Dashlane brute-force – Several Dashlane users were locked out after brute-force login attempts triggered the company’s built-in security response. Dashlane later said the affected accounts were unsuspended, denied any evidence of compromise, and pointed to an automated defense again
For some Dashlane users, the day started with an email that felt like trouble—even though they hadn’t asked for anything. The messages contained verification codes for device registration and were linked to suspicious access requests coming from foreign countries.
On Reddit, people described confusion and suspicion. They weren’t the ones initiating new logins, and they couldn’t shake the fear that the codes might be part of a phishing attempt aimed at Dashlane accounts.
A few hours later, Dashlane’s response landed directly on those threads: its systems were safe, and the activity was triggered by brute-force attacks. The company said the lockouts were part of an automated security response designed to protect customers from account hijacking.
In a statement. Jordan Fylolenko. Dashlane Senior Director of Corporate Communications. said. “We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party. resulting in the suspension of those accounts as part of Dashlane’s built-in security controls. The affected accounts have now been unsuspended.”.
Fylolenko added, “Our team is actively engaged in this issue and taking measures to further protect customers. There is no evidence of compromise of Dashlane’s systems.”
The mechanism matters because brute-force attacks are designed to wear down defenses. They attempt logins repeatedly, trying multiple passwords in succession until the correct combination is found. Secure platforms typically rely on protections like rate limiting. CAPTCHA challenges. and account lockouts to stop automated attacks after a threshold of failed attempts.
Dashlane’s timeline then sharpened the picture. On its status page, the company said an investigation into the incident was launched on May 31 at 15:19 UTC. By 22:30 UTC the issue was marked “RESOLVED,” with a claim that all affected accounts had been unsuspended.
On June 1 at 07:32 UTC, Dashlane issued another update confirming the same status. It said its team was monitoring the situation and implementing additional targeted measures.
Still, the sense of uncertainty didn’t fully disappear. Even with the status page flagging the incident as resolved, some users continued to report login problems, saying support was unresponsive.
BleepingComputer asked Dashlane additional questions about the incident—including the number of impacted accounts—but the company had not provided a response as of publication.
Taken together, the sequence explains why the incident felt so personal for users: the very safeguards meant to prevent hijacking sent confusing alerts to people who didn’t trigger device registration requests in the first place.
Dashlane password manager brute force attack account lockout account hijacking suspicious access requests verification codes cybersecurity