Dashlane Brute-Force Attack Leads to Limited Encrypted Vault Downloads

Dashlane confirmed a brute-force attack that began on May 31, in which attackers exploited 2FA weaknesses to download the encrypted vaults of fewer than 20 personal plan users; the company insists master passwords remain secure. The compromised accounts were locked and restored, and there is no evidence of internal system breaches. According to the company, phishing remains the only viable attack vector for obtaining master passwords.

Dashlane, a password management provider, reported on Monday that it suffered a brute-force attack beginning May 31. Attackers used automated software to rapidly guess 2FA codes, registering their own devices on targeted accounts to download encrypted vaults. The company detected the attack quickly and locked affected accounts, limiting the breach to fewer than 20 personal plan users.

Dashlane emphasized that encrypted vault data cannot be accessed without the user’s master password, and encryption prevents unauthorized access. The company also stated that no internal systems were compromised, noting that phishing remains the only way for attackers to obtain master passwords. Affected users were notified, and their accounts were restored. Dashlane’s security advisory reassured users that the attack was isolated and did not impact its broader infrastructure.

The incident follows recent high-profile breaches, including Carnival’s exposure of 6 million records and Charter Communications’ potential breach of nearly 5 million users. Dashlane’s response highlights the ongoing risks of brute-force attacks on multi-factor authentication systems.
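
The pattern described above (a burst of failed 2FA codes on one account, followed by a new device registration) is something a service can flag in its authentication logs. The following is an added example, not Dashlane's detection logic or code from its advisory; the log format, event names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): timestamp account event
SAMPLE_EVENTS = """\
2000-01-01T09:00:00 alice 2fa_fail
2000-01-01T09:00:20 alice 2fa_fail
2000-01-01T09:00:45 alice 2fa_ok
2000-01-01T09:01:00 alice device_registered
2000-01-01T09:10:00 bob 2fa_fail
2000-01-01T09:10:01 bob 2fa_fail
2000-01-01T09:10:02 bob 2fa_fail
2000-01-01T09:10:03 bob 2fa_fail
2000-01-01T09:10:04 bob 2fa_fail
2000-01-01T09:10:05 bob 2fa_ok
2000-01-01T09:10:06 bob device_registered
2000-01-01T09:20:00 carol 2fa_fail
2000-01-01T09:40:00 carol 2fa_fail
2000-01-01T10:00:00 carol 2fa_fail
2000-01-01T10:20:00 carol 2fa_fail
2000-01-01T10:40:00 carol 2fa_fail
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window
MAX_FAILS = 5                  # assumed failed-code threshold per window

def detect(text, window=WINDOW, max_fails=MAX_FAILS):
    """Return (account, alert) tuples in the order they fire."""
    fails = defaultdict(deque)  # account -> timestamps of recent failed codes
    suspect = set()             # accounts with a failure burst (never expired here)
    alerts = []
    for line in text.splitlines():
        ts_raw, account, event = line.split()
        ts = datetime.fromisoformat(ts_raw)
        q = fails[account]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if event == "2fa_fail":
            q.append(ts)
            if len(q) >= max_fails and account not in suspect:
                suspect.add(account)
                alerts.append((account, "2fa_bruteforce_suspected"))
        elif event == "device_registered" and account in suspect:
            # A guessed code was accepted and a new device enrolled: lock and review.
            alerts.append((account, "device_registered_after_bruteforce"))
        elif event == "2fa_ok" and account not in suspect:
            q.clear()                     # ordinary mistyped codes, then success
    return alerts
```

On the constructed data only bob is flagged: alice mistypes twice before enrolling a new device, and carol's failures are too far apart to fall in one window.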