drained from cracked vaults. Ongoing phishing campaigns targeting an anxious user base. And academic researchers at ETH Zurich proving the encryption architecture was flawed from the start. We wrote a full investigation into the breach, the ongoing fallout, and what it means for anyone still trusting a cloud-based password manager with their data.

Read the full article: Is LastPass Safe? →

Zonality Host Management Released

Cloudless Software is celebrating its first software release of Zonality Host Management.

On February 1st, 2024, we released Zonality v1.0 as a free application for both home and business users. Zonality is a free Windows Hosts File Editor. As part of our Cloudless mission, we felt that managing hosts in your local network is an important feature. While many other good editors exist, most are outdated or minimally useful. Zonality will grow in features to become the most feature-rich, modern hosts file editor in the marketplace.

Zonality as a Windows Hosts File Editor will always be free. Zonality is also the base platform for our Host Management solution. Zonality-Pro will manage your local and remote hosts and sites, enabling developers and other super users to access the hosts and sites defined in Zonality, including secure credential management. The Zonality-Pro release is expected sometime in 2025.

Please download Zonality from our Products page and enjoy the features of Zonality today.