Dashlane Investigates Attack That Allowed Hackers to Download Encrypted User Vaults
Password management company Dashlane has completed an investigation into a security incident that resulted in attackers downloading encrypted vault data from a small number of user accounts. The company confirmed that all affected customers have been notified and additional security measures have been deployed.
How the attack happened
The incident began on May 31 when attackers targeted Dashlane users by brute-forcing the codes used in its two-factor authentication (2FA) flow. By submitting authentication attempts repeatedly until a guess matched, the attackers were able to register new devices on the targeted accounts.
Dashlane explained that its security systems detected the unusual activity and automatically locked many of the targeted accounts. However, before access was fully blocked, the attackers managed to download encrypted vault copies from around 20 personal plan accounts.
What data was accessed
The company clarified that the attackers obtained encrypted vault data only, not decrypted content. Dashlane emphasized that:
- Vault data cannot be accessed without the Master Password
- The encryption system uses strong cryptographic standards including Argon2 for key derivation, AES-256-CBC for encryption, and HMAC-SHA256 for integrity
- Master Passwords are never sent to or stored on Dashlane servers; key derivation happens on the user's device under its zero-knowledge architecture
The practical caveat is that a downloaded vault is only as strong as its Master Password: whoever holds the ciphertext can test password guesses offline, slowed only by the Argon2 work factor, so affected users with weak or reused Master Passwords should change them.
Dashlane stated there is no evidence that its internal systems were compromised.
How device registration was abused
Normally, when a new device is added, Dashlane verifies the user through a one-time six-digit code sent to the registered email address. Users with 2FA enabled must also provide an authentication app-generated code.
Once verified, the new device is registered and receives a copy of the encrypted vault, which can only be decrypted using the Master Password.
Attackers exploited this flow by submitting codes repeatedly until a guess matched, which in some cases was enough to register an unauthorized device and receive the encrypted vault.
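The flow above hinges on a six-digit code, which has only one million possible values, so the verifier's attempt limit decides whether guessing is practical. The following toy model is an added example and not Dashlane's code; the class names, the attempt limit and the fixed test codes are assumptions chosen to illustrate the point. It runs the same brute-force loop against a verifier with no attempt limit and against one that locks the code after a few wrong guesses.

```python
"""Toy model of one-time-code device registration and why it needs an attempt limit.

Added example, not Dashlane's implementation. A six-digit code has 10**6
values; an attacker who may submit guesses without limit will always find
it, while a verifier that invalidates the code after a handful of wrong
guesses caps the attacker's chance at max_attempts / 10**6 per issued code.
"""
import hmac
import secrets

CODE_SPACE = 10**6  # six decimal digits


class RegistrationCodeVerifier:
    """Holds one issued code and checks guesses against it.

    max_attempts=None models a verifier with no limit (the weak setting);
    a small integer models a verifier that locks the code after that many
    wrong guesses (the hardened setting).
    """

    def __init__(self, max_attempts=None, code=None):
        # A fixed `code` is only for deterministic tests; real issuance is random.
        self.code = code if code is not None else f"{secrets.randbelow(CODE_SPACE):06d}"
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False
        self.registered = False

    def submit(self, guess):
        """Return True if `guess` matches and the device becomes registered."""
        if self.locked or self.registered:
            return False
        self.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(guess, self.code):
            self.registered = True
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True  # code is burned; a fresh one must be issued
        return False


def brute_force(verifier, budget=CODE_SPACE):
    """Enumerate codes in order; return the number of guesses used, or None if locked out."""
    for i in range(budget):
        if verifier.submit(f"{i:06d}"):
            return i + 1
        if verifier.locked:
            return None
    return None


def success_probability(max_attempts, code_space=CODE_SPACE):
    """Chance that an attacker guesses one issued code within the attempt limit."""
    return min(1.0, max_attempts / code_space)


if __name__ == "__main__":
    weak = RegistrationCodeVerifier(max_attempts=None, code="123456")
    print("no limit: found after", brute_force(weak), "guesses")
    strong = RegistrationCodeVerifier(max_attempts=5, code="123456")
    print("limit 5: result", brute_force(strong), "locked:", strong.locked)
    print("per-code success chance with limit 5:", success_probability(5))
```

The limit has to be bound to the whole registration request, not just to one code: if requesting a new code resets the counter, the attacker simply asks for a fresh code each time it locks, so the account or source address also needs a rate limit and a lockout, which is the behaviour the article describes Dashlane's systems as having triggered for many of the targeted accounts.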