
Dashlane has disclosed that attackers were able to download copies of encrypted password vaults for a small subset of users during a brute-force attack that targeted customer accounts over the weekend.
The company says the incident did not involve a breach of its internal systems and that the stolen vaults remain protected by users' master passwords.
The disclosure comes a day after Dashlane confirmed that an external party had launched a large-scale brute-force campaign against certain customer accounts, triggering account suspension emails, unusual login notifications, and authentication issues for many users.
According to a security advisory published by Dashlane on June 1, the attack began on May 31 and specifically targeted the service's two-factor authentication (2FA) protections. The attackers attempted to guess temporary authentication codes through automated brute-force attempts in order to register new devices with existing Dashlane accounts.
The campaign generated a high volume of authentication requests, causing Dashlane's automated security controls to lock targeted accounts. Users subsequently received account suspension notifications and, in some cases, experienced login difficulties while the company investigated the activity.
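The detection side of this is worth making concrete. The following Python is an added illustration, not Dashlane's code and not its log format: it parses a constructed batch of authentication log lines in a hypothetical `key=value` layout, flags any account whose failed 2FA verifications inside a sliding window exceed a threshold (the kind of automated control that locked the targeted accounts), and computes why such a control is essential, since an unthrottled attacker guessing a 6-digit code has a roughly 63% chance of success after a million tries while a lockout after five attempts caps that at about five in a million. Field names, thresholds and timestamps are all assumptions.

```python
"""Detect brute forcing of 2FA codes from auth logs (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value schema (not Dashlane's real logs).
SAMPLE_LOG = """\
2025-05-31T02:14:07Z account=alice event=2fa_verify result=fail src=203.0.113.5
2025-05-31T02:14:09Z account=alice event=2fa_verify result=fail src=203.0.113.5
2025-05-31T02:14:11Z account=alice event=2fa_verify result=fail src=198.51.100.7
2025-05-31T02:14:12Z account=bob event=2fa_verify result=fail src=192.0.2.44
2025-05-31T02:14:14Z account=alice event=2fa_verify result=fail src=198.51.100.7
2025-05-31T02:14:16Z account=alice event=2fa_verify result=fail src=203.0.113.5
2025-05-31T02:14:18Z account=alice event=2fa_verify result=fail src=203.0.113.9
2025-05-31T02:14:20Z account=bob event=2fa_verify result=success src=192.0.2.44
2025-05-31T02:30:00Z account=carol event=2fa_verify result=fail src=192.0.2.10
2025-05-31T02:40:00Z account=alice event=2fa_verify result=fail src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(d)
    return events


def detect_2fa_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return accounts with at least `threshold` failed 2FA checks inside any sliding window."""
    per_account = defaultdict(list)
    for e in events:
        if e["event"] == "2fa_verify" and e["result"] == "fail":
            per_account[e["account"]].append(e)

    flagged = {}
    for account, fails in per_account.items():
        fails.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        for end in range(len(fails)):
            # Advance the window start until the oldest failure fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[account] = {
                "max_failures_in_window": best,
                "total_failures": len(fails),
                "sources": sorted({e["src"] for e in fails}),
            }
    return flagged


def guess_success_probability(attempts, code_space=10**6, valid_codes=1):
    """Chance that `attempts` random guesses hit one of `valid_codes` codes accepted at that moment."""
    return 1 - (1 - valid_codes / code_space) ** attempts


if __name__ == "__main__":
    hits = detect_2fa_bruteforce(parse_log(SAMPLE_LOG))
    for account, info in hits.items():
        print(f"LOCK {account}: {info}")
    print("no limit, 1e6 guesses:", round(guess_success_probability(10**6), 4))
    print("lockout after 5 guesses:", guess_success_probability(5))
```

Note that real TOTP verifiers usually accept a small skew window of codes, which `valid_codes` models; widening that window without tightening the attempt limit raises the attacker's odds proportionally.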
While the company initially described the incident as a brute-force attack against user accounts, the newly published FAQ reveals that attackers successfully obtained copies of encrypted vaults belonging to a small number of customers.
“In those few cases, the attackers were only able to copy the encrypted vault, which requires the master password to unlock,” Dashlane said.
The company stated that all affected users have been notified directly. Dashlane emphasized that customers who did not receive a specific notification regarding vault exposure were not impacted by the vault-copying aspect of the incident.
According to the advisory, fewer than 20 personal plan users had their encrypted vaults downloaded.
The company maintains that vault contents remain protected because Dashlane's architecture encrypts data before it is stored on company servers. Master passwords are not transmitted to Dashlane in plaintext, meaning attackers cannot retrieve them directly from the service.
However, possession of an encrypted vault enables attackers to conduct offline password-cracking against the vault's data. The success of such efforts largely depends on the strength and uniqueness of the user's master password. Dashlane argues that its encryption model makes successful cracking attempts “statistically unlikely to succeed, even over a long period of time.”
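To show what "encrypted before it is stored" and "depends on the strength of the master password" mean in practice, here is an added Python model; it is illustrative code, not Dashlane's implementation, and the KDF choice (PBKDF2-HMAC-SHA256) and iteration count are assumptions since the article does not state the real parameters. The client derives the vault key from the master password and a salt, the server only ever sees a separate one-way token rather than the password or key, and a small cost model shows how a slow KDF and password entropy together set the expected offline-guessing time.

```python
"""Client-side vault key derivation and offline-guessing cost model (added example; parameters assumed)."""
import hashlib
import math
import os
import time

# Assumed parameters for illustration only; not the service's actual configuration.
KDF_ITERATIONS = 200_000
KEY_LEN = 32
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password, salt, iterations=KDF_ITERATIONS):
    """Derive the vault encryption key on the client; the master password never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def server_auth_token(vault_key):
    """Domain-separated one-way value a server could hold for login; it reveals neither key nor password."""
    return hashlib.sha256(b"auth-token|" + vault_key).hexdigest()


def estimate_entropy_bits(password):
    """Crude upper bound: length x log2(pool size). Human-chosen passwords usually score far lower."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def measure_guesses_per_second(samples=3, iterations=KDF_ITERATIONS):
    """Measure KDF evaluations per second on this machine: the offline guess rate for one core."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - t0)


def expected_crack_years(entropy_bits, guesses_per_second):
    """Expected time to reach the right guess (on average, half the keyspace)."""
    seconds = (2 ** entropy_bits / 2) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key (client only):", key.hex()[:16], "...")
    print("server-held token:", server_auth_token(key)[:16], "...")
    rate = measure_guesses_per_second()
    print(f"one core here: {rate:.1f} guesses/s at {KDF_ITERATIONS} iterations")
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        bits = estimate_entropy_bits(pw)
        # Hypothetical attacker with 10,000 cores' worth of throughput.
        years = expected_crack_years(bits, rate * 10_000)
        print(f"{pw!r}: ~{bits:.0f} bits -> {years:.3g} years")
```

The point the numbers make is the one in the article: the KDF cost is fixed by the vendor, so once a vault copy is offline the only variable the user controls is the entropy term, and each additional bit doubles the expected work.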
Dashlane also reiterated that there is currently no evidence its internal infrastructure was breached during the incident, describing the attack as one directed at individual customer accounts rather than company systems.
As part of its response, the company says it blocked malicious traffic, restored access to suspended accounts, and implemented additional mitigations designed to reduce the risk of similar attacks in the future. Some customers had temporarily been prevented from adding new devices or logging into their accounts while the investigation was underway. The investigation remains ongoing.
Users are advised to review the list of devices associated with their Dashlane accounts and remove any that are unfamiliar. Those who have not enabled two-factor authentication should do so immediately. While Dashlane says most users do not need to change the passwords stored in their vaults, anyone who suspects their master password is weak, reused, or easily guessed should update it as soon as possible.