Skip to content

Dashlane’s Opaque Advisory on Vault Theft Leaves Users Concerned

A recent security advisory from password manager Dashlane has left many users scratching their heads. The company warned that attackers managed to obtain 20 encrypted user vaults through a brute force attack, but the details of how this was accomplished are unclear.

According to the advisory, an external party launched a brute force attack against certain Dashlane user accounts on May 31, 2026. The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts. However, this has raised several questions among users and security experts.

Brute-Forcing 2FA: A Misleading Explanation?

Dashlane’s advisory states that the attackers used a brute force attack against 2FA protections. But what does this mean? Typically, 2FA involves generating a one-time password or sending a code via text or email. These codes are usually six digits long and change every 45 seconds. However, in this case, the notification sent to users showed that the code remained valid for three hours.

This has led many to question how the attackers were able to brute-force their way past 2FA protections. Brute-forcing involves rapidly submitting every possible combination until landing on the right one. With a six-digit code, there would be over 1 million possible passcodes. A successful breach would require a statistically significant percentage of these codes to be entered within the three-hour window.

Unanswered Questions and Unclear Attack Method

Dashlane’s advisory does not explicitly state whether they placed a rate limit on the number of submissions a user can make. However, it appears likely based on language in the advisory saying that ‘Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.’

Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more submissions in an hour or so. This has led some to speculate that Dashlane may have meant something else by ‘2FA’ or that the attackers used a different tactic altogether.

Alternative Explanations and Speculation

One possible explanation is that the attackers used a tactic known as 2FA fatigue attacking, which exploits the friction of the process. An attacker who has already broken the first authentication factor attempts to log in repeatedly, resulting in a push notification being sent to the target each time. After dozens or even hundreds of attempts, the target finally gives in and presses the approve button.

Another possibility is that the attack exploited features that allow Dashlane users to enroll new devices in their accounts. Such techniques typically work by tricking the user into approving a request to approve a device owned by the attacker instead.

Conclusion

Dashlane has maintained silence for over 48 hours since publishing the advisory, leaving many questions unanswered. The company representatives did not respond to an email seeking details. Without more information, users are left wondering what really happened and how their accounts were compromised.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *