Brute-Force Attack Leads to Encrypted Vault Theft from <20 Dashlane Users
What Happened – Dashlane disclosed that a threat actor performed a high‑volume brute‑force campaign against its device‑registration API, generating valid registration tokens for fewer than 20 personal‑plan customers. The attacker then registered a new device and downloaded copies of the users’ encrypted password vaults.
Why It Matters for TPRM –
- Encrypted vaults can be cracked offline if master passwords are weak, exposing credentials for downstream vendors.
- The incident highlights the risk of API‑level authentication flaws in SaaS security tools that many third parties rely on.
- Lack of timely, transparent communication can erode trust in a critical security vendor.
Who Is Affected – Consumers and enterprises that use Dashlane for password management, spanning all industry sectors that depend on strong credential hygiene.
Recommended Actions –
- Review your organization’s reliance on Dashlane (or similar password managers) and assess the strength of master passwords.
- Verify that multi‑factor authentication and device‑registration controls are enforced for all privileged accounts.
- Request evidence of the additional network‑level protections Dashlane has deployed.
Technical Notes – The attacker exploited the device‑registration API by repeatedly guessing one‑time tokens, a classic brute‑force vector. No evidence of internal system compromise was found. Stolen vaults remain encrypted but are vulnerable to offline password‑cracking. Source: Help Net Security
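The vector described above (an attacker cycling through one‑time registration tokens against a device‑registration endpoint) leaves a characteristic trace: many failed token verifications for one account from one source in a short window, often followed by a success. The following is an added detection example written for this digest; it is not Dashlane code, and the log format, field names and thresholds are assumptions. It parses constructed sample log lines, keeps a sliding window of failed verifications per (source, account) pair, and flags pairs that exceed a threshold, noting whether a successful registration followed the burst.

```python
"""Flag token-guessing bursts against a device-registration endpoint.

Added example (not Dashlane code). Assumptions: one log line per request
in the key=value format below; result values "token_invalid" and
"token_valid" mark failed and successful token verification.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample log lines (not real logs). user-b mistypes a token once,
# which is normal; user-a sees six failures in seconds and then a success,
# which is the brute-force pattern; the /login line is out of scope.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=198.51.100.5 account=user-b endpoint=/device/register result=token_invalid
2024-05-01T10:00:20Z src=198.51.100.5 account=user-b endpoint=/device/register result=token_valid
2024-05-01T10:01:00Z src=203.0.113.7 account=user-a endpoint=/device/register result=token_invalid
2024-05-01T10:01:01Z src=203.0.113.7 account=user-a endpoint=/device/register result=token_invalid
2024-05-01T10:01:02Z src=203.0.113.7 account=user-a endpoint=/device/register result=token_invalid
2024-05-01T10:01:03Z src=203.0.113.7 account=user-a endpoint=/device/register result=token_invalid
2024-05-01T10:01:04Z src=203.0.113.7 account=user-a endpoint=/device/register result=token_invalid
2024-05-01T10:01:05Z src=203.0.113.7 account=user-a endpoint=/device/register result=token_invalid
2024-05-01T10:01:06Z src=203.0.113.7 account=user-a endpoint=/device/register result=token_valid
2024-05-01T10:30:00Z src=203.0.113.9 account=user-c endpoint=/login result=password_invalid
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) account=(?P<account>\S+) "
    r"endpoint=(?P<endpoint>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    account: str
    endpoint: str
    result: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["src"], m["account"], m["endpoint"], m["result"])


def detect_token_bruteforce(log_text: str, *, endpoint: str = "/device/register",
                            window: timedelta = timedelta(minutes=5),
                            threshold: int = 5):
    """Return alerts as (src, account, failures_in_window, success_after).

    A (src, account) pair is flagged once its failed token verifications
    inside the sliding window reach `threshold`; the failure count keeps
    growing while the burst continues, and a later token_valid from the
    same pair is recorded as success_after=True (the vault-download risk).
    """
    recent = defaultdict(deque)  # (src, account) -> timestamps of recent failures
    alerted = {}                 # (src, account) -> [failures, success_after]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.endpoint != endpoint:
            continue
        key = (ev.src, ev.account)
        q = recent[key]
        if ev.result == "token_invalid":
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if key in alerted:
                alerted[key][0] = max(alerted[key][0], len(q))
            elif len(q) >= threshold:
                alerted[key] = [len(q), False]
        elif ev.result == "token_valid" and key in alerted:
            alerted[key][1] = True
    return [(src, acct, n, ok) for (src, acct), (n, ok) in alerted.items()]


if __name__ == "__main__":
    for src, acct, n, ok in detect_token_bruteforce(SAMPLE_LOG):
        print(f"ALERT src={src} account={acct} failures={n} success_after={ok}")
```

Alerts where `success_after` is true are the ones to triage first, since a registration that succeeded after a burst is exactly the event that precedes a vault download; the same per-(source, account) window is also the natural place to enforce a server-side rate limit or lockout so the burst never reaches a success.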