Dashlane Details Brute-Force Attack Leading to Encrypted Vault Downloads
Password manager Dashlane disclosed a brute-force attack that compromised 2FA tokens, allowing attackers to download encrypted password vaults for fewer than 20 personal plan users.

Dashlane has revealed details of a sophisticated attack in which threat actors successfully brute-forced two-factor authentication (2FA) tokens to register unauthorized devices and subsequently download encrypted password vaults. The incident, which began on May 31, 2026, impacted fewer than 20 personal plan users, with Dashlane confirming no broader compromise of its internal systems.
The attackers specifically targeted Dashlane's device registration API. They launched a high-volume brute-force campaign, bombarding the API endpoints with automated requests aimed at guessing the 6-digit one-time tokens used for 2FA. While Dashlane's security controls did trigger account lockouts for targeted accounts, the attackers managed to exploit the device registration flow before the attack was fully contained.
This flow is initiated whenever a user adds a new device to their account. Upon successful 2FA verification, the device is registered, and a copy of the user's encrypted vault is automatically downloaded to it. By successfully brute-forcing valid 2FA tokens for a small subset of accounts, the attackers were able to authorize new devices and download encrypted vault copies without the legitimate account holders' knowledge.
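Detection logic for the pattern described above (repeated one-time-code failures against a device-registration endpoint, followed by a successful registration), as an added example that is not Dashlane's own code. The endpoint name, log format and thresholds are assumptions, and the log lines are constructed; the per-IP counter is there because a per-account lockout alone does not see an attacker who spreads guesses across many accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not Dashlane's real API or log format): a device-registration
# endpoint name and a whitespace-separated log line of
# "<ISO timestamp> <source ip> <account> <endpoint> <otp_fail|otp_success>".
ENDPOINT = "/device/register"
WINDOW = timedelta(minutes=5)
PER_ACCOUNT_LIMIT = 10  # failed OTP checks per account that trigger an alert
PER_IP_LIMIT = 20       # failed OTP checks per source IP, summed over all accounts

def parse(line):
    ts, ip, account, endpoint, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, account, endpoint, result

def detect(lines):
    """Return (scope, subject, reason) alerts for OTP brute force on ENDPOINT."""
    failures = defaultdict(list)  # ("account"|"ip", subject) -> failure timestamps
    alerts = []
    for ts, ip, account, endpoint, result in map(parse, lines):
        if endpoint != ENDPOINT:
            continue
        if result == "otp_fail":
            for key, limit in ((("account", account), PER_ACCOUNT_LIMIT),
                               (("ip", ip), PER_IP_LIMIT)):
                bucket = failures[key]
                bucket.append(ts)
                bucket[:] = [t for t in bucket if ts - t <= WINDOW]  # sliding window
                if len(bucket) == limit:  # fire once, when the threshold is crossed
                    alerts.append((key[0], key[1], f"{limit} OTP failures in {WINDOW}"))
        elif result == "otp_success":
            # A registration that succeeds after repeated misses on the same account
            # is the pattern that ends in a vault copy being downloaded.
            n = len(failures[("account", account)])
            if n >= 3:
                alerts.append(("account", account, f"device registered after {n} OTP failures"))
    return alerts

def constructed_log():
    """Constructed sample: one IP sprays five accounts with five wrong codes each
    (no single account reaches the lockout threshold), then lands a sixth
    account's code on the fifth try."""
    lines, sec = [], 0
    for account in ("u1", "u2", "u3", "u4", "u5"):
        for _ in range(5):
            lines.append(f"2026-05-31T02:00:{sec:02d}Z 203.0.113.5 {account} {ENDPOINT} otp_fail")
            sec += 1
    for result in ["otp_fail"] * 4 + ["otp_success"]:
        lines.append(f"2026-05-31T02:00:{sec:02d}Z 203.0.113.5 u6 {ENDPOINT} {result}")
        sec += 1
    return lines

if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```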
Despite the exfiltration of these encrypted vaults, Dashlane emphasizes that the data remains inaccessible to the attackers. The company's zero-knowledge architecture ensures that vault contents are protected by the user's Master Password, which is never transmitted to Dashlane's servers in plaintext and is not stored by the company. The robust encryption stack, combining Argon2 with AES-256-CBC and HMAC-SHA256, makes brute-forcing the Master Password statistically infeasible.
Dashlane completed its investigation on June 4, 2026, and confirmed that no additional customers were affected beyond the initial group. The company has implemented several remediation measures. These include blocking the malicious traffic at the network level, reactivating affected user accounts, and deploying additional verification layers to the device registration process. Furthermore, API endpoint protections have been hardened to better detect and filter future malicious traffic.
This incident serves as a critical reminder that even robust password managers can be attacked at their authentication perimeter, even when their core encryption mechanisms are not compromised. It underscores the importance of strong 2FA configurations and diligent Master Password hygiene as essential defensive measures for all users of such services.
The company has directly notified all affected users and provided guidance on securing their accounts. The investigation found no evidence of any compromise to Dashlane's internal infrastructure throughout the incident.