
Dashlane says attackers stole encrypted vaults after 2FA brute-force


On a weekend, when most people are least likely to be watching their accounts, Dashlane says hackers broke through its two-factor authentication protections. The result, the password manager now says, was the theft of at least a dozen encrypted vaults containing customer passwords and other sensitive credentials.

In an update on its incident page, Dashlane said the attackers brute-forced its two-factor authentication system, which then granted them access to about 20 customer accounts. Defeating that 2FA mechanism allowed the hackers to download a copy of certain customers’ encrypted vaults, which Dashlane describes as scrambled and unreadable without the customer’s master password.

Dashlane’s statement is careful on one key point: it said there was no evidence of compromise of its own systems. But the company has not yet said how attackers were able to defeat its two-factor protections to access customer accounts in the first place, nor has it addressed the first factor: a second-factor challenge is normally presented only after a username and password have already been accepted.

Two-factor authentication is supposed to stop exactly this kind of intrusion. It is designed to prevent an account from being accessed with just a stolen username and password by requiring an additional short-lived passcode, typically sent to, or generated by an app on, the account holder’s phone. Dashlane says the attackers’ goal wasn’t simply to log in. In the company’s account of the attack, the objective was to “brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”

Dashlane describes how brute-forcing can be attempted in practice: automated software can “rapidly submit every possible numeric combination to the system, hoping to guess the exact sequence before the short-lived [two-factor] security code expires.” A six-digit code has only a million possible values, so the attack hinges on whether the server lets a client keep submitting wrong codes for the whole lifetime of the code; the weakness being exploited is the absence of that limit, not any flaw in the codes themselves.
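The following is an added illustration, not Dashlane’s code and not a description of its systems: a hypothetical server-side TOTP check (standard RFC 6238 codes, which the page does not say Dashlane uses) with and without an attempt limit, plus a simulation of the attack the quote describes, submitting 000000, 000001, … as fast as a constructed request rate allows until the code is accepted, the 30-second window ends, or the account locks. The shared secret, the attack rate of 100,000 requests per second and the lockout threshold of five wrong codes are constructed assumptions.

```python
# Added example (not Dashlane's code): why an un-throttled 6-digit OTP check
# can be brute-forced inside one 30-second window, and how an attempt limit
# stops it. Uses RFC 4226/6238 codes; all secrets and rates are constructed.
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(key, int(now // step), digits)


class OtpVerifier:
    """Server-side second-factor check for one account.
    max_attempts=None models a service with no throttling; an integer models a
    lockout after that many consecutive wrong codes (hypothetical policy)."""

    def __init__(self, key: bytes, max_attempts=None):
        self.key = key
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False
        self._window = None      # cache of the current window's expected code
        self._expected = None

    def verify(self, code: str, now: float) -> bool:
        if self.locked:
            return False
        window = int(now // STEP)
        if window != self._window:
            self._window, self._expected = window, hotp(self.key, window)
        if hmac.compare_digest(self._expected, code):   # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True   # refuse further codes until an operator resets the account
        return False


def brute_force(verifier: OtpVerifier, start: float, rate: float):
    """Model the attack quoted on the page: submit every code in order at `rate`
    requests/second. Returns (accepted_code or None, attempts_made)."""
    window_end = (int(start // STEP) + 1) * STEP
    now, attempts = start, 0
    for guess in range(10 ** DIGITS):
        if now >= window_end or verifier.locked:
            break
        attempts += 1
        if verifier.verify(str(guess).zfill(DIGITS), now):
            return str(guess).zfill(DIGITS), attempts
        now += 1.0 / rate
    return None, attempts


def guess_probability(attempts: int, digits: int = DIGITS) -> float:
    """Chance that a budget of distinct guesses in one window hits the live code."""
    return min(attempts, 10 ** digits) / 10 ** digits


def demo():
    key = b"constructed-demo-shared-secret"   # constructed; real secrets are random bytes
    start = 1_700_000_010.0                   # a window boundary, so the full 30 s is available
    unthrottled = OtpVerifier(key)
    cracked, n = brute_force(unthrottled, start, rate=100_000)
    throttled = OtpVerifier(key, max_attempts=5)
    blocked, m = brute_force(throttled, start, rate=100_000)
    return {"live_code": totp(key, start), "cracked": cracked, "attempts": n,
            "throttled_result": blocked, "throttled_attempts": m,
            "locked": throttled.locked, "per_window_odds": guess_probability(5)}


if __name__ == "__main__":
    print(demo())
```

At 100,000 requests per second the un-throttled verifier exhausts the million-code space in ten seconds, well inside the window, so the live code is always found; the five-attempt verifier locks after five wrong codes, leaving the attacker a 5-in-a-million chance per window. A real deployment would also throttle per source address and device, expire the code on too many failures rather than only on time, and alert on bursts of second-factor failures for one account.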

For customers, the message is both reassuring and unsettling. The stolen vaults are encrypted, and Dashlane says the master password is known only to the customer and is never sent to Dashlane in plaintext. Still, Dashlane added that customers with an easily guessed master password may be at greater risk, because an attacker holding a copy of the vault can try master-password guesses offline, with none of the rate limits a live login would impose, and decrypt the vault if a guess succeeds.

The company said it has notified the 20 or so customers whose encrypted vaults were stolen. It hasn’t said whether the customers were targeted for a reason, such as who they are or what they do for a living, and it also hasn’t said whether the attackers contacted Dashlane with demands, such as a ransom.

Dashlane also said it has “taken steps to mitigate the risk of future incidents,” without specifying what those steps are. Spokespeople did not respond to a request for comment.

What makes this incident land harder is the broader history of attacks on password managers, because when these tools fail, the fallout can linger. Data breaches affecting password manager companies are rare, but LastPass confirmed in 2022 that backups of customer password vaults were stolen during a cyberattack. While those vaults were protected with passwords known only to the customer, LastPass said its early customers’ password requirements were far weaker than the later standard, enabling hackers to brute-force and guess the master passwords of some customers’ vaults. In the months afterward, there were multiple reports of hackers stealing large amounts of customers’ crypto, likely after cracking the master passwords of stolen LastPass vaults that held private keys.

A year before that, Australian software house Click Studios warned customers using Passwordstate to “reset all credentials” after hackers compromised its software update mechanism to plant malware on customer systems.

The common thread in those stories is that the attacker doesn’t need to read everything immediately. With enough time and the right foothold, stolen vaults can become useful later, whether through weak master passwords, compromised update paths or, in Dashlane’s case, access achieved by defeating 2FA long enough to pull encrypted copies and attempt further steps.

For now, Dashlane says it has informed the affected customers and has taken steps to reduce the risk of future incidents, but it still hasn’t explained the missing piece: how its two-factor protections were defeated well enough to open the door to those accounts. Until that gap is closed, customers are left with a familiar, uncomfortable question: what, exactly, will attackers try next?


4 Comments

  1. Wait, they stole “encrypted vaults” but then it says it’s unreadable without the master password… so did the hack even matter? I feel like they’re just trying to scare people.

  2. This sounds like one of those cases where the hackers didn’t break Dashlane, they broke the customers. Like if your phone number was leaked or whatever, then 2FA fails. Idk why they’re wording it like “no evidence of compromise” but people still got targeted.

  3. “Brute-force 2FA” is wild. I saw another post that said SMS 2FA can be gamed if someone has SIM stuff, but the article doesn’t say how they did it. Also they say they registered new devices on existing accounts… so wouldn’t that mean Dashlane’s whole app trust model is screwed? Anyway I’m switching password managers just in case, even though it says the vaults were scrambled.
