Skip to main content
Emerging ThreatsMalware & Ransomware

Dashlane Bolsters Defenses After Brute Force Attacks Lock Out Users

Senior director stands in a brightly-lit security operations center with computer screens and keyboards.

"We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built‑in security controls. The affected accounts have now been unsuspended," said Jordan Fylolenko, Dashlane Senior Director of Corporate Communications.

Dashlane's timeline and public statements

Dashlane logged an investigation into suspicious activity on May 31 at 15:19 UTC, according to the company’s status page, and by 22:30 UTC the incident was marked as "RESOLVED." A follow‑up update on June 1 at 07:32 UTC reiterated that affected accounts had been unsuspended and that the company was monitoring the situation while implementing additional targeted measures.

In a statement to BleepingComputer, Dashlane characterized the events as a brute‑force attack against "certain Dashlane user accounts" and maintained that there was "no evidence of compromise of Dashlane’s systems," while noting its team was "actively engaged in this issue and taking measures to further protect customers."

How the brute‑force activity appeared to users

Users first reported the issue on Reddit, where many said they had received notices of suspicious access requests that appeared to come from foreign countries. The emails included verification codes intended for legitimate account owners to register new devices — codes recipients said they had not requested. That mismatch prompted some users to test whether the messages were phishing attempts aimed at Dashlane customers.

Hours after the Reddit reports, Dashlane staff responded in certain threads to say the platform's systems were safe and that the alerts were triggered by brute‑force attempts: automated attempts to gain account access by trying multiple passwords in rapid succession.

Automated security controls: lockouts and unsuspensions

Dashlane says the account suspensions were the result of built‑in security controls designed to block automated attacks. The company framed the suspensions as an automated defense — a protective lockout that triggered after the platform detected repeated failed login attempts. Dashlane confirmed the affected accounts have since been unsuspended.

The public note on industry practice appended by the reporting described typical protections used by secure platforms — rate limiting, CAPTCHA challenges, and account lockouts — as measures to block automated brute‑force activity once thresholds of failed attempts are reached.

User experience after the incident and vendor responsiveness

Despite the status page listing the issue as resolved, some users continued to report login problems and said that Dashlane support was unresponsive. BleepingComputer reached out to Dashlane with additional questions, including requests to quantify the number of impacted accounts; at the time of publication Dashlane had not provided a response to those specific inquiries.

What this means for technologists, end users, and procurement leaders

  • Technologists and security teams: The event demonstrates automated defenses can trigger account suspension during brute‑force attempts; teams will watch whether Dashlane's "additional targeted measures" alter detection thresholds or user‑notification processes.
  • End users: Users faced unexpected verification codes and temporary lockouts, and several reported slow or absent support responses; affected individuals will likely expect clearer notifications and faster account recovery pathways following automated protections.
  • Procurement and enterprise buyers: Organizations that depend on third‑party password managers will note Dashlane’s assertion of "no evidence of compromise of Dashlane’s systems" while also tracking vendor transparency around impact metrics and incident communications.

Dashlane framed the suspensions as an automated, precautionary response to an external brute‑force effort and marked the situation resolved within hours on May 31, while confirming ongoing monitoring on June 1. Nonetheless, lingering user access problems and unanswered questions about how many accounts were affected leave concrete details to be clarified as Dashlane continues its follow‑up work.

Original report at BleepingComputer