Full Report
Password manager Dashlane has disclosed that "fewer than" 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack launched by an unknown party. On May 31, 2026, the company said an "external" threat actor launched a brute-force attack against certain Dashlane user accounts with the aim of breaking two-factor authentication (2FA).
Analysis Summary
# Incident Report: Dashlane Brute-Force and Vault Exfiltration
## Executive Summary
In May 2026, Dashlane identified an external brute-force attack targeting personal subscription accounts to bypass two-factor authentication (2FA). While built-in security controls throttled the majority of the attack, the threat actor successfully registered unauthorized devices and downloaded encrypted vaults belonging to fewer than 20 users. The company has notified affected individuals and confirmed that internal systems remained uncompromised.
## Incident Details
- **Discovery Date:** May 31, 2026
- **Incident Date:** Ongoing in the period leading up to May 31, 2026
- **Affected Organization:** Dashlane
- **Sector:** Technology / Cybersecurity (Identity Management)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** External Brute-Force Attack
- **Details:** Threat actors launched high-volume automated login attempts against personal Dashlane accounts.
### Lateral Movement
- **Details:** No lateral movement within the service infrastructure. Within each compromised account, the actor progressed from account access to unauthorized device registration.
### Data Exfiltration/Impact
- **Details:** For a cohort of "fewer than 20" users, attackers successfully bypassed 2FA, registered a new device, and downloaded the users' encrypted password vaults.
### Detection & Response
- **How it was discovered:** High volume of failed login attempts triggered automated security alerts and account suspensions.
- **Response actions taken:** Impacted accounts were temporarily suspended; affected users were directly notified; internal systems were audited for signs of breach (none found).
## Attack Methodology
- **Initial Access:** Brute-force/Credential Stuffing.
- **Persistence:** Unauthorized device registration on compromised accounts.
- **Privilege Escalation:** N/A (Direct user account access).
- **Defense Evasion:** Use of distributed "external" infrastructure to attempt 2FA bypass.
- **Credential Access:** Brute-forcing 2FA protections.
- **Discovery:** Identification of accounts without robust 2FA or with weak passwords.
- **Lateral Movement:** N/A.
- **Collection:** Automated download of user vault files.
- **Exfiltration:** Transfer of encrypted `.dash` (or equivalent) vault files to attacker-controlled devices.
- **Impact:** Potential exposure of all stored credentials if the Master Password is cracked.
## Impact Assessment
- **Financial:** Minimal direct cost; potential resource expenditure for incident response and legal notifications.
- **Data Breach:** Exfiltration of encrypted vaults for fewer than 20 users. Risk is mitigated by AES-256 encryption, provided Master Passwords are strong.
- **Operational:** Temporary service disruption for targeted users due to account suspensions.
- **Reputational:** Moderate; emphasizes the risk of "all eggs in one basket" for password managers, though Dashlane’s internal systems remained secure.
## Indicators of Compromise
- **Network indicators:** Multiple failed login attempts from disparate IP addresses (specific IPs not disclosed by Dashlane).
- **File indicators:** N/A (Service-side attack).
- **Behavioral indicators:** Unauthorized registration of new devices; anomalous volume of 2FA verification requests.
## Response Actions
- **Containment measures:** Automated account locking/suspension of targeted accounts.
- **Eradication steps:** Removal of unauthorized devices from affected accounts.
- **Recovery actions:** Direct notification to affected users; restoration of access after security verification.
## Lessons Learned
- **2FA Robustness:** Traditional 2FA codes (SMS/email) can be brute-forced if rate limiting is not applied consistently across every endpoint that accepts them.
- **Client-Side Security:** The zero-knowledge architecture remains the primary defense; even with a downloaded vault, the attacker needs the Master Password.
- **Alerting Effectiveness:** Automated suspension systems worked as intended, preventing a wider-scale compromise of the user base.
## Recommendations
- **For Users:**
  - Transition to hardware security keys (FIDO2/WebAuthn) for 2FA.
  - Ensure Master Passwords exceed 12-15 characters and are unique.
  - Audit "Authorized Devices" periodically in Dashlane settings.
- **For the Organization:**
  - Enhance rate-limiting specifically for device registration endpoints.
  - Implement additional behavioral analysis on 2FA challenges.
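As an added example (not Dashlane's code; the event names, IP addresses and thresholds are assumptions), the behavioral indicators and recommendations above turned into detection logic over constructed auth events: a sliding-window count of failed 2FA verifications per account, and a device registration that follows such a burst from a source that never completed 2FA for that account before the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not Dashlane telemetry). Each event is
# (time, kind, user, source_ip). 'alice' receives 40 failed OTP checks from
# rotating sources, one eventually succeeds, and a device is registered from
# that source; 'bob' is a normal session with a single successful OTP.
def build_sample_events():
    base = datetime(2026, 5, 31, 2, 0, 0)
    ev = [(base - timedelta(days=1), "otp_ok", "alice", "198.51.100.7"),  # legit
          (base, "password_ok", "alice", "203.0.113.0"),                 # attacker
          (base, "password_ok", "bob", "192.0.2.9"),
          (base + timedelta(seconds=5), "otp_ok", "bob", "192.0.2.9")]
    for i in range(40):  # 40 OTP failures in ~3 minutes across 4 sources
        ev.append((base + timedelta(seconds=5 * i), "otp_fail", "alice",
                   f"203.0.113.{i % 4}"))
    ev.append((base + timedelta(minutes=4), "otp_ok", "alice", "203.0.113.2"))
    ev.append((base + timedelta(minutes=5), "device_registered", "alice", "203.0.113.2"))
    return sorted(ev)

OTP_FAIL_LIMIT = 10            # failures tolerated per account per window (assumed)
WINDOW = timedelta(minutes=5)  # sliding window per account (assumed)

def otp_bruteforce_accounts(events):
    """Return {user: time_first_over_limit} for accounts whose failed OTP
    verifications exceed OTP_FAIL_LIMIT inside any sliding WINDOW."""
    flagged, recent = {}, defaultdict(list)
    for t, kind, user, _src in events:
        if kind != "otp_fail" or user in flagged:
            continue
        q = recent[user]
        q.append(t)
        while q and t - q[0] > WINDOW:   # drop failures older than the window
            q.pop(0)
        if len(q) > OTP_FAIL_LIMIT:
            flagged[user] = t
    return flagged

def suspicious_registrations(events, flagged):
    """Device registrations that follow a flagged OTP burst and come from a
    source that never completed 2FA for that user before the burst began."""
    trusted = defaultdict(set)   # user -> sources that passed 2FA pre-burst
    hits = []
    for t, kind, user, src in events:
        if kind == "otp_ok" and (user not in flagged or t < flagged[user]):
            trusted[user].add(src)
        if (kind == "device_registered" and user in flagged
                and t >= flagged[user] and src not in trusted[user]):
            hits.append((user, t, src))
    return hits
```

Running `suspicious_registrations(events, otp_bruteforce_accounts(events))` on the sample flags only alice's registration from 203.0.113.2; in production the same two signals would feed the per-endpoint throttle and the device-registration review the report recommends.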