
Dashlane confirmed that hackers brute-forced its two-factor authentication (2FA) system over a weekend, gaining access to about 20 customer accounts and stealing at least a dozen encrypted password vaults. The attackers used automated software to rapidly submit every possible numeric combination to guess the short-lived 2FA codes before they expired, allowing them to register new devices on existing user accounts and download encrypted vault copies.
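The paragraph above describes a verifier that accepted guesses faster than the code space could be exhausted within one code's lifetime. The following is an added example, not Dashlane's code or any detail the article gives about its systems: a per-account verification endpoint that caps attempts per code lifetime, locks the account once the cap is exceeded, and emits audit events a detection rule can consume. The six-digit code length, 30-second lifetime, five-attempt cap, 15-minute lockout, and every name in the code are assumptions chosen for illustration. The simulation submits codes sequentially, the way the article says the attackers did, and reports how many guesses the verifier actually evaluated with and without the cap.

```python
"""Rate-limited 2FA code verification with lockout (constructed example).

Assumptions, none of which come from the article: six-digit numeric
codes, a 30-second code lifetime, a cap of 5 verification attempts per
account per lifetime, and a 15-minute lockout once the cap is exceeded.
All names here are hypothetical.
"""
import hmac
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS      # 1,000,000 possible codes
CODE_LIFETIME_S = 30
DEFAULT_MAX_ATTEMPTS = 5
LOCKOUT_S = 15 * 60


class FakeClock:
    """Deterministic clock so the example runs without real waiting."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class AccountState:
    window_start: float = 0.0
    attempts: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Counts verification attempts per account within one code lifetime
    and locks the account once the cap is exceeded."""

    def __init__(self, clock, max_attempts: int = DEFAULT_MAX_ATTEMPTS):
        self.clock = clock
        self.max_attempts = max_attempts
        self.state: dict[str, AccountState] = {}
        self.audit: list[tuple[str, str]] = []   # feed for detection rules

    def verify(self, account: str, submitted: str, expected: str) -> str:
        now = self.clock()
        st = self.state.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"
        if now - st.window_start >= CODE_LIFETIME_S:   # new lifetime window
            st.window_start, st.attempts = now, 0
        st.attempts += 1
        if st.attempts > self.max_attempts:
            st.locked_until = now + LOCKOUT_S
            self.audit.append((account, "lockout"))
            return "locked"
        # Constant-time compare so timing does not leak matching digits.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            st.attempts = 0
            return "ok"
        self.audit.append((account, "bad_code"))
        return "bad_code"


def guess_success_probability(evaluated_guesses: int) -> float:
    """Chance that this many distinct guesses, evaluated within one code
    lifetime, hit a uniformly random code."""
    return min(evaluated_guesses, CODE_SPACE) / CODE_SPACE


def simulate_exhaustive_guessing(verifier: OtpVerifier, account: str,
                                 expected: str) -> dict:
    """Submit codes 000000 upward within a single lifetime window and
    report how many the verifier actually evaluated before a hit or a
    lockout.  Stops at lockout: the lockout outlives the code itself."""
    evaluated, hit = 0, False
    for n in range(CODE_SPACE):
        result = verifier.verify(account, f"{n:0{CODE_DIGITS}d}", expected)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            hit = True
            break
    return {"evaluated": evaluated, "hit": hit,
            "hit_probability": guess_success_probability(evaluated)}


def accounts_with_lockouts(audit) -> set:
    """Detection hook: accounts that tripped the cap at least once."""
    return {acct for acct, event in audit if event == "lockout"}


if __name__ == "__main__":
    clock = FakeClock()
    capped = OtpVerifier(clock)
    print("capped:", simulate_exhaustive_guessing(capped, "alice", "123456"))
    uncapped = OtpVerifier(clock, max_attempts=CODE_SPACE)
    print("uncapped:", simulate_exhaustive_guessing(uncapped, "bob", "123456"))
    print("flagged:", accounts_with_lockouts(capped.audit))
```

With the cap in place the verifier evaluates five guesses and locks the account, so a single code lifetime gives an attacker a five-in-a-million chance; without the cap the sequential sweep reaches the code. The audit entries are the signal to alert on: a lockout event on an account, or several across accounts from one source, is the pattern a detection rule should flag.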
What Was Stolen And Risk Level
The stolen vaults are encrypted and cannot be read without each customer’s master password, which Dashlane never stores in plaintext. However, customers with easily guessed master passwords face greater risk of having their vaults decrypted. Dashlane has notified the ~20 affected customers but has not said whether they were specifically targeted or if the hackers made ransom demands.
Company Response And Unknowns
Dashlane said there’s no evidence its own systems were compromised and has taken steps to mitigate future incidents, though it hasn’t disclosed what those steps are. The company also hasn’t explained how the attackers defeated its 2FA protections or identified who was behind the attack.
Broader Context: Password Manager Breaches Are Rare But Costly
Data breaches at password managers are uncommon but can have lasting consequences. In 2022, LastPass confirmed customer vault backups were stolen; weaker early password requirements let hackers brute-force some master passwords, leading to reports of stolen crypto using private keys from cracked vaults. In 2021, Click Studios warned Passwordstate users to reset all credentials after hackers compromised its software update mechanism to plant malware.
