Dashlane Says Brute-Force Attack Let Attacker Download Encrypted Password Vaults of Fewer Than 20 Users
Attackers targeted device-registration endpoints on May 31 and obtained copies of fewer than 20 personal-plan vaults. Dashlane says no internal systems were breached and has added verification layers.
Dashlane said attackers used a brute-force campaign on May 31 to target the API endpoints that handle new-device registration. The automated requests generated valid tokens for fewer than 20 personal-plan accounts, allowing the threat actor to register a device on each account and download a copy of the encrypted vault before the attack was stopped.
The company’s automated security systems locked out the targeted accounts as soon as the volume of requests was detected.
Dashlane said the lockouts affected an unknown number of users and that no further impacts have been identified since the investigation concluded. Dashlane stated there is no evidence its internal systems were compromised. The downloaded vaults remained encrypted and cannot be opened without each user’s master password, which the company does not store on its servers.
During normal device registration, Dashlane sends a one-time six-digit code to the user’s registered email or requests a code from an authenticator app when two-factor authentication is enabled. Once the code is entered, the new device receives a copy of the encrypted vault. Dashlane contacted the affected users with instructions on credentials and account security.
The company has added extra verification steps to the device-registration flow and deployed additional network- and product-level filters to block malicious traffic. Dashlane advised all users to enable two-factor authentication. The investigation results were published June 5.
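As an added illustration (not Dashlane's code), a minimal model of the registration flow described above: a six-digit one-time code is issued per pending device registration, each code is single-use, and the registration locks after a bounded number of wrong guesses so that the one-million-value code space cannot simply be enumerated. The class and function names, the five-attempt limit, and the in-memory store are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # wrong codes tolerated before the registration locks (assumed policy)
CODE_SPACE = 10 ** 6      # a six-digit code has one million possible values


@dataclass
class Registration:
    """Pending new-device registration for one account (constructed model)."""
    code: str
    failures: int = 0
    locked: bool = False


class DeviceRegistrar:
    def __init__(self) -> None:
        self.pending: dict[str, Registration] = {}

    def start(self, account: str) -> str:
        """Issue a fresh six-digit code; a real service would email it, not return it."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.pending[account] = Registration(code=code)
        return code

    def verify(self, account: str, submitted: str) -> str:
        """Check a submitted code; returns 'registered', 'invalid-code' or 'locked'."""
        reg = self.pending.get(account)
        if reg is None:
            return "no-pending-registration"
        if reg.locked:
            return "locked"
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(reg.code, submitted):
            del self.pending[account]   # the code is single-use
            return "registered"
        reg.failures += 1
        if reg.failures >= MAX_ATTEMPTS:
            reg.locked = True           # stop further guessing against this registration
            return "locked"
        return "invalid-code"


def guess_success_probability(attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random six-digit code."""
    return min(attempts, CODE_SPACE) / CODE_SPACE
```

With the lockout, a guesser's chance per registration is capped at 5 in a million; without it, a million requests are enough to find every code.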