Dashlane reported a coordinated brute-force campaign targeting its 2FA protections to enable new-device registrations, with fewer than 20 vaults downloaded before the attack was halted. This page breaks down what happened, what you should do now, and what it could mean for password-manager security going forward. Explore common questions people have in the wake of this advisory and get clear, actionable steps you can take to protect your accounts.
Dashlane disclosed a coordinated brute-force campaign against its users that abused the device-enrollment flow to brute-force one-time codes and attempt vault downloads. Fewer than 20 vaults were accessed before the operation was stopped. Attackers tried to register new devices by exploiting the enrollment API, which triggered account lockouts as a defense. The incident affected a small subset of users, with broader system protections remaining intact for others.
If you’re a Dashlane user, review recent account activity and ensure 2FA is active and functioning. Update your master password if you suspect it’s compromised, enable any available security alerts, and watch for suspicious login attempts. Consider re-authenticating devices, logging out of sessions you don’t recognize, and keeping your device OS and apps up to date. Dashlane and security researchers recommend enabling all available protective measures and monitoring for unusual activity in the days ahead.
The incident highlights how attackers target device-enrollment flows and 2FA to broaden access. It’s likely to prompt vendors to harden device registration APIs, improve rate-limiting, monitor for automated brute-force patterns, and offer stronger, faster remediation steps for compromised devices. Industry watchers expect more rigorous 2FA safeguards and quicker breach notifications across password managers.
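As an added illustration (not Dashlane's code, and not taken from its advisory), the sketch below shows the kind of lockout a device-enrollment endpoint can apply: failed one-time-code checks are counted per target account in a sliding window, so the limit holds no matter which addresses the requests come from, and a locked account refuses even a correct code. The class and function names, the threshold of 5 failures, the 15-minute window and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

class EnrollmentGuard:
    """Counts failed enrollment-code checks per account; locks on excess."""
    def __init__(self, max_failures=5, window=900):  # assumed values
        self.max_failures = max_failures
        self.window = window                 # sliding window, in seconds
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked = set()

    def check(self, account, ts, code_ok):
        """Return 'enrolled', 'rejected' or 'locked' for one attempt."""
        if account in self.locked:
            # A locked account refuses even a correct code until reset,
            # otherwise the lockout would not stop a lucky later guess.
            return "locked"
        recent = self.failures[account]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if code_ok:
            recent.clear()
            return "enrolled"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "rejected"

def replay(events, guard=None):
    """Run (ts, account, source, code_ok) events; final outcome per account."""
    guard = guard or EnrollmentGuard()
    outcome = {}
    for ts, account, _source, code_ok in events:
        # The source address is deliberately not part of the counter key.
        outcome[account] = guard.check(account, ts, code_ok)
    return outcome

# Constructed sample events: (unix_ts, account, source_address, code_ok).
SAMPLE_EVENTS = [
    (1000, "alice@example.com", "198.51.100.7", False),
    (1005, "alice@example.com", "203.0.113.9", False),
    (1010, "alice@example.com", "192.0.2.44", False),
    (1015, "alice@example.com", "198.51.100.23", False),
    (1020, "alice@example.com", "203.0.113.80", False),  # fifth failure: lock
    (1025, "alice@example.com", "192.0.2.61", True),     # correct, still refused
    (1000, "bob@example.com", "192.0.2.10", False),      # a single typo
    (1030, "bob@example.com", "192.0.2.10", True),       # normal enrollment
]
```

Calling `replay(SAMPLE_EVENTS)` leaves the first account locked and the second enrolled; a per-address counter over the same events would never reach the threshold for any single source.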
If you were affected or noticed unusual activity, consider resetting affected vaults or re-securing them. For most users, changing the master password and re-authenticating devices is prudent. Always back up important data before changes and ensure your new credentials are unique and strong.
Practical steps include: enable or verify 2FA on your Dashlane account, review device registrations and revoke unknown devices, update the master password, audit other services for password reuse, and consider a password hygiene routine (unique, long passwords). Stay alert for phishing attempts that may accompany breach news.
Dashlane stated that vaults were accessed but not necessarily decrypted in this incident. The vaults are encrypted, and access requires the correct keys. The concern is limited to the subset involved; however, treating every breach as a risk encourages proactive protection—change passwords, monitor accounts, and enable all available security features.
There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.