Dashlane says attackers stole some customers' encrypted password vaults

Dashlane says about 20 accounts were accessed after attackers brute-forced 2FA to register new devices and download vaults.


Why it matters

Password managers concentrate sensitive credentials in one place by design. Dashlane says this was not a backend breach, but attackers still got encrypted vault files after defeating account-level 2FA controls.


Dashlane says attackers accessed about 20 customer accounts and downloaded at least a dozen encrypted password vaults after brute-forcing its two-factor authentication system, according to TechCrunch and Dashlane's own security advisory.

The incident is a direct hit to the trust model behind password managers: customers hand one product the keys to many other services, then rely on encryption and account controls to keep that concentration of risk contained. Dashlane says the stolen vaults remain encrypted and cannot be read without each customer's master password, which Dashlane says is known only to the customer and is not uploaded to Dashlane in plaintext.

What Dashlane says happened

In a security advisory, Dashlane described the attack as an effort to defeat two-factor authentication rather than a compromise of Dashlane's backend systems. Dashlane wrote: "The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts."

Dashlane said attackers used automated software to rapidly submit possible numeric 2FA codes before the short-lived codes expired. Once attackers registered new devices on some accounts, they were able to download encrypted vaults for those users, according to TechCrunch's report by Zack Whittaker (@zackwhittaker).

Dashlane's incident page said there was no evidence that Dashlane's own systems were compromised, according to the available reporting. That distinction narrows the event from a platform-wide infrastructure breach to an account-access incident, but it does not erase the risk for the customers whose vault files were taken.

The risk sits with the master password

The practical question is whether attackers can decrypt the copied vaults. Dashlane says the answer depends on the affected customer's master password. If the master password is strong and unique, the encrypted vault should remain unreadable under Dashlane's stated design. If the master password is weak or guessable, Dashlane warned that the customer's vault could be at greater risk.

That is the uncomfortable trade-off in consumer and business password management. A password manager can reduce reused or weak passwords across the web, but the master password becomes an unusually high-value secret. Two-factor authentication is meant to reduce the chance that a stolen or guessed password is enough to get in. Dashlane's disclosure says attackers found a path through that layer for a small number of accounts.

Dashlane said it notified the roughly 20 affected customers, according to TechCrunch. Dashlane has not said, in the materials available, whether the affected users were selected because of their identities, employers, roles, or the contents attackers expected to find in their vaults. Dashlane also said it had taken steps to reduce the risk of future incidents, but the available advisory language does not specify those mitigations.

Dashlane's enterprise security pitch now faces a live test

Dashlane is not just selling a consumer password vault. Dashlane's current homepage positions Dashlane as an "intelligent credential security platform" for businesses, with an Omnix product that Dashlane says gives admins visibility into logins missed by single sign-on, detects in-browser phishing risk, and flags password issues at the point of use. Dashlane says more than 25,000 brands use Dashlane, and Dashlane's site names customers including Michelin, Air France, and Forrester.

Those are company-supplied claims, but they explain why this incident matters beyond the affected account count. Dashlane is asking companies to trust Dashlane not only as a password locker, but as a control plane for employee credential risk. A 2FA brute-force incident that allowed new device registration tests the same control plane Dashlane markets to security teams.

The disclosed numbers are small: about 20 accounts accessed and at least a dozen encrypted vaults downloaded. The unanswered questions are larger: how Dashlane's 2FA controls allowed rapid code attempts, whether rate limits or device-registration checks failed, and what specific defenses Dashlane changed after the weekend attack. Without those details, customers are left to evaluate the incident mostly through Dashlane's assurances about encryption and master-password design.
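The mechanism described above (rapid submission of numeric codes before they expire) and the open question about rate limits come down to one control: how many failed code attempts an account tolerates per code lifetime. The following is an added illustration, not Dashlane's code and not a description of how Dashlane's 2FA actually works; the 30-second code lifetime and the five-failure cap are assumed values chosen for the example.

```python
import hmac
from collections import defaultdict

CODE_SPACE = 10 ** 6          # six-digit numeric 2FA codes
WINDOW_SECONDS = 30           # assumed code lifetime; the advisory only says "short-lived"
MAX_FAILURES_PER_WINDOW = 5   # hypothetical policy, not Dashlane's actual setting


def guess_success_probability(attempts):
    """Chance that `attempts` distinct guesses within one code lifetime hit the valid code."""
    return min(1.0, attempts / CODE_SPACE)


class OtpVerifier:
    """In-memory 2FA code verifier. With max_failures=None it accepts unlimited
    attempts, which is the condition that makes rapid code enumeration practical."""

    def __init__(self, max_failures=MAX_FAILURES_PER_WINDOW):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # (account, window) -> failed attempts
        self.locked = set()               # accounts that need an out-of-band unlock

    def verify(self, account, submitted, expected, now):
        """Return 'ok', 'bad_code' or 'locked'. `now` is a unix timestamp in seconds."""
        if account in self.locked:
            return "locked"
        key = (account, int(now // WINDOW_SECONDS))
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(submitted, expected):
            return "ok"
        self.failures[key] += 1
        if self.max_failures is not None and self.failures[key] >= self.max_failures:
            # Lock the account: new-device registration stays blocked until the
            # user is re-verified through a second channel.
            self.locked.add(account)
            return "locked"
        return "bad_code"


def attempts_until_outcome(verifier, account, expected, now):
    """Test harness for the control: submit every code in order and report how the
    verifier responds. Returns (final_result, attempts_made)."""
    for n in range(CODE_SPACE):
        result = verifier.verify(account, f"{n:06d}", expected, now)
        if result in ("ok", "locked"):
            return result, n + 1
    return "bad_code", CODE_SPACE
```

With the cap in place the harness is stopped after five attempts, so a single window gives a guesser a 5-in-a-million chance; without it the same harness walks the whole code space, which is the situation the advisory describes.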
