Interesting paper and I agree with the researchers to consider full server compromise in scope for online password managers. Maybe I missed it, but I’d have liked a section on the response by vendors. Mistakes happen, but the response and actions taken are very important for (continued) trust in a vendor.