Password manager Dashlane has confirmed that attackers brute-forced its two-factor authentication system during a weekend cyberattack, gaining access to roughly 20 customer accounts and exfiltrating at least a dozen encrypted password vaults. The company disclosed the incident on its status page and says its own internal systems were not compromised, though it has yet to explain how its 2FA protections were defeated.
What Happened
Over the weekend, threat actors targeted Dashlane's customer-facing authentication layer with automated 2FA brute-force tooling. By cycling through the numeric code space faster than the short-lived one-time codes expired, the attackers were able to register new devices on existing user accounts. That device-registration step is what unlocked vault access, allowing the adversary to download encrypted vault copies tied to roughly 20 victim accounts. Dashlane has notified affected customers and says it has "taken steps to mitigate the risk of future incidents," without detailing what those mitigations entail.
What Was Taken
At least a dozen encrypted customer vaults were exfiltrated. These vaults contain stored passwords and other sensitive credentials such as secure notes, payment data, and recovery codes. The vaults remain encrypted with each customer's master password, which Dashlane says is never uploaded in plaintext and is known only to the user. However, customers using weak, short, or guessable master passwords face elevated risk of offline brute-force decryption of the stolen vault blobs. It is not yet known whether the 20 targeted customers were selected for who they are, what they do, or simply because their accounts were vulnerable.
Why It Matters
Password manager breaches are rare but disproportionately damaging because a single compromised vault can cascade into dozens of downstream account takeovers, including email, banking, cloud infrastructure, and cryptocurrency wallets. The 2022 LastPass incident is the cautionary template: attackers exfiltrated encrypted vault backups, and weak master passwords among early customers led to documented losses, including large-scale cryptocurrency theft that continues to surface years later. Stolen vaults do not expire. Even if a customer rotates every credential today, attackers retain an offline copy they can keep grinding against indefinitely as compute and cracking techniques improve.
The Attack Technique
Dashlane describes the technique as automated brute-forcing of the 2FA numeric code window. Standard TOTP codes are six digits with a 30-second validity window, which makes the search space small enough that an unthrottled or weakly throttled endpoint can be exhausted before expiry. The critical unanswered question is why Dashlane's rate-limiting, lockout, or anomaly detection failed to stop high-velocity code submission against the device-enrollment flow. The pattern: defeat 2FA, register a new device, pull down the vault blob for offline cracking against the master password. The vault itself is end-to-end encrypted, so the attack value lives in the post-exfiltration cracking phase.
What Organizations Should Do
- Rotate high-value credentials in any Dashlane vault, prioritizing crown-jewel accounts, crypto wallet seeds, SSH keys, and federated identity providers. Treat the vault contents as potentially crackable.
- Strengthen master passwords immediately, moving to long passphrases (20+ characters) or hardware-backed authentication where supported. Master password strength is now the only thing standing between victims and full credential exposure.
- Migrate from TOTP to phishing-resistant authentication (FIDO2/WebAuthn hardware keys) for password manager logins and other high-value accounts wherever supported.
- Audit your own authentication endpoints for rate-limiting on 2FA code submission and device-enrollment flows. Verify that velocity anomalies trigger lockout, not just logging.
- Review device-enrollment notifications and logs for any vault account, looking for unfamiliar device registrations over the past 30 days.
- Update incident response playbooks to assume long-tail exposure from stolen encrypted vaults, including future credential rotation triggers if cracking advances are reported.
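As an added example that is not Dashlane's code and does not describe its systems, the following shows the arithmetic behind why an unthrottled six-digit TOTP check is exhaustible inside one 30-second window, alongside a per-account failure budget with lockout of the kind the audit bullet above asks for; the thresholds, account names and codes are illustrative assumptions.

```python
"""Per-account failure budget with lockout for 2FA code submission.

Added example, not Dashlane's code: the thresholds, account names and
codes are illustrative assumptions. It shows why an unthrottled
six-digit TOTP check is exhaustible inside one 30-second window and how
a small failure budget collapses a guesser's odds.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CODE_SPACE = 10 ** 6      # six numeric digits
WINDOW_SECONDS = 30       # standard TOTP time step


@dataclass
class TotpGate:
    max_failures: int = 5          # wrong codes tolerated per account (assumed policy)
    lockout_seconds: int = 900     # lock duration and failure-budget window (assumed)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, account: str, submitted: str, expected: str, now: float) -> str:
        """Return 'ok', 'rejected' or 'locked'; callers get no hint why a code failed."""
        if self.locked_until.get(account, 0.0) > now:
            return "locked"               # refuse even a correct code while locked
        if hmac.compare_digest(submitted, expected):
            self.failures.pop(account, None)
            return "ok"
        count, first = self.failures.get(account, (0, now))
        if now - first > self.lockout_seconds:
            count, first = 0, now         # budget window expired, start a fresh one
        count += 1
        self.failures[account] = (count, first)
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "rejected"


def guess_success_probability(requests_per_second: float,
                              gate: Optional[TotpGate]) -> float:
    """Chance that a guesser hits one valid code within a single 30-second window.

    Without a gate every request is a guess; with a gate the budget caps them.
    """
    guesses = requests_per_second * WINDOW_SECONDS
    if gate is not None:
        guesses = min(guesses, gate.max_failures)
    return min(guesses, CODE_SPACE) / CODE_SPACE
```

Per-account lockout alone can be turned into a denial of service against legitimate users, so production deployments pair it with per-source and per-enrollment-session throttling and alert on the lockout events rather than only logging them.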
Sources: Password manager Dashlane says hackers stole some customers' password vaults