Dashlane says brute force attempt exposed 20 vaults

Dashlane says hackers used a brute-force approach to overwhelm its two-factor authentication system, downloading encrypted password vault copies tied to around 20 users—without compromising Dashlane’s internal systems.
On the night Dashlane discovered the attack, it wasn’t the password vaults that worried the company first—it was the way the hackers tried to get around the gatekeeping layer designed to stop exactly that.
Dashlane, the maker of the Dashlane password manager, says several users’ password vaults were exposed as part of a “brute force attack.” The company estimates that hackers downloaded copies of the password vaults of around 20 users. Even so, Dashlane stresses that the vault data remains encrypted unless an attacker has access to a user’s Master Password.
The company says the attackers didn’t break into Dashlane’s internal systems to reach those vaults. Instead, it describes the assault as an attempt to “brute-force two-factor authentication (2FA) protections” so the attacker could register new devices on existing user accounts.
Dashlane’s own description is blunt about the method. It says the attackers likely used “automated software to rapidly submit every possible number combination” into Dashlane’s two-factor authentication system—essentially trial and error at the scale needed to overwhelm a protection built for time-sensitive codes sent over text or email.
In its status page update, Dashlane warned that the attack’s objective was not to unlock vault content directly, but to get through the login barrier in a way that would let fraudulent logins become “legitimate” enough to add devices.
Dashlane says its security controls automatically locked the accounts the hackers were targeting because of the high volume of login attempts. It also says users impacted by the attack have been notified, and that “traffic from threat actors has been blocked.”
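As an added illustration, not Dashlane's own code (which the article does not show), the Python sketch below models the two controls the report describes: a short-lived numeric second-factor code and an automatic lock once a small number of guesses fail, then counts what happens when every combination is submitted in sequence. The attempt limit, lockout window, code lifetime and user names are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed limits for illustration; the article does not state Dashlane's.
MAX_FAILED_ATTEMPTS = 5    # failed guesses before the account locks
LOCKOUT_SECONDS = 15 * 60  # while locked, every code is rejected, even the right one
CODE_TTL_SECONDS = 5 * 60  # a text/email code is only valid for a short window

@dataclass
class PendingCode:
    code: str
    issued_at: float
    failed: int = 0
    locked_until: float = 0.0

class OtpVerifier:
    """Hypothetical second-factor check: per-account failure counter plus lockout."""
    def __init__(self):
        self.pending = {}  # user -> PendingCode

    def issue_code(self, user, now, code=None):
        # A 6-digit code has only 10**6 values, so the guess budget must stay tiny.
        code = code if code is not None else f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingCode(code=code, issued_at=now)
        return code

    def verify(self, user, guess, now):
        st = self.pending.get(user)
        if st is None:
            return "no_code"
        if now < st.locked_until:
            return "locked"  # lockout is checked before the code itself
        if now - st.issued_at > CODE_TTL_SECONDS:
            return "expired"
        if hmac.compare_digest(st.code, guess):
            del self.pending[user]  # single use: a correct code cannot be replayed
            return "ok"
        st.failed += 1
        if st.failed >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"

def simulate_spray(verifier, user, now, attempts):
    """Outcome counts when one client rapidly submits `attempts` sequential guesses."""
    counts = {}
    for guess in range(attempts):
        result = verifier.verify(user, f"{guess:06d}", now)
        counts[result] = counts.get(result, 0) + 1
    return counts
```

With these limits a burst of 1000 guesses yields four "wrong" results and 996 "locked" ones, so the volume of attempts is itself the signal that triggers the lock, as the article describes.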
The company adds that it has taken steps to mitigate the risk of future incidents. It still recommends that users review which devices are associated with their account, enable two-factor authentication, and use a stronger Master Password.
Engadget reached out to Dashlane for more information about the incident and prevention plans, and said it would update the report if more details are provided.
So the vaults were “encrypted” but like… how do we know? I feel like 20 is still way too many.
Typical. They say they didn’t “compromise internal systems” like that matters when the damage is already done. I bet some dev somewhere messed up the 2FA too.
Wait so they tried brute force on the 2FA and downloaded copies? Wouldn’t that mean they already had access to the master password? Or is the master password basically useless if someone can spam the login enough. Idk
This is why I just keep my passwords written on paper lol. They’re saying “automated software” guessed codes like the text/email thing is breakable, but the article also says it locked accounts so… which is it? Also why was 2FA even needed if they can register new devices anyway.