Password manager Dashlane explains how it suffered a cyberattack and had its encrypted password vault stolen.

On May 31, 2026, local time, the password manager '
Security advisory: Brute force attack on Dashlane user accounts – Dashlane
https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts

Dashlane explains how attackers managed to download encrypted password vaults - Ars Technica
https://arstechnica.com/security/2026/06/dashlane-explains-how-attackers-managed-to-download-encrypted-password-vaults/

On May 31, 2026, Dashlane was subjected to a brute-force attack by an external third party against specific user accounts. The objective of the attack was to bypass two-factor authentication and register new devices to existing user accounts.
Dashlane's automated security system detected a brute-force attack on user accounts and automatically locked the targeted accounts. Upon receiving notification from the system, the Dashlane team began investigation and recovery efforts. While the attack temporarily suspended several user accounts, access to those accounts has been restored as of the time of writing.
The attacker successfully downloaded encrypted password vaults from fewer than 20 individual plan users. These users have already been notified. If you are a Dashlane user and have not received a message regarding the password vault, your account is not affected by the breach.
Dashlane's encrypted password vault is inaccessible without the master password. Furthermore, Dashlane states that the vault's encryption makes brute-force attempts against it, even when sustained over extended periods, statistically extremely unlikely to succeed.
Dashlane announced that it will take measures to block traffic from threat actors, mitigate the risk of future incidents, and enhance system resilience.

Subsequently, on June 4th, Dashlane announced that it had completed its investigation into the incident. They stated that no further impact on Dashlane users had been confirmed, and no evidence had been found that their internal systems were affected.
The investigation revealed that the attack targeted the device registration flow, which is used to add devices such as mobile phones and computers to a user's Dashlane account.
When a user enables an additional device, Dashlane verifies the account owner's identity. This verification is completed by sending a 6-digit one-time token to the user's registered email address, or, for users who have two-factor authentication enabled, by verifying a 6-digit code generated by the authentication app. Once the user enters this code into the Dashlane app, Dashlane registers the device and downloads a copy of the encrypted password vault to the device.
To access the encrypted password vault, users must enter a master password to decrypt it. Without the master password, users cannot access the data in the password vault.

The attackers targeted the API endpoint for device registration, sending a large number of automated requests to it in a brute-force attack on the one-time code. In response, Dashlane's automated security system functioned as intended, automatically locking the targeted accounts and protecting users. Before the attack was completely contained, however, the attackers succeeded in brute-forcing valid tokens for fewer than 20 individual plan users, registering new devices to those accounts and thereby downloading the encrypted password vault.
Dashlane has implemented additional protection measures at the network level and within the product to detect and eliminate malicious traffic. In addition, they have announced that they have incorporated an additional layer of verification into the new device registration flow.
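To make the failure mode concrete, here is an added illustration (not Dashlane's code) of a minimal device-registration verifier with the control the article describes: a per-account failure cap that locks the account and invalidates the outstanding code. With one million possible 6-digit codes and no cap, an automated client will eventually hit the right one; with a cap of MAX_ATTEMPTS, the chance of ever registering a device is MAX_ATTEMPTS in a million. The Account class, MAX_ATTEMPTS value and run_enumeration test harness are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_DIGITS = 6
MAX_ATTEMPTS = 5   # failed entries tolerated per issued code (assumed policy, not Dashlane's actual value)


@dataclass
class Account:
    email: str
    token: Optional[str] = None          # current one-time device-registration code
    failures: int = 0
    locked: bool = False
    devices: list = field(default_factory=list)


def issue_token(acct: Account) -> str:
    """Issue a fresh 6-digit code, as the e-mail step of the flow does, and reset the counter."""
    acct.token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
    acct.failures = 0
    return acct.token


def register_device(acct: Account, submitted: str, device_id: str) -> str:
    """Check a submitted code. Every failure counts; MAX_ATTEMPTS failures lock the account
    and invalidate the outstanding code, so the vault is never handed out to a guessed code."""
    if acct.locked:
        return "locked"
    if acct.token is None:
        return "no_token"
    if hmac.compare_digest(acct.token, submitted):   # constant-time compare, no timing leak
        acct.token = None                            # single use
        acct.devices.append(device_id)
        return "registered"
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked, acct.token = True, None
        return "locked"
    return "invalid"


def guess_success_probability(attempts_allowed: int) -> float:
    """Chance that a uniformly random 6-digit code is found within the allowed attempts."""
    return min(attempts_allowed, 10 ** TOKEN_DIGITS) / 10 ** TOKEN_DIGITS


def run_enumeration(acct: Account, device_id: str) -> tuple:
    """Test harness: submit codes 000000..999999 in order until the account locks or the
    device registers; returns (outcome, codes submitted). Shows the cap doing its job."""
    for n in range(10 ** TOKEN_DIGITS):
        outcome = register_device(acct, f"{n:0{TOKEN_DIGITS}d}", device_id)
        if outcome != "invalid":
            return outcome, n + 1
    return "exhausted", 10 ** TOKEN_DIGITS
```

Network-level rate limiting and the extra verification step Dashlane added sit in front of this check; the per-account cap is what bounds the attacker even when those are bypassed.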
in Software, Web Service, Security, Posted by logu_ii