Brute‑Force Attack Exposes Encrypted Vaults of Fewer Than 20 Dashlane Users
What Happened — Dashlane disclosed that an external threat actor performed a brute‑force campaign against personal‑plan accounts, successfully bypassing two‑factor authentication and downloading the encrypted password vaults of fewer than 20 users. The stolen vaults remain encrypted, but the breach demonstrates that the 2FA protection was insufficient against sustained credential‑guessing attacks.
Why It Matters for TPRM —
- Password managers are a critical control for protecting privileged credentials across third‑party ecosystems.
- A breach, even of a small user set, signals a weakness that could be leveraged against larger enterprise deployments.
- Exposure of encrypted vaults may lead to future offline cracking attempts, increasing long‑term risk to any organization that relies on Dashlane for credential storage.
Who Is Affected — Consumer‑focused password‑manager users (personal subscription tier); enterprises that have delegated employee password‑manager licenses to Dashlane may also be indirectly impacted.
Recommended Actions —
- Verify that your organization’s Dashlane deployment enforces strong, unique passwords and monitors for anomalous login attempts.
- Review the effectiveness of 2FA mechanisms (prefer hardware‑based tokens over SMS or authenticator apps).
- Ensure encrypted vault backups are stored securely and consider rotating master passwords for any accounts that may have been compromised.
Technical Notes — The attack leveraged a brute‑force methodology to defeat 2FA, likely by exploiting rate‑limit gaps or reusable OTP codes. No public CVE was associated with the incident. Stolen data consisted of encrypted vault files; the encryption algorithm was not disclosed, but the vaults remain unreadable without the master password.
Source: The Hacker News
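As an added illustration of the monitoring called for above (this is example code written for this brief, not Dashlane's implementation, and the log format, field names and thresholds are assumptions), the following detector walks constructed authentication log lines and flags the two patterns named in the Technical Notes: a burst of OTP failures that a rate limit should have stopped, a success landing right after such a burst, and an OTP code accepted twice within its validity window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not Dashlane's):
# "<ISO-8601 UTC timestamp> <account> <otp_fail|otp_ok> <code>"
SAMPLE_LOG = """
2024-05-01T10:00:00Z alice otp_fail 118203
2024-05-01T10:00:02Z alice otp_fail 118204
2024-05-01T10:00:04Z alice otp_fail 118205
2024-05-01T10:00:06Z alice otp_fail 118206
2024-05-01T10:00:08Z alice otp_ok 118207
2024-05-01T11:00:00Z bob otp_ok 334455
2024-05-01T11:00:30Z bob otp_ok 334455
2024-05-01T12:00:00Z carol otp_fail 777001
2024-05-01T12:00:40Z carol otp_ok 777002
"""

FAIL_THRESHOLD = 3                      # assumed: OTP failures tolerated per window
FAIL_WINDOW = timedelta(seconds=60)     # assumed: sliding window for the failure count
REUSE_WINDOW = timedelta(seconds=90)    # assumed: a TOTP code must not be accepted twice

def parse_line(line):
    ts, account, event, code = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event, code

def detect(log_text):
    """Return (account, alert, timestamp) tuples for OTP brute-force and replay."""
    alerts, flagged = [], set()
    fails = defaultdict(deque)      # account -> timestamps of recent OTP failures
    accepted = defaultdict(dict)    # account -> {code: time it was accepted}
    for line in log_text.strip().splitlines():
        ts, account, event, code = parse_line(line)
        recent = fails[account]
        while recent and ts - recent[0] > FAIL_WINDOW:
            recent.popleft()                  # drop failures outside the window
        if event == "otp_fail":
            recent.append(ts)
            if len(recent) > FAIL_THRESHOLD and account not in flagged:
                alerts.append((account, "otp_bruteforce", ts))
                flagged.add(account)          # one alert per account per burst
        elif event == "otp_ok":
            seen = accepted[account].get(code)
            if seen is not None and ts - seen <= REUSE_WINDOW:
                alerts.append((account, "otp_replay", ts))   # reusable/replayed code
            accepted[account][code] = ts
            if len(recent) > FAIL_THRESHOLD:  # success right after a guessing burst
                alerts.append((account, "otp_success_after_burst", ts))
    return alerts
```

Run against SAMPLE_LOG, detect() flags alice for the failure burst and the success that follows it, and bob for the re-accepted code, while carol's single miss raises nothing.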