Brute‑Force Attack Causes Temporary Account Lockouts for Dashlane Users
What Happened – Dashlane confirmed that an external actor performed a credential‑brute‑force campaign against user accounts, triggering the service’s automated device‑registration safeguards and resulting in temporary account suspensions and 2FA failures. The issue was first reported on May 31 2026 and was marked “resolved” but remains under monitoring.
Why It Matters for TPRM –
- Service‑availability risk for any organization that relies on Dashlane for password‑management.
- Potential for credential‑replay attacks if attackers obtain valid tokens during lockout cycles.
- Highlights the need to verify third‑party MFA resilience and incident‑communication processes.
Who Is Affected – SaaS‑based password‑manager users across all sectors (technology, finance, healthcare, etc.).
Recommended Actions –
- Verify that your organization’s Dashlane accounts have MFA enabled and review device‑registration policies.
- Conduct a short‑term audit of login‑failure alerts and lockout thresholds.
- Engage Dashlane account managers to obtain post‑mortem details and any hardening recommendations.
Technical Notes – The attack leveraged repeated invalid token submissions during device registration, activating Dashlane’s built‑in lockout logic. No vulnerability (CVE) was disclosed, and Dashlane reported no evidence of system compromise. Affected components: email notification service and 2FA token validation. Source: https://www.helpnetsecurity.com/2026/06/01/dashlane-brute-force-attack-user-accounts/