Dashlane Says Hackers Brute-Forced 2FA on ~20 Accounts and Downloaded Encrypted Password Vaults

Hackers bypassed two-factor authentication to obtain at least a dozen encrypted customer vaults. Dashlane said its core systems were not compromised.

Sources: TechCrunch, itsecuritynews.info (2 sources) · Jun 2, 11:40 AM · 1 min read

Hackers obtained at least a dozen encrypted password vaults belonging to Dashlane customers during a weekend cyberattack. The company said the attackers accessed about 20 customer accounts by defeating its two-factor authentication system. According to Dashlane, the attackers used automated software to submit every possible numeric combination to the two-factor system, trying to guess the correct code before it expired.

Once the mechanism was bypassed, the attackers registered new devices on the accounts and downloaded copies of the encrypted vaults. The company said there was no evidence that its own systems were compromised. Dashlane has not disclosed how the attackers defeated the two-factor protections.
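One way a defender could spot the pattern described above in authentication logs (a burst of failed one-time-code checks against a single account, followed shortly by a new device being registered) is shown here as an added example; it is not Dashlane's code, and the log format, field names, thresholds and sample events are all constructed for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Dashlane logs).
# Line format assumed: "<ISO time>Z user=<u> event=<e> result=<r>"
def constructed_log():
    base = datetime(2024, 6, 1, 10, 0, 0)
    lines = []
    # alice: 40 OTP failures in 20 s (an automated code-guessing burst),
    # then a success and a new device enrolment
    for i in range(40):
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t.isoformat()}Z user=alice event=otp_verify result=fail")
    lines.append(f"{(base + timedelta(seconds=21)).isoformat()}Z user=alice event=otp_verify result=success")
    lines.append(f"{(base + timedelta(seconds=25)).isoformat()}Z user=alice event=device_enroll result=success")
    # bob: three mistyped codes over several minutes, then success (ordinary behaviour)
    for i in range(3):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()}Z user=bob event=otp_verify result=fail")
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()}Z user=bob event=otp_verify result=success")
    return lines

def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts.rstrip("Z"))
    return rec

def detect(lines, window=timedelta(seconds=30), threshold=10, enroll_grace=timedelta(minutes=10)):
    """Return {user: set(findings)}.
    'otp_burst'         = at least `threshold` OTP failures inside one `window`
    'burst_then_enroll' = a device was enrolled within `enroll_grace` of such a burst"""
    recent = defaultdict(deque)   # user -> timestamps of recent failures (sliding window)
    burst_at = {}                 # user -> time the burst was first detected
    findings = defaultdict(set)
    for rec in sorted((parse(l) for l in lines), key=lambda r: r["ts"]):
        u, t = rec["user"], rec["ts"]
        if rec["event"] == "otp_verify" and rec["result"] == "fail":
            q = recent[u]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                findings[u].add("otp_burst")
                burst_at.setdefault(u, t)
        elif rec["event"] == "device_enroll" and u in burst_at and t - burst_at[u] <= enroll_grace:
            findings[u].add("burst_then_enroll")
    return dict(findings)

if __name__ == "__main__":
    print(detect(constructed_log()))
```

The same logic serves as a lockout trigger if run inline in the verification path rather than over logs after the fact.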

Dashlane has notified the 20 or so affected customers. The stolen vaults remain encrypted and cannot be read without each customer’s master password, which is known only to the customer and is never uploaded to the company in plaintext. Dashlane warned that customers who use an easily guessed master password face a greater risk that their vaults could be decrypted.

The company said it has taken steps to reduce the chance of similar incidents but did not describe those measures. Data breaches at password manager companies remain uncommon. In 2022, LastPass confirmed that customer password vault backups were stolen in a cyberattack.

Early LastPass customers operated under weaker password requirements than later standards, allowing some master passwords to be guessed. A year before the LastPass incident, Australian software company Click Studios told all Passwordstate customers to reset their credentials after attackers compromised the company’s software update system and installed malware on customer devices.

