
Dashlane Says Hackers Brute-Forced Its Two-Factor System, Exposing Encrypted Vaults
Key Takeaways
- External attackers brute-forced Dashlane's 2FA, gaining access to about 20 user vaults.
- Attack began May 31, 2026; affected roughly 20 accounts.
- Attackers attempted to register their devices by bypassing 2FA protections.
Brute-Force 2FA Bypass
Password manager Dashlane confirmed that a targeted brute-force attack aimed at its two-factor authentication (2FA) system exposed a small number of user password vaults, while the company said its internal infrastructure was not breached.
“There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults”
Dashlane said the attackers’ goal was to brute-force 2FA protections to allow them to register new devices on existing user accounts, using automated software to “rapidly submit every possible numeric combination to the system, hoping to guess the exact sequence before the short-lived security code expires”.

TechCrunch reported that Dashlane said hackers brute-forced its two-factor system, granting access to about 20 customer accounts, and that by defeating 2FA the hackers could download a copy of certain customers’ encrypted vaults.
Ars Technica later framed the advisory timeline as beginning with the words “Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” and described the attack as focused on the authentication layer rather than Dashlane’s core systems.
Notifications, Locks, and Limits
Dashlane said its security systems detected unusual activity and automatically locked affected accounts to prevent further unauthorized access attempts, and Tech Times reported that only a small number of users were affected and those impacted have already been notified.
SecurityWeek added that the attack was quickly detected and targeted accounts were automatically locked to limit impact, while Dashlane said the threat actor downloaded a copy of the encrypted vaults belonging to fewer than 20 personal plan users.
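
The arithmetic behind the brute-force description and the automatic account lock reported above can be shown in a short sketch. This is an added example, not Dashlane's code: the 6-digit code length, the five-failure threshold, the attempt rates and the names `unthrottled_success` and `SecondFactorGate` are all assumptions made for illustration.

```python
import hmac

CODE_DIGITS = 6  # assumption: the page does not state the code length


def unthrottled_success(attempts_per_window: int, windows: int,
                        digits: int = CODE_DIGITS) -> float:
    """Chance that at least one guess lands when nothing limits attempts.

    Each window has a fresh, uniformly random code; guesses inside one
    window are distinct, so a window is won with probability attempts/space.
    """
    space = 10 ** digits
    per_window = min(attempts_per_window, space) / space
    return 1.0 - (1.0 - per_window) ** windows


class SecondFactorGate:
    """Verifies codes and locks the account after too many failures."""

    def __init__(self, max_failures: int = 5):  # hypothetical threshold
        self.max_failures = max_failures
        self.failures = {}   # account -> failures since last success
        self.locked = set()

    def verify(self, account: str, submitted: str, expected: str) -> str:
        if account in self.locked:
            return "locked"  # refuse without comparing the code at all
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self.failures[account] = 0
            return "ok"
        # The counter is per account, so a new code does not reset it.
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "denied"

    def worst_case_success(self, digits: int = CODE_DIGITS) -> float:
        """Union bound: at most max_failures guesses reach a comparison."""
        return self.max_failures / 10 ** digits
```

With these constructed numbers, 1,000 guesses in each of 1,000 code windows succeeds about 63% of the time when nothing limits attempts, while a five-failure lock caps the chance at 5 in 1,000,000 per account.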

Ars Technica described user confusion around the mechanics of the notifications, quoting a UK-based user who said, “Then [I] discovered this news from Mastodon infosec and not Dashlane themselves,” after receiving a 2FA request.
Engadget said “traffic from threat actors has been blocked,” and that impacted users have been notified while Dashlane recommended reviewing which devices are associated with an account, enabling two-factor authentication, and using a stronger Master Password.
Encrypted Data and Next Steps
Across coverage, Dashlane emphasized that the downloaded vault data remained encrypted and could not be accessed without the Master Password, with Tech Times stating that the Master Password “is not stored by Dashlane and is essential for decrypting stored credentials.”
“Password management and credential security solutions provider Dashlane revealed on Monday that it has been targeted in a brute-force attack campaign that resulted in a limited number of encrypted vaults being downloaded by the attackers”
TechCrunch similarly said the stolen vaults are scrambled and cannot be read without the customer’s master password, and Ars Technica described how brute-forcing depends on repeatedly submitting combinations within a short window.
The Hacker News reported that Dashlane said, “We have directly notified each of these users,” and added that if a Dashlane user had not received a message specific to vault risk, there was “no impact to your Dashlane account.”
As a precautionary measure, Dashlane advised users to review devices registered to their accounts and remove those they do not recognize, enable 2FA, and use a strong Master Password that is “long, unique, and difficult to guess,” according to The Hacker News.