Password manager Dashlane reported a targeted brute-force attack that led to a minor breach involving a limited number of encrypted vaults. The breach, which the company disclosed on Monday, involved attackers downloading the encrypted vaults of a small group of users.
Details of the Attack
The attack surfaced on May 31, when cybercriminals attempted to bypass Dashlane’s two-factor authentication (2FA) by registering their own devices on selected accounts. This method involved automated tools that rapidly guessed numeric combinations, aiming to crack the security code before it expired.
By registering a device, the attackers gained the ability to download the encrypted vault of the targeted user from Dashlane’s servers. Despite the attack’s discovery, some accounts were compromised, allowing the download of vaults belonging to fewer than 20 personal plan users.
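The defensive counterpart to the code guessing described above, as an added example that is not Dashlane's code: a device-registration code that is burned after a small number of wrong guesses, so expiry is not the only limit on guessing. The class and function names, the 6-digit length, the 5-minute expiry and the 5-attempt budget are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: the page does not state the code length
CODE_TTL_SECONDS = 300   # assumption: illustrative expiry window
MAX_ATTEMPTS = 5         # assumption: illustrative per-code guess budget


class DeviceRegistrationChallenge:
    """One pending device-registration code for one account (hypothetical model)."""

    def __init__(self, now=None):
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.expires_at = (time.time() if now is None else now) + CODE_TTL_SECONDS
        self.failed = 0
        self.locked = False

    def verify(self, guess, now=None):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        now = time.time() if now is None else now
        if self.locked:
            return "locked"
        if now >= self.expires_at:
            return "expired"
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.locked = True  # single use: a verified code cannot be replayed
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True  # burn the code; a fresh one must be issued
        return "wrong"


def guess_success_probability(attempts_allowed):
    """Chance of hitting a uniformly random code within the attempt budget."""
    space = 10 ** CODE_DIGITS
    return min(attempts_allowed, space) / space


def guesses_evaluated_before_lockout(challenge, guesses, now):
    """Feed guesses in order; count how many were checked before lockout."""
    evaluated = 0
    for guess in guesses:
        if challenge.verify(guess, now) == "locked":
            break
        evaluated += 1
    return evaluated
```

With these assumed values an automated guesser gets 5 tries per issued code instead of as many as fit in the expiry window, which caps the per-code success chance at 5 in 1,000,000.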
Security Measures and Impact
Dashlane responded swiftly by locking the targeted accounts to mitigate further risks. Importantly, Dashlane emphasized that accessing vault data without the Master Password is highly improbable due to its robust encryption protocols.
The company reassured users that the Master Password can only be obtained via phishing, which was not part of this incident. Affected users have been informed, and their accounts have been restored to normal operation.
Company’s Assurance and Future Outlook
Dashlane confirmed that its internal systems remained secure, with no evidence of broader impacts from the attack. The event underscores the importance of maintaining strong security practices and highlights the ongoing threats faced by digital security services.
As cyber threats evolve, Dashlane continues to reinforce its security measures, ensuring users’ data remains protected against sophisticated attacks. This incident serves as a reminder of the critical need for vigilance in digital security.
