Latest Headlines from Nourish | The Nourish Mission

Dashlane 2FA breach affects under 20 vaults

What's happened

Dashlane reports that a coordinated brute-force attack targeted its device-enrollment API, leading to the unauthorized download of fewer than 20 encrypted password vaults. The company has notified affected users and says all others are unaffected. The incident highlights weaknesses in 2FA enrollment and the risk of rapid credential access once that step is bypassed.

What's behind the headline?

Key takeaways

  • The attack targeted 2FA protections during device enrollment, not the core Dashlane vaults. This shows attackers seek to bypass access controls rather than break vault encryption.
  • Fewer than 20 vaults were downloaded, suggesting a narrow target set or effective mitigations.
  • Dashlane indicates no evidence of compromise to its own systems, pointing to a client-side or API-level vulnerability rather than a server breach.
  • The incident underscores the importance of robust device enrollment protections, rate limiting, and user vigilance around phishing and credential reuse.
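The rate limiting named in the last takeaway is the control that turns guessing a second factor at an enrollment endpoint from a fast brute-force into a multi-year exercise. The following is an added example, not Dashlane's code and not based on any detail of its API: it models a device-enrollment OTP check with a per-account sliding-window attempt budget and temporary lockout. The attempt budget, window, lockout length, six-digit code format and account identifier are all assumptions chosen for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

# Assumed policy values for the illustration (not Dashlane's real settings).
MAX_ATTEMPTS = 5          # failed OTP checks tolerated per sliding window
WINDOW_SECONDS = 300      # length of the sliding window
LOCKOUT_SECONDS = 900     # enrollment locked for this long after the budget is spent
CODE_DIGITS = 6           # assumed OTP length


class EnrollmentOtpVerifier:
    """Checks an OTP presented when registering a new device for an account.

    Failed attempts are counted per account in a sliding window; exceeding the
    budget locks enrollment for that account for LOCKOUT_SECONDS. The clock is
    injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # account -> timestamps of failed attempts
        self._locked_until = {}               # account -> lockout expiry time

    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def verify(self, account, presented_code, expected_code):
        """Return 'ok', 'rejected' or 'locked' for one enrollment attempt."""
        now = self._clock()
        if self.is_locked(account):
            return "locked"          # do not even evaluate the code while locked
        self._prune(account, now)
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(presented_code.encode(), expected_code.encode()):
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account].clear()
            return "locked"
        return "rejected"


class FakeClock:
    """Deterministic clock for tests and the demo below."""

    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def max_guesses_per_day():
    """Upper bound on OTP guesses one account can receive per day under this policy."""
    return MAX_ATTEMPTS * (86400 // LOCKOUT_SECONDS)


def fraction_of_code_space_per_day():
    """Share of the CODE_DIGITS-digit code space an attacker can cover in a day."""
    return max_guesses_per_day() / (10 ** CODE_DIGITS)


if __name__ == "__main__":
    clock = FakeClock()
    verifier = EnrollmentOtpVerifier(clock=clock.now)
    account = "user@example.invalid"   # constructed sample account
    secret = "123456"                  # constructed sample OTP
    for guess in ("000000", "000001", "000002", "000003", "000004"):
        print(guess, "->", verifier.verify(account, guess, secret))
    print("correct code while locked ->", verifier.verify(account, secret, secret))
    clock.advance(LOCKOUT_SECONDS + 1)
    print("correct code after lockout ->", verifier.verify(account, secret, secret))
    print("max guesses/day:", max_guesses_per_day(),
          "fraction of space/day:", fraction_of_code_space_per_day())
```

With the assumed values an account absorbs at most 480 guesses a day, under 0.05% of a six-digit space, and the lockout refuses even the correct code until it expires, which is the behaviour a defender wants logged and alerted on rather than silently retried.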

What this implies for users

  • Users should review device lists and revoke unfamiliar devices.
  • Enabling strong master passwords and hardware-backed 2FA where available improves resilience.
  • Regularly updating apps and monitoring account activity remains crucial.

How we got here

Dashlane has confirmed that a coordinated campaign exploited the device-enrollment API to brute-force 2FA, enabling new-device registrations on a small set of accounts. The attack was shut down after a limited number of downloads, and notifications were issued to affected users. This follows prior password-manager breaches that underline the risk of credential theft in password vault services.

Our analysis

Dashlane security updates and coverage from Ars Technica and TechCrunch show throughlines: attackers exploited device enrollment, fewer than 20 accounts were affected, and Dashlane emphasizes targeted scope and follow-up notifications. Ars Technica provides detailed technical flow and the attacker’s methodology, while TechCrunch notes the lack of a broader system compromise and highlights related breaches in the password-manager space.

Go deeper

  • How many user accounts remain at risk and what is Dashlane doing to prevent future device-enrollment abuse?
  • Will Dashlane implement heightened rate limiting or additional verification steps for new device registrations?
  • What lessons should users take away about protecting vaults and master passwords?

More on these topics

  • Dashlane - Password management software

    Dashlane is a subscription-based password manager and digital wallet application available on macOS, Windows, iOS and Android. Dashlane uses a freemium pricing model.
