Latest Headlines from Nourish | The Nourish Mission

Dashlane says 2FA brute-force aimed to register new devices

What's happened

Dashlane has disclosed a coordinated brute-force campaign against its users, targeting 2FA protections to enable new-device registrations. Fewer than 20 vaults were downloaded before the operation was halted. Attackers abused the device-enrollment API, triggering automated account-lockouts. Dashlane has notified affected users; others are unaffected.

What's behind the headline?

What this shows about the risk surface

  • The attack exploited the device enrollment API to target a large number of accounts in parallel, relying on two-factor codes that remain valid for a limited window.
  • The attackers combined 2FA spraying with mass enrollment attempts, challenging rate-limiting assumptions and highlighting how safeguards can be bypassed when applied per-account rather than globally across services.
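
An added example, not from Dashlane or the cited reports: it shows why a lockout counted only per account can stay silent during a spray across many accounts, while a counter over distinct failing accounts flags it. The thresholds, event format and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; not Dashlane's actual values.
WINDOW_SECONDS = 300        # how long a failed attempt is remembered
PER_ACCOUNT_LIMIT = 5       # failed codes tolerated per account per window
GLOBAL_ACCOUNT_LIMIT = 20   # distinct failing accounts tolerated per window

def analyse(events):
    """events: time-ordered (timestamp_s, account, code_ok) tuples for 2FA
    submissions on a device-enrollment endpoint (hypothetical log format).
    Returns (accounts locked by the per-account rule,
             timestamp of the first cross-account alert, or None)."""
    per_account = defaultdict(deque)   # account -> failure timestamps
    failures = deque()                 # (timestamp, account) across all accounts
    in_window = defaultdict(int)       # account -> failures currently in window
    locked, alert_at = set(), None
    for ts, account, code_ok in events:
        if code_ok:
            continue
        # Per-account rule: what a lockout keyed only on the account sees.
        q = per_account[account]
        q.append(ts)
        while ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) > PER_ACCOUNT_LIMIT:
            locked.add(account)
        # Cross-account rule: count distinct accounts failing in the window.
        failures.append((ts, account))
        in_window[account] += 1
        while ts - failures[0][0] >= WINDOW_SECONDS:
            _, old = failures.popleft()
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
        if alert_at is None and len(in_window) > GLOBAL_ACCOUNT_LIMIT:
            alert_at = ts
    return locked, alert_at

# Constructed sample: 100 accounts, 3 wrong codes each, one attempt per second.
SPRAY = [(r * 100 + a, f"user{a:03d}", False) for r in range(3) for a in range(100)]
# Constructed sample: one account, 10 wrong codes in 10 seconds.
SINGLE = [(t, "user000", False) for t in range(10)]

if __name__ == "__main__":
    print("spray :", analyse(SPRAY))    # no lockouts, alert at t=20
    print("single:", analyse(SINGLE))   # user000 locked, no alert
```

In the constructed spray no account ever crosses the per-account limit, so only the cross-account counter fires; the single-account run shows the opposite case.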

Why Dashlane’s response matters

  • Automatic account lockouts triggered by high-volume attempts appear to have mitigated broader damage, protecting most users while forcing attackers to pivot.
  • The incident underscores the need for multi-layered defenses, including hardware-backed or app-based second factors and stronger monitoring of abnormal enrollment patterns.

Implications for users

  • Even with encryption, vaults can be at risk if 2FA can be defeated; strong master passwords and 2FA methods with hardware keys remain critical.
  • Users should remain vigilant for unexpected device enrollment requests and ensure recovery options are up to date.

How we got here

Dashlane has identified a coordinated attack that exploited its device-enrollment flow to brute-force one-time codes and attempt to download encrypted vaults. The company says the incident affected a small subset of users and involved a broader campaign using device registration requests across many accounts to improve success odds.

Our analysis

Reports from Ars Technica and TechCrunch, consolidated on Jun 2–4, 2026, detail the brute-force and 2FA-spraying mechanics and the company’s response.

More on these topics

  • Dashlane - Password management software

    Dashlane is a subscription-based password manager and digital wallet application available on macOS, Windows, iOS and Android. Dashlane uses a freemium pricing model.

