
Password manager Dashlane has confirmed that hackers successfully breached customer accounts during a weekend cyberattack, stealing at least a dozen encrypted password vaults. The company revealed that attackers managed to defeat its two-factor authentication system to access approximately 20 customer accounts.
The breach highlights a concerning vulnerability in what’s supposed to be one of the most secure forms of account protection. Two-factor authentication typically requires an additional code sent to the user’s phone, so that a stolen username and password alone are not enough to log in. Yet Dashlane’s attackers found a way around this critical security layer.
According to Dashlane’s incident page, hackers used a brute-force attack to overcome the two-factor authentication protections. The company explained that attackers can use automated software to “rapidly submit every possible numeric combination to the system, hoping to guess the exact sequence before the short-lived security code expires.” Once they bypassed this protection, the hackers could register new devices on existing user accounts and download copies of encrypted password vaults.
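The attack Dashlane describes works only if the server keeps evaluating guesses for as long as a code is valid: a six-digit code has one million possibilities, and a short lifetime is no obstacle to software that can submit them faster than a human. The standard mitigation is to bound the number of failed checks per code and freeze the second factor for a while once that bound is hit. The verifier below is an added illustration written for this article, not Dashlane’s code; the account name, the code value, the policy constants (`MAX_FAILURES_PER_CODE`, `LOCKOUT_SECONDS`, `CODE_TTL_SECONDS`) and the helper `wrong_guesses_checked` are all assumptions chosen for the demo.

```python
"""One-time-code verifier with per-code attempt limits and lockout.

Added example for this article; not Dashlane's implementation.
All policy numbers below are assumptions for the demonstration.
"""
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES_PER_CODE = 5   # assumption: wrong guesses tolerated before the code is voided
LOCKOUT_SECONDS = 300       # assumption: how long the second factor is frozen afterwards
CODE_TTL_SECONDS = 30       # assumption: lifetime of a code (a typical TOTP step)


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failures: int = 0


class OtpVerifier:
    """Keeps one pending code per account plus a lockout timestamp."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.pending = {}           # account -> PendingCode
        self.locked_until = {}      # account -> epoch seconds

    def issue(self, account, code):
        """Server side: a freshly generated code replaces any older one."""
        self.pending[account] = PendingCode(code=code, issued_at=self.clock())

    def verify(self, account, guess):
        now = self.clock()
        if now < self.locked_until.get(account, 0.0):
            return "locked"          # refuse before looking at the guess at all
        entry = self.pending.get(account)
        if entry is None:
            return "no_code"
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[account]
            return "expired"
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(entry.code.encode(), guess.encode()):
            del self.pending[account]   # single use: a success consumes the code
            return "ok"
        entry.failures += 1
        if entry.failures >= MAX_FAILURES_PER_CODE:
            # Void the code and freeze the account's second factor. A guesser now
            # needs a fresh code *and* has to wait out the lockout, so the race to
            # submit every combination before expiry can no longer be run.
            del self.pending[account]
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return "wrong"


def wrong_guesses_checked(verifier, account, wrong_guesses):
    """Test helper: submit wrong guesses and count how many were actually evaluated."""
    checked = 0
    for guess in wrong_guesses:
        if verifier.verify(account, guess) != "wrong":
            break                    # "locked": the server stopped comparing
        checked += 1
    return checked


if __name__ == "__main__":
    # Constructed demo values: a fake account and a fake six-digit code.
    v = OtpVerifier()
    v.issue("demo-account", "493021")
    wrong = ["%06d" % i for i in range(20)]          # 000000 .. 000019, none correct
    print("guesses evaluated before lockout:", wrong_guesses_checked(v, "demo-account", wrong))
    print("correct code while locked:", v.verify("demo-account", "493021"))
```

The point of the design is that the number of guesses the server will compare per code is a fixed small constant rather than "as many as fit in thirty seconds"; with five tries per code the chance of guessing a six-digit value is five in a million per code, and the lockout stops the attempt from being repeated against a stream of fresh codes. Throttling the device-enrolment endpoint the same way closes the second step of the incident, registering a new device once a code is accepted.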
The company has not disclosed how exactly the attackers managed to defeat its two-factor system or provided details about the steps it has taken to prevent future incidents. Dashlane also hasn’t revealed whether the targeted customers were chosen for specific reasons, such as their profession or personal profiles.
While the stolen vaults are encrypted and cannot be read without each customer’s master password, this protection isn’t foolproof. Dashlane warned that customers with easily guessed master passwords face a higher risk of having their vaults decrypted. The company stores only scrambled versions of these passwords and claims it never receives the plaintext versions.
This incident adds to a troubling pattern of password manager breaches that have shaken user confidence in these supposedly secure services. The consequences of such breaches can be severe and long-lasting, as they potentially expose users’ entire digital lives to criminals.
The most notable recent example occurred in 2022 when LastPass confirmed that hackers had stolen customer password vault backups. While the vaults were protected by customer-only passwords, early users had weaker password requirements than later customers. This allowed hackers to crack some master passwords through brute-force attacks. Several reports later emerged of hackers stealing large amounts of cryptocurrency, likely using private keys stored in compromised LastPass vaults.
A year before the LastPass incident, Australian company Click Studios faced a similar crisis with its Passwordstate manager. The company warned all customers to “reset all credentials” after hackers compromised its software update system to install malware on customer devices.
These incidents underscore the critical importance of strong master passwords for password manager users. They also raise questions about the security measures password management companies use to protect their systems and customer data. As these services become more popular and store increasingly sensitive information, they’re becoming more attractive targets for cybercriminals.
Dashlane has notified the affected customers whose encrypted vaults were stolen. The company’s spokespeople have not responded to requests for additional comment, and it remains unclear whether the hackers have made any demands or contacted Dashlane directly.