
Attack on Dashlane Reveals 2FA Weakness in Device Registration Process

Dashlane confirms attackers brute-forced 2FA tokens to download encrypted password vaults from fewer than 20 users, but encrypted data remains protected by the company's zero-knowledge architecture.

CSBadmin

The Attack Vector

Dashlane has revealed that a threat actor successfully circumvented two-factor authentication protections to access encrypted password vaults belonging to a small number of users. The incident began on May 31, 2026, when an external attacker launched a high-volume brute-force campaign targeting Dashlane’s device registration API. The attacker flooded these endpoints with automated requests, attempting to guess the 6-digit one-time tokens sent via email or generated by authenticator apps.

Dashlane’s automated security systems triggered account lockouts as intended, but not before the attacker managed to compromise fewer than 20 personal plan accounts. By successfully brute-forcing valid tokens, the attacker completed the device registration flow, authorizing unauthorized devices and downloading encrypted vault copies without the account holders’ knowledge. The company confirmed that no internal systems were breached during the incident.
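As an added illustration (not Dashlane's code and not part of the original article), the following verifier for a device-registration one-time token caps failures per token and invalidates the token once the budget is spent, so blind guessing of a 6-digit code is bounded long before any account-wide lockout has to fire; the attempt budget, TTL, class and function names are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_FAILURES_PER_TOKEN = 5   # assumed budget, not Dashlane's actual setting
TOKEN_TTL_SECONDS = 600      # assumed lifetime of a registration token


@dataclass
class PendingRegistration:
    token: str
    issued_at: float
    failures: int = 0
    consumed: bool = False


class DeviceRegistrationVerifier:
    """Checks the one-time token in a device-registration flow.

    The failure budget is bound to the token itself: after
    MAX_FAILURES_PER_TOKEN wrong guesses the token is discarded, so a
    fresh token (and a fresh 10**6 search space) is needed to continue.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingRegistration] = {}

    def issue_token(self, account: str) -> str:
        token = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = PendingRegistration(token, self._now())
        return token

    def verify(self, account: str, guess: str) -> bool:
        pend = self._pending.get(account)
        if pend is None or pend.consumed:
            return False
        if self._now() - pend.issued_at > TOKEN_TTL_SECONDS:
            del self._pending[account]          # expired: force re-issue
            return False
        if hmac.compare_digest(pend.token, guess):   # constant-time compare
            pend.consumed = True                # one successful use only
            return True
        pend.failures += 1
        if pend.failures >= MAX_FAILURES_PER_TOKEN:
            del self._pending[account]          # budget spent: token is dead
        return False


def blind_guess_success_probability(attempts: int, digits: int = OTP_DIGITS) -> float:
    """Chance a blind attacker hits the code within the allowed attempts."""
    return min(1.0, attempts / 10 ** digits)
```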

Impact and Resolution

Despite the successful exfiltration of encrypted vaults, Dashlane maintains that the stolen data remains effectively inaccessible. Vault contents are protected by the user’s Master Password, which is never transmitted to or stored on Dashlane servers, a cornerstone of the company’s zero-knowledge architecture. The encryption stack, combining Argon2, AES-256-CBC, and HMAC-SHA256, makes brute-forcing the Master Password statistically infeasible even over extended periods.

On June 4, 2026, Dashlane announced the completion of its investigation, confirming no additional customer impact beyond the initially identified accounts. The company implemented several remediation measures, including blocking malicious traffic at the network level, reactivating suspended accounts, deploying additional verification layers to the device registration flow, and hardening API endpoint protections. All affected users received direct notifications from Dashlane.

Source: Cyber Security News
