Cybercrime

Dashlane Brute-Force Attack Leads to Limited Encrypted Vault Downloads

Dashlane’s security systems automatically locked accounts to protect them against the hacking attempts.

Password manager security

Password management and credential security solutions provider Dashlane revealed on Monday that it has been targeted in a brute-force attack campaign that resulted in a limited number of encrypted vaults being downloaded by the attackers.

According to Dashlane, the attack began on May 31, with attackers attempting to brute-force 2FA to register their own devices on targeted accounts. 

The hackers, the company said, used automated software to “rapidly submit every possible numeric combination to the system, hoping to guess the exact sequence before the short-lived security code expires”.

Registering a device gives the attacker the access required to download the targeted user’s encrypted vault from Dashlane servers.

The attack was quickly detected and the targeted accounts were automatically locked to limit impact. 

However, Dashlane said the attackers did manage to compromise some accounts. The threat actor downloaded a copy of the encrypted vaults belonging to fewer than 20 personal plan users. 

Advertisement. Scroll to continue reading.

“Dashlane vault data cannot be accessed without the Master Password, and our vault encryption ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time,” Dashlane said

The company noted that the only way for an attacker to obtain a user’s master password is through phishing.

The locked accounts have since been restored and affected users have been notified.

“There is no evidence that Dashlane’s internal system has been impacted,” Dashlane said.

Related: Carnival Data Breach Exposed 6 Million People

Related: Charter Communications Data Breach Could Impact Nearly 5 Million

Related: 185,000 Likely Impacted by 7-Eleven Data Breach

Related Content

Identity & Access

SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts.

Data Protection

Researchers at ETH Zurich have tested the security of Bitwarden, LastPass, Dashlane, and 1Password password managers.

Application Security

GitHub will implement local publishing with mandatory 2FA, granular tokens that expire after seven days, and trusted publishing.

Network Security

The company sent a new preferences file to less than 5% of customers, urging them to import it into firewalls and reset their passwords.

Data Protection

A researcher has tested nearly a dozen password managers and found that they were all vulnerable to clickjacking attacks.

Nation-State

Iranian threat actors use brute force techniques in attacks against critical infrastructure organizations, the US, Australia, and Canada warn.

Cybersecurity Funding

European password management startup Uniqkey has raised €5.35 million (~$5.9 million) from BackingMinds.

Malware & Threats

Cisco has observed an increase in brute-force attacks targeting web application authentication, VPNs, and SSH services.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version