
Dashlane Says Hackers Used Brute-Force Attacks To Download Encrypted Vaults Via 2FA
Key Takeaways
- Coordinated brute-force attack targeted Dashlane's 2FA to access vaults.
- Fewer than 20 user vaults were downloaded before shutdown.
- Internal infrastructure not breached; traffic from attackers was blocked.
Dashlane 2FA brute-force
Dashlane said attackers mounted a coordinated hacking campaign against a large base of its users to recover encrypted password vaults by targeting its two-factor authentication (2FA) system.
“A team of researchers from ETH Zurich and the Università della Svizzera Italiana in Switzerland has discovered vulnerabilities in several password managers, namely Bitwarden, Dashlane, and LastPass”
In Dashlane’s account, the threat actor brute-forced the device-registration API endpoints by sending a large volume of automated requests, and Dashlane said its automated security systems triggered an automatic lockout of the targeted accounts.

Dashlane also said fewer than 20 personal user vaults were downloaded before it shut down the operation, and that vault contents remain unreadable until a user enters the master password.
Ars Technica described Dashlane’s device enrollment flow as requiring a one-time six-digit token sent to a user’s registered email address, or a six-digit code from an authentication app when 2FA is enabled, before Dashlane approves enrollment and sends a copy of the encrypted vault to the device.
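As an added illustration, not Dashlane's code and not drawn from any of the cited reports, the following sketch shows the server-side check a six-digit enrollment code needs to survive the kind of automated guessing described above: a per-account failure cap that locks the pending enrollment, a validity window, and a constant-time comparison. The attempt cap, validity window, and status strings are assumed policy values, not Dashlane's.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_SPACE = 10**6        # six-digit codes: 000000 .. 999999
MAX_ATTEMPTS = 5          # assumed policy: failed checks allowed before lockout
CODE_TTL_SECONDS = 600    # assumed policy: how long an issued code stays valid


@dataclass
class Enrollment:
    code: str          # the one-time code sent out of band (email or TOTP app)
    issued_at: float
    failures: int = 0
    locked: bool = False


class EnrollmentVerifier:
    """Server-side verification of one-time device-enrollment codes."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, ttl: float = CODE_TTL_SECONDS):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.pending: dict[str, Enrollment] = {}

    def issue(self, account: str, now: float) -> str:
        # A fresh, uniformly random code replaces any earlier pending one.
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.pending[account] = Enrollment(code, now)
        return code

    def verify(self, account: str, submitted: str, now: float) -> str:
        e = self.pending.get(account)
        if e is None:
            return "no_pending"
        if e.locked:                      # lockout persists even for the right code
            return "locked"
        if now - e.issued_at > self.ttl:  # stale code: discard, client must re-enroll
            del self.pending[account]
            return "expired"
        if hmac.compare_digest(e.code, submitted):
            del self.pending[account]     # one-time: cannot be replayed
            return "ok"
        e.failures += 1
        if e.failures >= self.max_attempts:
            e.locked = True               # this is the event worth alerting on
            return "locked"
        return "wrong"


def guess_success_probability(attempts: int, space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, space) / space
```

With the cap in place each pending code can absorb only `max_attempts` guesses, so the per-enrollment success chance is `max_attempts / 10**6` rather than growing with request volume, and every lockout is a concrete signal for detection.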
Encryption claims and limits
Dashlane confirmed that approximately 20 encrypted user vaults were downloaded during the attack, while the company stressed that stolen data remains secure due to strong encryption protections.
Tech Times added that accessing vault contents requires a Master Password, which is not stored by Dashlane and is essential for decrypting stored credentials, and that without it the exposed data is considered unreadable.

Gadgets 360 reported that Dashlane said an “external party” launched a “brute force attack” against “certain” user accounts on May 31, and that the company said its vault encryption makes such attempts “statistically unlikely to succeed.”
Le Temps cited EPFL researchers who analyzed the security architecture of Bitwarden, LastPass, and Dashlane, and the article quoted Matilda Backendal saying, “we have demonstrated that this is not the case.”
Broader password-manager risk
Beyond Dashlane’s incident, 01net reported that researchers from ETH Zurich and the Università della Svizzera Italiana discovered vulnerabilities in Bitwarden, Dashlane, and LastPass, and said the “zero-knowledge encryption” model does not always live up to its promises.
“Dashlane said that attackers mounted a coordinated hacking campaign against a large base of its users in an attempt to recover as many encrypted password vaults as possible”
01net said the researchers designed 25 different cyberattacks and that a compromised server could access encrypted data under precise conditions, including through features like account recovery and vault sharing.
The article also described a Dashlane-specific issue tied to compatibility with older versions, saying a hacker who controls a server can force the app to switch to an older, weaker system and then “send thousands of decryption attempts to the server,” with the operation taking about 125 days.
In response to the broader critique, 01net quoted lead researcher Matteo Scarlata telling Ars Technica that the “zero knowledge” term seems to mean different things to different companies, and that the term no longer has much to do with the mathematical concept of a zero-knowledge proof.