Dashlane Faces Security Concerns Amid Brute Force Attack
There’s a lot that doesn’t add up in password manager Dashlane’s recent security advisory released on Monday, which warned that attackers managed to obtain 20 encrypted user vaults. The advisory has raised questions among users and experts alike about the robustness of Dashlane’s security measures.
The Incident: A Closer Look
“Starting Sunday, May 31, 2026, an external third party launched a brute force attack against certain Dashlane user accounts,” the company stated. “The goal of the attack was to brute force two-factor authentication (2FA) protections to allow the attacker to register new devices to existing user accounts.”
Confusion and Concerns Among Users
A Dashlane user who received a suspicious 2FA request provided a screenshot of the notification, which they received on Sunday.
This UK-based user was understandably concerned and reached out to Dashlane via a support bot. However, they were left without any clear information about the notification’s origin.
“I found out about this news from Mastodon infosec and not from Dashlane itself,” the user reported. “I’m currently trying to find out what happened! Because how can you trigger a 2FA request if you don’t have the password first? As a paying customer, I believe I should have been informed of this by Dashlane and not the IT security specialists at Mastodon.”
Understanding the Mechanics of the Attack
Many social media threads are filled with similar comments from users confused about the attack’s mechanics. Typically, 2FA protections involve a one-time password generated by an authenticator app or sent via SMS or email. These codes are generally six digits long and change every 45 seconds or so. However, as the notification above indicates, the code in this case remained valid for three hours.
Brute forcing is a trial-and-error method that systematically tries possible combinations until the correct one is found. With a six-digit code there are 1 million possible values. For the attack to have a realistic chance of succeeding, a significant percentage of those codes would need to be tried within the three-hour window.
While technically feasible, the resources required to bombard Dashlane servers with so many guesses in such a short time are not typical of most brute force attacks. Dashlane’s advisory notes, “Due to the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” This suggests some level of rate limiting may be in place, although it’s hard to imagine Dashlane’s servers not being overwhelmed by 150,000 or more submissions in about an hour.
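To put numbers on the argument above, the following added example (not Dashlane's code; the lockout threshold, window and log lines are constructed assumptions, since the advisory only says targeted accounts were locked automatically) computes the attacker's odds for a given number of guesses at a six-digit code, the guess rate needed to cover part of the code space within the validity window, and how a per-account lockout caps those odds:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CODE_SPACE = 10**6  # a six-digit one-time code has one million possible values


def success_probability(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses hit a single fixed code."""
    return min(attempts, code_space) / code_space


def guesses_per_second(fraction: float, window_seconds: float,
                       code_space: int = CODE_SPACE) -> float:
    """Sustained guess rate needed to cover `fraction` of the code space in the window."""
    return fraction * code_space / window_seconds


class AccountLockout:
    """Hypothetical policy: lock an account after `max_failures` failed 2FA attempts in a sliding window."""

    def __init__(self, max_failures: int = 10, window: timedelta = timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked = set()

    def record_failure(self, account: str, ts: datetime) -> bool:
        """Record one failed attempt; return True if the account is locked afterwards."""
        if account in self.locked:
            return True
        recent = self.failures[account]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked.add(account)
        return account in self.locked


def replay_log(lines, policy: AccountLockout):
    """Feed constructed 'timestamp account RESULT' lines to the policy; return sorted locked accounts."""
    for line in lines:
        ts, account, result = line.split()
        if result == "FAIL":
            policy.record_failure(account, datetime.fromisoformat(ts))
    return sorted(policy.locked)


# Constructed sample log: 12 failures against one account within 12 seconds, two stray entries elsewhere.
SAMPLE_LOG = [f"2026-05-31T10:00:{i:02d} alice FAIL" for i in range(12)] + [
    "2026-05-31T10:05:00 bob FAIL",
    "2026-05-31T10:06:00 bob OK",
]
```

With the constructed ten-attempt lockout, an attacker's chance per account drops to 10 in a million, whereas 150,000 unthrottled guesses would give a 15% chance within the window.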
Conclusion: A Call for Transparency
This incident highlights the need for transparency and effective communication from companies like Dashlane in the face of security breaches. Users deserve to be informed promptly and clearly about potential threats to their accounts, especially paying customers who rely on these services for security.
For further details, you can read the full advisory here.