Dashlane Reports Brute-Force Attack: Encrypted Vaults of Fewer Than 20 Users Accessed
On May 31, 2026, Dashlane, a prominent password management service, disclosed a security incident involving a brute-force attack targeting a limited number of its personal plan users. An unidentified external threat actor attempted to bypass two-factor authentication (2FA) protections to register new devices on existing user accounts.
The attack led to a high volume of login attempts on certain accounts, triggering Dashlane’s security protocols. These measures resulted in temporary account suspensions and authentication issues, effectively mitigating the attack’s broader impact. However, the attackers succeeded in downloading encrypted vaults from fewer than 20 personal plan users.
Dashlane has directly notified the affected users, emphasizing that the encrypted vaults remain secure unless the Master Password is weak or easily guessable. The company reassured that its internal systems were not compromised during the incident.
In response, Dashlane advises all users to review their account’s registered devices, remove any unrecognized ones, enable 2FA, and ensure their Master Passwords are strong, unique, and difficult to guess.
