Security Advisory: Dashlane’s Encrypted Vaults Compromised in Brute Force Attack
On May 31, 2026, Dashlane, a widely used password management service, issued a security advisory revealing that attackers had gained access to 20 encrypted user vaults. The incident involved a brute force attack targeting specific user accounts with the aim of circumventing two-factor authentication (2FA) protections in order to register unauthorized devices on those accounts.
According to the advisory, the brute force attack commenced on Sunday and sought to manipulate 2FA mechanisms, which usually enhance account security by requiring a second form of verification in addition to a password. A user based in the UK received a 2FA notification during this period, which prompted them to reach out to Dashlane’s customer support for clarification but yielded no substantial information regarding the nature of the alert.
This lack of communication left users perplexed, especially regarding how a 2FA request could be triggered without the initial password being compromised. The user expressed frustration, stating that they learned about the potential breach through external channels rather than directly from Dashlane. The situation sparked widespread discussions across social media platforms, with many users echoing similar concerns about the mechanics of the attack and their implications.
Typically, 2FA codes are time-sensitive and regenerated at short intervals, which is what makes them a meaningful second layer of protection. The situation at Dashlane suggests that the attackers may have exploited a vulnerability that allowed the same code to remain valid for far longer than expected, sometimes up to three hours, rather than the short validity window such systems normally enforce.
Brute force attacks rely on systematically trying different combinations to guess passwords or 2FA codes. In a scenario like this, with up to a million possible combinations, an attacker has to submit a large share of those guesses while the code is still valid. While it is feasible to flood Dashlane's systems with a high volume of requests, doing so requires considerably more resources than standard brute force tactics usually involve.
Dashlane's advisory implies that some rate-limiting measures against excessive login attempts were in place: it mentions automatic account locking in response to high volumes of access attempts. That still leaves open how effective those defenses were against a concentrated and sustained attack, given that thousands of requests can be submitted in a very short time frame.
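To make the two controls discussed above concrete, here is an added illustration (not Dashlane's code; the verifier, the 30-second window, the five-failure lockout and the request rate are all assumed) of how a short code validity window and a per-account lockout bound what a code-guessing attempt can achieve against a million-code space:

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

CODE_SPACE = 10**6  # roughly a million possible codes, as discussed above


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class CodeVerifier:
    """Hypothetical second-factor verifier: codes expire after validity_seconds,
    and max_failures wrong guesses lock the account for lockout_seconds."""
    validity_seconds: float = 30.0
    max_failures: int = 5
    lockout_seconds: float = 900.0
    _issued: dict = field(default_factory=dict)  # account -> (code, issued_at)
    _state: dict = field(default_factory=dict)   # account -> AccountState

    def issue(self, account: str, code: str, now: float) -> None:
        self._issued[account] = (code, now)

    def verify(self, account: str, guess: str, now: float) -> str:
        st = self._state.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"                      # refuse without counting
        code, issued_at = self._issued.get(account, (None, 0.0))
        if code is None or now - issued_at > self.validity_seconds:
            return "expired"                     # window closed, guess is useless
        if hmac.compare_digest(code, guess):     # constant-time comparison
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "bad"


def max_attempts(validity_seconds: float, requests_per_second: float,
                 max_failures: Optional[int]) -> int:
    """Guesses possible against one code before it expires or the account locks."""
    by_window = int(validity_seconds * requests_per_second)
    return by_window if max_failures is None else min(by_window, max_failures)


def guess_success_probability(attempts: int, space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses include the one valid code."""
    return min(attempts, space) / space
```

With a 30-second window and 10 requests per second an attacker gets 300 guesses (0.03%); stretching the window to three hours raises that to 108,000 guesses (about 10.8%), while a five-failure lockout caps it at five guesses regardless of the window.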
Viewed through the MITRE ATT&CK framework, the attack maps to techniques associated with initial access and brute force, potentially combined with credential dumping. By making a very large number of attempts, the attackers sought to take control of accounts, which highlights ongoing weaknesses that organizations need to address.
As businesses increasingly rely on password managers and similar tools for security, the Dashlane incident serves as a critical reminder of the importance of robust, multi-layered security measures. Understanding the underlying tactics used in cyber attacks can equip business owners with the knowledge necessary to fortify their defenses against potential future threats.