Cloudless Software Blog

The Local-First Movement Is Growing. Here Is Why It Matters.

Something is shifting in the software world, and it is not another JavaScript framework.

Over the past two years a growing number of developers, researchers, and companies have started building software around a simple idea: your data should live on your device first, and everything else is optional. They call it local-first software. We call it common sense. But whatever you call it, the movement is gaining serious momentum, and the reasons behind it read like a summary of everything Cloudless Software has been saying since day one.

The concept is not brand new. In 2019, researchers at Ink & Switch published an essay called “Local-First Software: You Own Your Data, in Spite of the Cloud.” It laid out seven ideals for software that works offline, keeps data on the user’s device, and treats cloud synchronization as a convenience rather than a dependency. The essay circulated quietly among developers for years. Then the world started catching up.

In 2024, the first Local-First Conference drew hundreds of engineers to discuss these ideas in person. By early 2026, the conversation had moved from niche developer blogs to mainstream tech publications. Graham Miranda published “Why Local-First Software Is Making a Comeback (and What It Means for Privacy),” arguing that powerful devices and modern browser APIs have finally made offline-capable, client-centric applications practical at scale. Tech Champion ran a piece titled “Local-First Software Development Patterns for 2026: The End of Cloud-Only SaaS?” that referenced a manifesto signed by hundreds of software architects calling the industry’s reliance on central servers brittle, slow, and privacy-hostile. The DEV Community, Heavybit, and InfoWorld have all published pieces exploring why developers are rethinking the assumption that every application needs a server to function.

The timing is not accidental. The case against cloud-only software has been building for years, and 2025 made it impossible to ignore. Eighty-three percent of companies reported experiencing a cloud data breach. The average cost of a U.S. data breach reached ten million dollars. Seventy percent of businesses using SaaS applications reported losing data from those applications. Major outages cascaded across services that millions of people depend on daily, because single-cloud dependence had become a single point of failure. Every one of these incidents reinforced the same lesson: when everyone’s data lives in one place, everyone pays when something goes wrong.

The local-first approach inverts that model. When data lives on the user’s device, there is no centralized honeypot for attackers to target. There is no outage that takes down every user at once. There is no vendor shutdown that makes your data disappear overnight. The application works whether you have an internet connection or not, because the internet was never required in the first place. Synchronization, when it exists, happens in the background as a convenience. The device is the source of truth.

Privacy is the other half of the equation. Cloud-based SaaS applications typically require you to trust the provider with your data. You trust their encryption. You trust their employees. You trust their third-party integrations. You trust that they will not change their terms of service, get acquired by a company with different values, or simply go out of business and take your data with them. Local-first software eliminates most of those trust requirements. Your data sits on your hardware, encrypted by your keys. The provider never sees it. There is nothing to breach because there is nothing stored on their servers.

The developer community is not just talking about this. They are building it. New tools and frameworks for local-first development are appearing regularly. Conflict-free Replicated Data Types allow multiple devices to synchronize without a central server deciding who wins. Browser APIs like the Origin Private File System let web applications store gigabytes of data locally. The infrastructure that made cloud-only the default choice for a decade is being matched, piece by piece, by infrastructure that makes local-first viable for a much wider range of applications.
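To make the CRDT point concrete, here is an added example (not Cloudless Software's code, and not from any of the tools the post names): a last-writer-wins map, one of the simplest CRDTs, where two devices edit the same note offline and then sync directly with each other. The device names and note contents are constructed for the demo; the check in `mergedState` shows that merging in either order gives the same result, which is exactly what lets sync proceed with no server deciding who wins.

```javascript
// Added example, not Cloudless Software's code: a last-writer-wins map CRDT.
// Each key carries a version (logical timestamp, device id); merge is commutative
// and idempotent, so devices that edit offline converge whichever order they sync in.
function newerThan(a, b) {
  // Higher timestamp wins; on a tie the device id decides, so replicas agree with no server.
  if (!b) return true;
  if (a.ts !== b.ts) return a.ts > b.ts;
  return a.device > b.device;
}
class LwwMap {
  constructor(device) {
    this.device = device;
    this.clock = 0;           // Lamport-style logical clock
    this.entries = new Map(); // key -> { value, ts, device }
  }
  set(key, value) {
    this.clock += 1;
    this.entries.set(key, { value, ts: this.clock, device: this.device });
  }
  remove(key) { this.set(key, null); } // null is a tombstone, so deletes replicate
  merge(other) {
    for (const [key, theirs] of other.entries) {
      if (newerThan(theirs, this.entries.get(key))) this.entries.set(key, { ...theirs });
      this.clock = Math.max(this.clock, theirs.ts); // never write below what we saw
    }
    return this;
  }
  snapshot() { // live values only, keys sorted so replicas compare equal
    const out = {};
    for (const k of [...this.entries.keys()].sort()) {
      const e = this.entries.get(k);
      if (e.value !== null) out[k] = e.value;
    }
    return out;
  }
}
function mergedState(a, b) { // merge in both orders; return the state only if they agree
  const ab = JSON.stringify(new LwwMap('ab').merge(a).merge(b).snapshot());
  const ba = JSON.stringify(new LwwMap('ba').merge(b).merge(a).snapshot());
  return ab === ba ? JSON.parse(ab) : null;
}
function demo() { // two devices edit the same note offline, then sync peer to peer
  const phone = new LwwMap('phone'), laptop = new LwwMap('laptop');
  phone.set('note:1', 'buy milk');       // ts 1 on phone
  laptop.set('note:1', 'buy oat milk');  // ts 1 on laptop: concurrent edit
  laptop.set('note:2', 'call bank');     // ts 2 on laptop
  const firstSync = mergedState(phone, laptop);
  phone.merge(laptop).remove('note:2');  // phone now at clock 2; tombstone gets ts 3
  return { firstSync, afterDelete: laptop.merge(phone).snapshot() };
}
```

Real local-first apps layer more structure on top (per-field versions, sequence CRDTs for text), but the property demonstrated here, that every replica computes the same winner from the data alone, is what removes the central server from the trust path.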

None of this surprises us. Cloudless Software was built on the principle that sensitive data belongs on your device, under your control, with no cloud dependency and no data collection. We did not call it local-first when we started. We just called it the right way to build software. It is encouraging to see the broader development community arriving at the same conclusion through independent research, real-world breach data, and hard lessons learned from a decade of putting everything in the cloud.

The cloud is not going away. It is good at plenty of things. But the assumption that every application must be cloud-dependent, that your data must live on someone else’s server to be useful, is being challenged by people who build software for a living. They are looking at the breach statistics, the outage reports, the vendor lock-in stories, and the privacy erosion, and they are choosing a different path. We have been on that path for a while now. It is nice to have company.

The Identity Protectors Got Their Identity Stolen

You cannot make this up.

Aura is one of the largest identity theft protection companies in the United States. Over a million customers pay them a monthly fee to monitor their personal data, alert them to threats, and keep their identities safe from hackers. Their website is full of reassuring language about advanced security, real-time monitoring, and keeping you one step ahead of cybercriminals. In March 2026, a hacking group called ShinyHunters breached Aura’s systems by making a phone call.

That is not a typo. A single social engineering call to one Aura employee was all it took. The attacker impersonated a trusted contact, asked for system access, and the employee handed it over. No sophisticated zero-day exploit. No nation-state hacking tool. Just a convincing voice on the other end of a phone line. In roughly one hour, ShinyHunters pulled 900,000 records from Aura’s internal systems. Names, email addresses, home addresses, and phone numbers. The kind of data that identity thieves use to build profiles, craft targeted phishing attacks, and steal identities. Exactly the kind of data Aura is paid to protect.

When Aura refused to pay the ransom, ShinyHunters did what they always do. They dumped 12 GB of stolen data on their public leak site for anyone to download. ShinyHunters is not new to this game. They operate on a simple model: steal data, demand payment, publish if ignored. They have been linked to breaches at dozens of major companies over the past several years. Aura was just another name on the list.

Aura’s official response was measured. They said fewer than 20,000 active customers and 15,000 former customers had contact information exposed. The majority of the 900,000 records, they explained, were marketing contacts inherited from a company Aura acquired back in 2021. No Social Security numbers, no passwords, no financial data were part of the breach, according to the company. The subtext was clear: this was not that bad.

But that framing misses the real story. Whether it was 20,000 customers or 900,000 records, the breach happened. A company that sells security as its core product was compromised through one of the oldest tricks in the book. Social engineering is not a new attack vector. It is one of the first things any security company should train its employees to resist. If Aura’s own staff are vulnerable to a phone call, what does that say about the systems protecting your data?

This is the fundamental problem with centralized cloud services holding sensitive data. It does not matter how many layers of encryption you advertise, how many trust badges you put on your website, or how slick your dashboard looks. When all of your customers’ data lives in one place, the entire system is only as strong as its weakest human link. One bad decision by one employee on one afternoon, and the vault door swings open.

And this is not a one-off. Cloud-based services holding sensitive personal data are breached with alarming regularity. The business model itself creates the incentive for attackers. Why spend weeks trying to hack one person’s device when you can hack one company and get a million people’s data in a single afternoon? Centralized data is a centralized target. The payoff is massive because it is everyone’s data at once.

The irony here is thick enough to cut with a knife. Aura’s customers signed up specifically because they were worried about their personal data being exposed. They paid a monthly fee for peace of mind. And now their names, emails, home addresses, and phone numbers are sitting on a public leak site because the company they trusted to protect them got beaten by a phone call.

At Cloudless Software, we have always believed that your sensitive data belongs on your device, under your control. Not on someone else’s server, guarded by someone else’s employees, vulnerable to someone else’s mistakes. When data stays local, there is no centralized honeypot to attack, no million-record jackpot to chase, and no single point of failure that takes everyone down at once. Your data, your device, your control.

LastPass: The Breach That Keeps On Taking

Most data breaches are a bad week. Maybe a bad month if the press picks it up. The company issues an apology, offers free credit monitoring, and everyone moves on. The LastPass breach is different. It has become a bad era — one that is still unfolding more than three years after the initial attack, with no end in sight.

Let us rewind to 2022. Attackers compromised a LastPass developer’s machine and used that access to infiltrate LastPass’s development environment. From there, they made their way to backup storage and stole encrypted copies of customer password vaults. Not metadata. Not email addresses. The actual vaults — the encrypted files containing every password, every login, every secure note that millions of users had entrusted to LastPass. The crown jewels.

LastPass’s response at the time was reassuring. They told users the vaults were encrypted with AES-256, that cracking them would be virtually impossible, and that users with strong master passwords had nothing to worry about. The message was clear: your data is safe, even in the wrong hands.

They were wrong.

The problem with stealing encrypted vaults is that you have all the time in the world to crack them. There is no server to keep you out, no rate limiting, no lockout after failed attempts. You just download the vault and start guessing master passwords on your own hardware, at your own pace, using ever-improving tools. And that is exactly what happened.

Blockchain analytics firm TRM Labs has been tracking cryptocurrency thefts linked to cracked LastPass vaults. Their estimate: approximately $35 million in cryptocurrency stolen through 2025. That is not a typo. Thirty-five million dollars, taken from people who trusted LastPass to keep their crypto wallet seeds and private keys safe. Evidence points to Russian cybercriminal actors, with linked cryptocurrency exchanges receiving stolen funds as recently as October 2025. One breach in 2022 is still generating revenue for criminals in 2025 and beyond. Every year that passes, hardware gets faster and cheaper, and more vaults with weaker master passwords get cracked.

But the original breach is only part of the story. In January 2026, LastPass users were hit with a sophisticated phishing campaign. Fake emails, designed to look like official LastPass maintenance notifications, urged users to “back up their vaults” within 24 hours. The emails linked to convincing fake sites that harvested master passwords. This was not an isolated incident — it was the third such phishing campaign targeting LastPass users in just six months. Attackers know that LastPass users are anxious. They know the brand is damaged. And they are exploiting that anxiety to steal the one thing still protecting those vaults: the master password.

Then in February 2026, security researchers at ETH Zurich published a study that should have been the final nail in the coffin. They identified seven distinct security vulnerabilities in LastPass, demonstrating that the platform’s heavily marketed “zero-knowledge encryption” could be bypassed if the central server was compromised. The central server. The one that was already compromised in 2022. The researchers essentially proved that the architecture LastPass was built on had fundamental flaws — flaws that made the 2022 breach even more dangerous than LastPass had acknowledged.

Think about what this means for the average LastPass user. Your vault was stolen in 2022. Criminals have been cracking vaults ever since, stealing millions. Phishing campaigns are actively targeting you for your master password. And academic researchers have proven that the encryption protecting your vault was not as strong as you were told. At what point does the word “breach” stop being accurate? This is not a breach. It is a condition — an ongoing state of compromise that started over three years ago and shows no signs of ending.

This is the inherent risk of cloud-based password managers. When millions of vaults sit on one company’s servers, the breach is not a moment in time. The stolen data does not expire. It does not get stale. Passwords do not rot. The attackers have forever to work through what they stole, and every year their tools get better. Meanwhile, users are told to change their passwords and move on, as if the problem is solved. It is not. The vaults are still out there.

Stellar Password Manager was built on a fundamentally different premise. Your vault lives on your device. It is encrypted locally with your master password. There is no central server storing millions of vaults. There is no backup system that an attacker can raid for a million-vault jackpot. If someone wants your data, they need physical access to your device and your master password. The attack surface is one person — not one million.

We are not claiming that local storage is invincible. Nothing is. But the math is different. Hacking one person’s phone to get one person’s vault is a terrible return on investment for a criminal. Hacking one company’s servers to get millions of vaults is a career-making payday. As long as cloud password managers exist, they will be targets, because the economics of the attack demand it.

LastPass is not the exception. It is the inevitable result of putting everyone’s secrets in one basket and hoping nobody finds it. The basket was found in 2022. People are still paying for it in 2026. We think there is a better way.

Zonality Host Management Released

Cloudless Software is celebrating the first release of Zonality Host Management.

On February 1st 2024 we released Zonality v1.0 as a free application for both home and business users. Zonality is a free Windows Hosts File Editor. As part of our Cloudless mission we felt that managing hosts on your local network is an important feature. While many other good editors exist, most are outdated or minimally useful. Zonality will grow in features to become the most feature-rich, modern hosts file editor in the marketplace.

Zonality as a Windows Hosts File Editor will always be free. Zonality is also the base platform for our Host Management solution. Zonality-Pro will manage your local and remote hosts and sites, enabling developers and other super users to access the Hosts and Sites defined in Zonality, including secure credential management. The Zonality-Pro release is expected sometime in 2025.

Please download Zonality from our Products page and enjoy the features of Zonality today.