Dashlane confirms password vault theft via brute force attack on two-factor authentication
The password manager provider states that while vaults were downloaded, data remains encrypted without the user’s Master Password and internal systems were not breached.

Dashlane has confirmed that approximately 20 user password vaults were stolen following a brute force attack targeting the company’s two-factor authentication (2FA) system. The password manager provider reported that threat actors utilised automated software to rapidly submit every possible number combination to guess passcodes, a method designed to register new devices on existing user accounts.
According to a status page documenting the incident, the attackers did not compromise Dashlane’s internal infrastructure. Instead, they focused on bypassing the 2FA layer, which typically requires a passcode sent via text or email in addition to standard login credentials. The company stated that its security controls automatically locked the targeted accounts due to the high volume of login attempts generated by the automated software.
Dashlane clarified that the stolen vault data remains encrypted and inaccessible without the user’s Master Password. While the attackers were able to download copies of the password vaults, the encryption ensures that the sensitive information within remains protected unless the specific decryption key is also obtained. The company has since blocked traffic from the threat actors and notified the affected users.
In response to the breach, Dashlane has taken steps to mitigate the risk of future incidents. The provider is recommending that users review which devices are associated with their accounts, ensure two-factor authentication is enabled, and utilise stronger Master Passwords. Engadget has contacted Dashlane for further details regarding preventive measures, though specific timelines for future security updates were not immediately available.
The incident highlights how exposed a passcode-based second factor is to automated guessing, even when primary login credentials remain secure. By focusing on the secondary authentication layer, attackers sought to gain footholds in user accounts without needing to crack complex passwords directly. Dashlane’s assertion that internal systems were not breached suggests the attack was confined to the authentication interface rather than the core data storage.
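The lockout control described above can be sketched as a server-side verifier for the device-registration passcode. This is an added example, not Dashlane's code; the class name, the six-digit code length, the five-minute lifetime and the five-failure threshold are all assumptions, since the status page details reported here give none of them.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values; the page gives no code length, lifetime or lockout threshold.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_FAILURES = 5


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class DeviceRegistrationOTP:
    """Hypothetical verifier for the passcode that authorises a new device."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}    # account -> (code digest, expiry time)
        self._failures = {}   # account -> wrong guesses since last success
        self._locked = set()

    def issue(self, account: str) -> str:
        if account in self._locked:
            raise PermissionError("account locked; manual recovery required")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Re-issuing replaces the code but deliberately keeps the failure count,
        # so requesting a fresh code does not buy more guesses.
        self._pending[account] = (_digest(code), self._clock() + CODE_TTL_SECONDS)
        return code  # sent to the user by text or email, never echoed to the client

    def verify(self, account: str, guess: str) -> str:
        if account in self._locked:
            return "locked"
        digest, expires = self._pending.get(account, (None, 0.0))
        if digest is None or self._clock() > expires:
            self._pending.pop(account, None)
            return "expired"
        if hmac.compare_digest(digest, _digest(guess)):
            del self._pending[account]          # single use
            self._failures.pop(account, None)
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked.add(account)
            self._pending.pop(account, None)
            return "locked"
        return "wrong"
```

With these assumed values, automated guessing gets at most five tries against a space of one million codes per account before the account locks, and the counter is tracked per account rather than per code so that requesting a new code does not reset it.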


