Dashlane recently disclosed a security incident in which attackers brute-forced two-factor authentication (2FA) codes to register unauthorized devices and download encrypted password vaults. The incident affected fewer than 20 personal users, and Dashlane's investigation found no impact on its internal systems.
Details of the Breach
Beginning May 31, 2026, Dashlane observed a brute-force attack against user accounts through its device registration API. The attackers guessed the 6-digit tokens that Dashlane sends by email or that an authenticator app generates when a device is registered. Although Dashlane's existing controls triggered account lockouts, the attackers still managed to register new devices on a small subset of accounts.
Attack Methodology
The attackers targeted Dashlane's device registration flow, which runs whenever a user adds a new device. A 6-digit token has only one million possible values, so an attacker who can make enough guesses against one account, or spread a few guesses across many accounts, will eventually hit a valid token. Once a registration succeeded, the attackers could download the account's encrypted vault just as a legitimate new device would. Dashlane notified all affected users.
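To make the attack mechanics concrete, here is a constructed toy model added for this article (not Dashlane's code; the lockout threshold MAX_FAILURES, the per-source cap SOURCE_LIMIT and the account names are assumed values). It shows why a per-account lockout whose counter resets each time a new code is issued still lets an attacker walk the million-value code space, why spreading a handful of guesses over many accounts yields a small expected number of compromised accounts, and what a persistent per-account budget plus a per-source cap changes.

```python
"""Toy model of a 6-digit OTP brute force against a device-registration API.

Constructed example, not Dashlane's code. Parameters are assumed values.
"""
from __future__ import annotations

import hmac
import random
from dataclasses import dataclass, field

CODE_SPACE = 10 ** 6   # six-digit numeric token: one million possible values
MAX_FAILURES = 5       # assumed: wrong guesses before the account is locked
SOURCE_LIMIT = 20      # assumed: total guesses one client source may make (hardened only)


@dataclass
class Account:
    code: str | None = None        # registration code currently valid, if any
    failures: int = 0              # wrong guesses against the current code
    lifetime_failures: int = 0     # wrong guesses across every issued code
    locked: bool = False
    devices: list = field(default_factory=list)


class RegistrationAPI:
    """hardened=False: the failure counter resets and the lock clears whenever a
    fresh code is issued, so an attacker who can trigger codes gets MAX_FAILURES
    guesses per code, indefinitely.
    hardened=True: the budget persists across re-issues, a locked account gets no
    new codes, and each client source has an overall guess cap."""

    def __init__(self, hardened: bool, rng=None):
        self.hardened = hardened
        self.rng = rng or random.SystemRandom()   # anything with .randrange()
        self.accounts: dict[str, Account] = {}
        self.source_attempts: dict[str, int] = {}

    def request_code(self, user: str) -> bool:
        """Issue a new code. It is delivered out of band; the caller never sees it."""
        acct = self.accounts.setdefault(user, Account())
        if self.hardened and acct.locked:
            return False                        # refuse to issue while locked
        acct.code = f"{self.rng.randrange(CODE_SPACE):06d}"
        acct.failures = 0                       # per-code counter reset
        if not self.hardened:
            acct.locked = False                 # weak point: re-issue clears the lock
        return True

    def register_device(self, user: str, guess: str, device: str, source: str) -> str:
        acct = self.accounts[user]
        if acct.locked:
            return "locked"
        if self.hardened:
            n = self.source_attempts.get(source, 0) + 1
            self.source_attempts[source] = n
            if n > SOURCE_LIMIT:
                return "rate_limited"           # cap applies across all accounts
        if acct.code is not None and hmac.compare_digest(acct.code, guess):
            acct.code = None                    # single use
            acct.devices.append(device)
            return "registered"
        acct.failures += 1
        acct.lifetime_failures += 1
        used = acct.lifetime_failures if self.hardened else acct.failures
        if used >= MAX_FAILURES:
            acct.locked = True
        return "invalid"


def brute_force(api: RegistrationAPI, user: str, max_reissues: int = CODE_SPACE) -> tuple[int, bool]:
    """Attacker loop against one account: trigger a code, spend the lockout budget
    on sequential guesses, trigger again. Returns (guesses made, device registered?)."""
    guesses, next_guess = 0, 0
    for _ in range(max_reissues):
        if not api.request_code(user):
            break                               # hardened API stopped issuing codes
        for _ in range(MAX_FAILURES):
            if next_guess >= CODE_SPACE:
                return guesses, False
            result = api.register_device(user, f"{next_guess:06d}", "evil-laptop", "attacker")
            guesses, next_guess = guesses + 1, next_guess + 1
            if result == "registered":
                return guesses, True
            if result in ("locked", "rate_limited"):
                break
    return guesses, False


def spray(api: RegistrationAPI, users: list[str], per_user: int = MAX_FAILURES) -> dict[str, int]:
    """Spread a few guesses over many accounts from one source; returns result counts."""
    outcomes: dict[str, int] = {}
    for user in users:
        if not api.request_code(user):
            continue
        for g in range(per_user):
            r = api.register_device(user, f"{g:06d}", "evil-laptop", "attacker")
            outcomes[r] = outcomes.get(r, 0) + 1
    return outcomes


def expected_compromises(accounts: int, guesses_per_account: int) -> float:
    """Distinct guesses against a uniform code: exact hit probability per account is
    guesses/CODE_SPACE, so a spray over many accounts yields this expected count."""
    return accounts * guesses_per_account / CODE_SPACE


if __name__ == "__main__":
    print("weak API, one account:", brute_force(RegistrationAPI(False, random.Random(1)), "alice"))
    print("hardened API, one account:", brute_force(RegistrationAPI(True, random.Random(1)), "alice"))
    print("hardened API, spray:", spray(RegistrationAPI(True, random.Random(1)), [f"u{i}" for i in range(10)]))
    print("expected hits, 1e6 accounts x 5 guesses:", expected_compromises(10 ** 6, MAX_FAILURES))
```

The weak variant is what "lockouts triggered, attackers still got in" looks like in practice: the lock is per code, not per account, so re-requesting a code buys another budget of guesses. The hardened variant keeps the count across re-issues and caps a single source across all accounts, which turns an unbounded search into at most MAX_FAILURES guesses per account and SOURCE_LIMIT guesses per client. Neither changes the arithmetic in expected_compromises: against a 6-digit code space, a few guesses over a very large user base still produces a small but nonzero number of hits, which is why binding the code to a short-lived, single-use registration session and alerting on registration failures matters as much as the lockout itself.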
Although the vaults were downloaded, Dashlane states that their contents remain protected. The Master Password, from which the vault encryption key is derived, is never stored or transmitted to Dashlane in plaintext under its zero-knowledge architecture. The key is derived with Argon2, the vault is encrypted with AES-256-CBC, and its integrity is checked with HMAC-SHA256, so an attacker holding a copied vault must brute-force the Master Password offline, which a strong Master Password makes impractical. The caveat is that this design cannot compensate for a short, guessable or reused Master Password; for such accounts the copied vault is the real exposure.
Dashlane’s Response and Future Measures
On June 4, 2026, Dashlane concluded its investigation and confirmed there was no broader customer impact. It blocked the malicious traffic, restored access to the affected accounts, and strengthened the device registration process so that further brute-force attempts are stopped. These measures are intended to prevent a repeat of the incident.
The incident shows that a 6-digit second factor is only as strong as the rate limiting and lockout logic behind it, and that once a vault has been copied, a long, unique Master Password is what keeps it closed. Users should keep 2FA enabled, choose a strong Master Password that is not reused elsewhere, and review the list of devices registered to their account for anything they do not recognize.
