Hackers brute-forced Dashlane 2FA, downloaded encrypted vaults

June 2, 2026
TL;DR

Attackers brute-forced Dashlane’s 2FA system to register new devices on fewer than 20 accounts, downloading their encrypted password vaults. The vaults remain encrypted with master passwords Dashlane never stores, but users with weak passwords face offline cracking risk.

Dashlane disclosed on Sunday that an external attacker launched a brute-force attack against its two-factor authentication system, successfully bypassing 2FA protections on fewer than 20 personal plan user accounts and downloading copies of their encrypted password vaults. The attack, which began on 31 May, triggered automatic account lockouts across a wider set of targeted users as Dashlane’s security controls detected the high volume of authentication attempts.

The method was straightforward. Attackers used automated software to rapidly submit every possible numeric combination for time-based 2FA codes, attempting to guess the correct sequence before each short-lived code expired. When successful, this allowed them to register a new device on the targeted account, which in turn gave them the access required to download the user’s encrypted vault from Dashlane’s servers.

What was taken and what it means

The encrypted vaults contain the user’s stored passwords, secure notes, and other credentials, but they are encrypted with the user’s master password, which Dashlane says is never sent to its servers in plaintext. The zero-knowledge architecture means that even with a copy of the vault, an attacker cannot access its contents without the master password. Dashlane states that its vault encryption “ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time.”

That assurance holds only if the affected users chose strong, unique master passwords. If any of the fewer than 20 users whose vaults were downloaded used weak or reused master passwords, those vaults could be cracked offline using dictionary attacks or brute-force methods. Credential stuffing attacks, which use passwords exposed in other breaches, are particularly effective against users who reuse credentials across services.

The 2FA weakness

The attack exploited a fundamental limitation of time-based one-time password (TOTP) 2FA codes: they are typically six digits, giving only one million possible combinations per 30-second window. Automated systems can submit thousands of attempts per second, and if rate limiting is insufficiently aggressive, the probability of guessing a valid code within its lifespan becomes non-trivial over many attempts.

Dashlane’s security controls detected the attack and locked affected accounts, which prevented broader compromise but caused disruption for legitimate users who found themselves locked out. The tension between security lockouts and user experience is a recurring challenge for authentication systems: aggressive lockouts stop attackers but also create denial-of-service effects for real users.
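
To put numbers on the two paragraphs above, the following Python sketch is an added example, not taken from Dashlane's advisory or code. It models the chance of a correct guess with and without a per-account failure cap; the guess rate, cap and lockout length are assumed values, and `FailureLimiter` is a hypothetical in-memory limiter.

```python
import math

CODE_SPACE = 10 ** 6   # six-digit codes, as in the article
STEP_SECONDS = 30      # code lifetime, as in the article

def p_hit_in_window(guesses, accepted_codes=1):
    """Chance that `guesses` distinct codes include a currently valid one.
    accepted_codes > 1 models a verifier that also accepts adjacent steps."""
    guesses = min(guesses, CODE_SPACE)
    # P(miss) = C(N - k, a) / C(N, a): none of the a valid codes was guessed.
    miss = math.comb(CODE_SPACE - guesses, accepted_codes) / math.comb(CODE_SPACE, accepted_codes)
    return 1.0 - miss

def p_hit_unthrottled(guesses_per_window, seconds, accepted_codes=1):
    """Cumulative chance when nothing limits attempts for `seconds`."""
    windows = int(seconds // STEP_SECONDS)
    return 1.0 - (1.0 - p_hit_in_window(guesses_per_window, accepted_codes)) ** windows

def p_hit_with_cap(max_failures, lockout_seconds, seconds, accepted_codes=1):
    """Approximate chance when an account locks after max_failures wrong codes."""
    rounds = int(seconds // lockout_seconds) + 1
    return 1.0 - (1.0 - accepted_codes / CODE_SPACE) ** (rounds * max_failures)

class FailureLimiter:
    """Per-account failure counter with a timed lockout (in-memory sketch)."""
    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self._state = {}  # account -> (failures, locked_until)

    def allowed(self, account, now):
        return now >= self._state.get(account, (0, 0.0))[1]

    def record(self, account, ok, now):
        if ok:
            self._state.pop(account, None)
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        locked = failures >= self.max_failures
        self._state[account] = (0, now + self.lockout_seconds) if locked else (failures, 0.0)

if __name__ == "__main__":
    # Constructed rates for illustration; not figures from the incident.
    print(f"1,000 guesses per window for 1 hour: {p_hit_unthrottled(1000, 3600):.3f}")
    print(f"5 failures then 15 min lock, 24 hours: {p_hit_with_cap(5, 900, 86400):.5f}")
```

The same lockout that shrinks the attacker's odds is what locks out the legitimate owner of a targeted account, which is the trade-off described above.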

Dashlane says its investigation found no evidence that its own systems were compromised. The attack targeted user accounts externally rather than exploiting a vulnerability in Dashlane’s infrastructure.

The LastPass echo

The incident will inevitably draw comparisons to the 2022 LastPass breach, in which attackers stole encrypted password vaults belonging to millions of users. In that case, researchers later confirmed that some vaults with weak master passwords were cracked, leading to cryptocurrency thefts and other real-world harm. Law enforcement has increasingly targeted cybercriminal infrastructure, but offline vault cracking happens beyond the reach of any server-side protection.

The scale is different, fewer than 20 vaults versus millions, but the principle is identical: an encrypted vault is only as secure as the master password protecting it. Dashlane’s advice to affected users is to review registered devices, remove any unrecognised ones, enable 2FA if not already active, and, most critically, use a strong, unique master password that is long and difficult to guess.

The disclosure follows responsible security communication practices, with Dashlane publishing its advisory promptly and providing specific remediation steps. But the incident raises a broader question for the password manager industry: if 2FA can be brute-forced to register new devices, what additional authentication layers are needed to protect the most sensitive consumer security product most people use?


