Password manager Dashlane disclosed on June 2 that attackers accessed approximately 20 customer accounts during a weekend cyberattack and downloaded encrypted copies of their password vaults. According to the company, the attackers brute-forced its two-factor authentication using automated software that rapidly submitted every possible numeric combination, guessing the short-lived 2FA codes before they expired; a correct guess let them register new devices on existing accounts and download vault copies. Dashlane said there was no evidence its own systems were compromised, but it has not explained how its 2FA rate limiting failed to stop the guessing, which is the control that is supposed to make guessing a short numeric code impractical. It said it has “taken steps to mitigate the risk of future incidents” without specifying what those steps were, and has notified the roughly 20 affected customers. Dashlane did not respond to TechCrunch’s request for comment; it has not disclosed whether the victims were targeted specifically, who carried out the attack, or whether any ransom demands were made.
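The attack described above comes down to how many guesses a verifier lets an attacker submit against one account. The following simulation is an added example, not Dashlane’s code and not a description of Dashlane’s system (the article does not say which kind of code was in use or what limits existed). It assumes a 6-digit RFC 6238 TOTP code with a 30-second step, a verifier that accepts one step of clock skew in either direction, and an attacker submitting `rate` guesses per second; the secret, rates and lockout values are all constructed for the demo.

```python
"""Online brute force against a 6-digit 2FA code, with and without a
per-account attempt limit.  Added example, not Dashlane's code.
Assumptions (constructed): RFC 6238 TOTP, 6 digits, 30 s step, verifier
accepts +/-1 step of skew, attacker submits `rate` guesses per second."""
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30                  # seconds per TOTP step
SKEW = 1                   # verifier accepts steps t-1, t and t+1
SPACE = 10 ** DIGITS       # 1,000,000 possible codes
ACCEPTED = 2 * SKEW + 1    # codes that are valid at any instant

# Constructed per-account seed; a real one is random and unique per user.
SECRET = b"constructed-demo-seed-not-a-real-key"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time step, RFC 4226 truncation."""
    msg = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % SPACE:0{DIGITS}d}"


class Verifier:
    """Server-side check.  max_attempts=None models a verifier with no
    per-account limit; otherwise `max_attempts` consecutive failures lock
    the account for `lockout` seconds, during which even the right code
    is refused."""

    def __init__(self, secret: bytes, max_attempts=None, lockout: int = 900):
        self.secret = secret
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures = 0
        self.locked_until = 0
        self._cache = {}        # step -> list of currently valid codes

    def _valid_codes(self, now: int):
        step = now // STEP
        if step not in self._cache:
            self._cache = {step: [totp(self.secret, (step + d) * STEP)
                                  for d in range(-SKEW, SKEW + 1)]}
        return self._cache[step]

    def locked(self, now: int) -> bool:
        return now < self.locked_until

    def verify(self, code: str, now: int) -> bool:
        if self.locked(now):
            return False
        if any(hmac.compare_digest(code, c) for c in self._valid_codes(now)):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.lockout
        return False


def brute_force(verifier: Verifier, rate: float, start: int = 1_700_000_000,
                budget: int = 24 * 3600) -> dict:
    """Sequential guesses at `rate` per second of simulated time, giving up
    after `budget` simulated seconds.  A locked-out attacker just waits."""
    now = float(start)
    attempts = 0
    guess = 0
    while now - start < budget:
        if verifier.locked(int(now)):
            now = float(verifier.locked_until)
            continue
        attempts += 1
        if verifier.verify(f"{guess:0{DIGITS}d}", int(now)):
            return {"success": True, "attempts": attempts, "seconds": now - start}
        guess = (guess + 1) % SPACE
        now += 1.0 / rate
    return {"success": False, "attempts": attempts, "seconds": float(budget)}


def expected_seconds(rate: float, max_attempts=None, lockout: int = 900) -> float:
    """Each guess succeeds with probability ACCEPTED/SPACE, so on average
    SPACE/ACCEPTED guesses are needed.  Finishing a sweep inside one code's
    lifetime is irrelevant; what matters is guesses allowed per unit time."""
    guesses = SPACE / ACCEPTED
    if max_attempts is None:
        return guesses / rate
    return guesses / max_attempts * lockout


if __name__ == "__main__":
    print("expected, no limit, 200 guesses/s: %.0f s" % expected_seconds(200))
    print("expected, 5 tries per 15 min lockout: %.1f years"
          % (expected_seconds(200, 5, 900) / (365 * 86400)))
    print("simulated, no limit:", brute_force(Verifier(SECRET), rate=200))
    print("simulated, limited: ", brute_force(Verifier(SECRET, 5, 900), rate=200))
```

Two points the simulation makes concrete. First, code rotation does not protect the account on its own: every guess has the same small chance of matching one of the currently accepted codes, so the expected effort is roughly a third of a million guesses whether or not the attacker finishes a sweep before a code expires. Second, the difference between minutes and years is entirely the per-account limit; a real deployment would pair it with a per-IP limit, alerting on repeated 2FA failures, and a step-up check before any new-device registration is honoured.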
The stolen vaults are encrypted and cannot be read without each customer’s master password, which Dashlane says is never uploaded to its servers in plaintext. The company warned, however, that customers with weak or easily guessable master passwords face elevated risk of having their vault contents decrypted: once an attacker holds the vault file, guessing happens offline, with no rate limit and no lockout, and the only things slowing it down are the strength of the master password and the work factor of the key-derivation function. The incident falls into a rare but consequential category of breach for the password manager industry. In 2022, LastPass confirmed that encrypted vault backups had been stolen, and in the years since, researchers and security journalists have documented cases where attackers cracked the master passwords of early LastPass accounts whose encryption used older, weaker settings (in particular, lower key-derivation iteration counts), leading to significant cryptocurrency theft from private keys stored in victims’ vaults.
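To make the offline-guessing risk concrete, here is an added example of a dictionary attack against a stolen vault file. It is not Dashlane’s or LastPass’s code or file format. It assumes, for illustration, that the vault key is derived from the master password with PBKDF2-HMAC-SHA256 using a stored salt and iteration count, and that the file carries a key-check value (an HMAC of a fixed header under that key) so a guess can be tested without decrypting the payload; the header, wordlist and passwords are all constructed.

```python
"""Offline guessing against a stolen, encrypted vault.  Added example, not
Dashlane's or LastPass's code or format.  Assumptions (constructed): key =
PBKDF2-HMAC-SHA256(master password, salt, iterations); the file stores a
key-check value so a guess can be tested without decrypting the payload."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

HEADER = b"constructed-vault-v1"   # constructed; any fixed, known header works


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def make_vault(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """What a thief ends up holding.  Salt and iteration count are stored in
    the clear; they have to be, or the owner could not reopen the vault."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, HEADER, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def guess_is_right(vault: dict, guess: str) -> bool:
    """One guess costs exactly one KDF run; nothing throttles the attacker."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    tag = hmac.new(key, HEADER, hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["check"])


def crack(vault: dict, wordlist) -> Tuple[Optional[str], int]:
    """Dictionary attack.  Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if guess_is_right(vault, guess):
            return guess, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure KDF cost on this machine; it scales linearly with iterations."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for i in range(samples):
        derive_key(f"timing-{i}", salt, iterations)
    return (time.perf_counter() - t0) / samples


def seconds_to_exhaust(guess_space: int, iterations: int,
                       ref_iterations: int = 5_000) -> float:
    """Single-core estimate, scaled linearly from a measurement at
    `ref_iterations`.  Real attackers use GPU clusters, so read this as
    the defender's cost ceiling, not a prediction of the attacker's."""
    per_guess = seconds_per_guess(ref_iterations) * iterations / ref_iterations
    return guess_space * per_guess


# Constructed wordlist standing in for a real leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024",
            "iloveyou", "welcome1", "dragon", "monkey", "abc123"]


if __name__ == "__main__":
    weak = make_vault("welcome1", iterations=5_000)
    strong = make_vault("correct horse battery staple", iterations=600_000)
    print("weak vault, low iteration count:", crack(weak, WORDLIST))
    print("strong vault vs the same wordlist:", crack(strong, WORDLIST))
    for it in (5_000, 100_000, 600_000):
        print(f"{it:>7} iterations: {seconds_per_guess(it, 1) * 1000:.1f} ms per guess")
    # Four random words from a 7776-word list, 600k iterations, one core:
    years = seconds_to_exhaust(7776 ** 4, 600_000) / (365 * 86400)
    print(f"exhaust 7776**4 guesses: {years:.0f} years")
```

The weak vault falls on the seventh guess regardless of iteration count; the iteration count only changes how fast each guess is tested. That is why both halves matter for a stolen vault: a low work factor makes a wordlist run cheap, and a master password that appears in any wordlist is found no matter how high the work factor is.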