Dashlane Hack: Attackers Bypass 2FA, Access Encrypted Vaults of 20 Users

Dashlane Users Targeted: Hackers Exploit 2FA to Access Encrypted Vaults

In a recent security incident, Dashlane, a prominent password management service, revealed that cyber attackers successfully bypassed two-factor authentication (2FA) protocols to register unauthorized devices and download encrypted password vaults from a limited number of personal plan users. The company’s thorough investigation confirmed that fewer than 20 accounts were affected and that its internal systems remained uncompromised.

Incident Overview

On May 31, 2026, Dashlane detected a high-volume brute-force attack targeting its user accounts. The attackers concentrated on the platform’s device registration API endpoints, inundating them with automated requests aimed at guessing the six-digit one-time tokens sent via email or generated by authenticator apps.

Dashlane’s automated security measures responded promptly, initiating account lockouts for the targeted accounts before the attack was fully mitigated.

Exploitation of Device Registration Process

The attackers exploited Dashlane’s device registration process, which is activated when a user adds a new device to their account. Upon successful 2FA verification, Dashlane registers the device and automatically downloads a copy of the encrypted vault to it. By brute-forcing valid six-digit tokens for specific accounts, the attackers completed the registration process, effectively authorizing the device and downloading encrypted vault copies without the account holders’ knowledge.
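The weakness described above is that a six-digit token has only one million possible values, so an endpoint that accepts unlimited verification attempts will eventually be guessed. The following added example (not Dashlane's code; all names, limits and the in-memory store are assumptions) shows a toy device-registration verifier in both configurations: with `limit_attempts=False` it mirrors the weak setting, and with the default lockout it refuses further attempts after a handful of wrong codes. Tokens are single-use, expire, and are compared in constant time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example, not Dashlane's code: a toy device-registration verifier for
# six-digit one-time tokens. All names and limits below are assumptions.
OTP_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed lockout threshold per pending challenge
TOKEN_TTL_SECONDS = 600   # assumed token validity (10 minutes)


@dataclass
class Challenge:
    token: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class DeviceRegistration:
    """Pending device-registration challenges keyed by account id."""

    def __init__(self, limit_attempts=True, now=time.time):
        self.limit_attempts = limit_attempts   # False reproduces the weak setting
        self.now = now                         # injectable clock for testing
        self.pending = {}

    def issue_token(self, account_id):
        # In a real deployment the token goes out by e-mail or is derived by an
        # authenticator app; here it is simply returned to the caller.
        token = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[account_id] = Challenge(token=token, issued_at=self.now())
        return token

    def verify(self, account_id, submitted):
        ch = self.pending.get(account_id)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"
        if self.now() - ch.issued_at > TOKEN_TTL_SECONDS:
            del self.pending[account_id]
            return "expired"
        ch.attempts += 1
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(ch.token, submitted):
            del self.pending[account_id]       # single use: the device is registered once
            return "registered"
        if self.limit_attempts and ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True                   # needs an out-of-band reset, as in the incident
            return "locked"
        return "wrong_code"


def simulate_guessing(reg, account_id):
    """Feed every code in order to the toy verifier and report how it ended.

    With limit_attempts=False the loop runs until the token is hit (on average
    500,000 submissions for six digits); with the limit it stops at MAX_ATTEMPTS.
    """
    for i in range(10 ** OTP_DIGITS):
        outcome = reg.verify(account_id, f"{i:0{OTP_DIGITS}d}")
        if outcome in ("registered", "locked", "expired"):
            return outcome, i + 1
    return "exhausted", 10 ** OTP_DIGITS


if __name__ == "__main__":
    for limited in (False, True):
        reg = DeviceRegistration(limit_attempts=limited)
        reg.issue_token("alice")
        reg.pending["alice"].token = "001234"   # fixed value to keep the demo short
        print(f"limit_attempts={limited}:", simulate_guessing(reg, "alice"))
```

The lockout here is per pending challenge, which is the cheapest control and is what turns a million-guess search into a five-guess one; in practice it is paired with per-source rate limits so that a locked account cannot simply be re-challenged.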

Scope of the Breach

Fewer than 20 personal plan users had their encrypted vaults exfiltrated. Dashlane has directly notified all affected users. Despite the vault downloads, the company asserts that the stolen data remains inaccessible due to its robust encryption protocols.

Encryption and Security Measures

Dashlane’s vault contents are protected by the user’s Master Password, which is never transmitted to Dashlane servers in plaintext and is never stored—a core principle of Dashlane’s zero-knowledge architecture. The encryption stack, comprising Argon2, AES-256-CBC, and HMAC-SHA256, makes brute-forcing the Master Password computationally infeasible, even over extended periods. There is no evidence that Dashlane’s internal infrastructure was compromised during the incident.

Remediation Steps

On June 4, 2026, Dashlane announced the completion of its investigation, confirming no additional customer impact. The company implemented several remediation steps, including:

– Blocking malicious traffic at the network level.

– Reactivating suspended and locked-out user accounts.

– Deploying additional verification layers to the device registration process.

– Enhancing API endpoint protections to detect and filter future malicious traffic.
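The last two remediation items amount to detecting and filtering a burst of failed token verifications before it can run through the token space. As an added example (not Dashlane's code, and the log format, field names and sample lines are constructed for illustration), the following detector parses verification events and raises an alert when failures for one account or one source address reach a threshold within a sliding window; successful verifications and unrelated lines are ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not Dashlane's code. The log format below is hypothetical.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) device_register verify account=(?P<account>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_otp_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag accounts and source IPs whose failed verifications within any sliding
    window reach the threshold. Expects lines in chronological order.
    Returns {(dimension, value): failure count at the moment the alert tripped}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (dimension, value) -> timestamps of failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "wrong_code":
            continue   # successes and malformed lines do not count toward the limit
        for key in (("account", ev["account"]), ("src", ev["src"])):
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()           # drop failures older than the window
            if len(q) >= threshold and key not in alerts:
                alerts[key] = len(q)  # record the first trip only
    return alerts


def build_sample_log():
    """Constructed sample log, not real Dashlane data: one account receives 25
    wrong codes from a single IP within 25 seconds; another account has two
    typos five minutes apart followed by a successful registration."""
    start = datetime(2026, 5, 31, 2, 14, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):
        ts = (start + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} device_register verify account=u1001 src=203.0.113.7 result=wrong_code")
    for offset in (0, 300):
        ts = (start + timedelta(seconds=offset)).strftime(fmt)
        lines.append(f"{ts} device_register verify account=u2002 src=198.51.100.9 result=wrong_code")
    ts = (start + timedelta(seconds=310)).strftime(fmt)
    lines.append(f"{ts} device_register verify account=u2002 src=198.51.100.9 result=registered")
    lines.append("2026-05-31T02:20:00Z unrelated_event foo=bar")
    lines.sort()   # ISO-8601 timestamps sort lexicographically into time order
    return lines


if __name__ == "__main__":
    for key, count in detect_otp_bruteforce(build_sample_log()).items():
        print(f"ALERT {key[0]}={key[1]}: {count} failed verifications in 60s")
```

Keying on both the account and the source address matters: a per-account view catches guessing spread across many addresses, while a per-source view catches one address cycling through many accounts. The alert output is what a network-level block or an API gateway rule would consume.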

Implications for Password Managers

This incident underscores that even robust password managers can be targeted at the authentication perimeter rather than the encryption layer itself. It highlights the critical importance of strong 2FA configurations and diligent Master Password management as essential defensive measures for all users.