TL;DR: Attackers brute-forced Dashlane’s 2FA system to register new devices on fewer than 20 accounts, downloading their encrypted password vaults. The vaults remain encrypted with master passwords Dashlane never stores, but users with weak passwords face offline cracking risk.
Dashlane disclosed on Sunday that an external attacker launched a brute-force attack against its two-factor authentication system, successfully bypassing 2FA protections on fewer than 20 personal plan user accounts and downloading copies of their encrypted password vaults. The attack, which began on 31 May, triggered automatic account lockouts across a wider set of targeted users as Dashlane’s security controls detected the high volume of authentication attempts.
The method was straightforward. Attackers used automated software to rapidly submit every possible numeric combination for time-based 2FA codes, attempting to guess the correct sequence before each short-lived code expired. When successful, this allowed them to register a new device on the targeted account, which in turn gave them the access required to download the user’s encrypted vault from Dashlane’s servers.
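The defensive control the article describes, automatic lockouts triggered by a high volume of 2FA attempts, is easy to express as a sliding-window counter over authentication logs. The following is an added example, not Dashlane's code; the log format, the five-failures-in-five-minutes threshold, and the timestamps are all constructed for illustration. It also quantifies why the cap matters: a six-digit TOTP code has a million possibilities, so the success probability of guessing within one code's validity window is bounded by the number of attempts the service allows before locking the account.

```python
"""Sliding-window 2FA failure detection with account lockout.

Added example (assumption: log format and thresholds are illustrative,
not Dashlane's actual implementation).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log lines: "<ISO timestamp> <account> <event>".
# Not real data; the burst against "alice" mimics automated code guessing.
SAMPLE_LOG = """\
2024-05-31T10:00:00Z alice 2fa_fail
2024-05-31T10:00:01Z alice 2fa_fail
2024-05-31T10:00:01Z alice 2fa_fail
2024-05-31T10:00:02Z alice 2fa_fail
2024-05-31T10:00:02Z alice 2fa_fail
2024-05-31T10:00:03Z alice 2fa_fail
2024-05-31T10:00:03Z alice 2fa_ok
2024-05-31T10:00:04Z alice new_device_registered
2024-05-31T10:05:00Z bob 2fa_fail
2024-05-31T10:07:30Z bob 2fa_ok
"""

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse constructed log lines into (timestamp, account, event) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_raw, account, event = line.split()
        # "Z" suffix is only accepted by fromisoformat() on Python 3.11+.
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        events.append((ts, account, event))
    return events


def detect_lockouts(
    events: List[Event],
    max_failures: int = 5,
    window: timedelta = timedelta(minutes=5),
) -> Tuple[Dict[str, datetime], List[Event]]:
    """Lock an account once it accumulates max_failures 2FA failures
    inside the sliding window. Returns the lockout times and every event
    that arrived for a locked account (which a real service would deny,
    including a later correct code or a new-device registration)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Dict[str, datetime] = {}
    blocked: List[Event] = []
    for ts, account, event in events:
        if account in locked:
            blocked.append((ts, account, event))
            continue
        if event == "2fa_fail":
            recent = failures[account]
            recent.append(ts)
            # Drop failures that fell out of the window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_failures:
                locked[account] = ts
        elif event == "2fa_ok":
            # A legitimate success resets the counter.
            failures[account].clear()
    return locked, blocked


def max_success_probability(attempts_allowed: int, code_digits: int = 6) -> float:
    """Upper bound on the chance that a guesser submitting distinct codes
    hits the valid one within a single code window, given the number of
    attempts the service permits before locking the account."""
    return min(1.0, attempts_allowed / 10 ** code_digits)


def analyze(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Run the detector over the sample log and return its findings."""
    locked, blocked = detect_lockouts(parse_log(text))
    return {
        "locked": {acct: ts.isoformat() for acct, ts in locked.items()},
        "blocked_count": len(blocked),
        "blocked_events": [(a, e) for _, a, e in blocked],
        "p_success_with_lockout": max_success_probability(5),
        "p_success_unlimited": max_success_probability(1_000_000),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

In the sample, "alice" is locked on the fifth failure within the window, so the sixth guess, the eventual correct code, and the new-device registration that follows are all denied; "bob" has a single failure followed by a legitimate success and is never locked. The window should be measured against the code validity period (30 seconds is the usual TOTP step), and in production the counter would be keyed by account rather than by source address, since automated guessing is easily spread across many addresses.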
What was taken and what it means
The encrypted vaults contain the user’s stored passwords, secure notes, and other credentials, but they are encrypted with the user’s master password, which Dashlane says is never sent to its servers in plaintext. The zero-knowledge architecture means that even with a copy of the vault, an attacker cannot access its contents without the master password. Dashlane states that its vault encryption “ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time.”