Skip to main content
Emerging ThreatsData Breaches

Dashlane Exposes Brute-Force Attack on User Accounts

Laptop login screen on a home office desk with soft natural light.

"We have directly notified each of these users," Dashlane said on May 31, 2026, after disclosing that an external actor downloaded encrypted vaults belonging to fewer than 20 personal-plan customers following a brute-force attack.

The brute-force attack and 2FA bypass attempts

Dashlane reported that an "external" threat actor launched a brute-force campaign against certain user accounts with the explicit aim of defeating two-factor authentication (2FA) protections and registering new devices on existing accounts. The company said the assault focused on overwhelming authentication controls with a high volume of attempts, and that those attempts in turn triggered temporary account suspensions and other authentication interruptions produced by Dashlane's built‑in security controls.

Scale and immediate impact: fewer than 20 vaults downloaded

Dashlane said the precise number of accounts targeted is unknown, but that attackers succeeded in a "handful of cases," enabling them to download copies of encrypted vaults belonging to fewer than 20 users on the personal subscription plan. Access to affected accounts has since been restored, and the company stated that it has directly notified each impacted user. Dashlane added: "If you're a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account."

Encryption, Master Passwords, and remaining risk

Crucially, Dashlane emphasized that the downloaded vault data remain encrypted and cannot be opened without the user's Master Password. The company wrote that unless a Master Password is "trivial and highly predictable," it is unlikely that attempts to crack open the vault will succeed. In other words, the downloaded files themselves are not an immediate plaintext disclosure — the strength and uniqueness of individual Master Passwords determine whether an adversary can extract stored secrets.

Dashlane's controls, internal systems, and user guidance

Dashlane also made clear that its internal systems were not affected by the incident. The company's defenses — from automatic account suspensions to other authentication protections — detected the volume of brute-force attempts and produced interruptions that limited some of the actor's activities. As a precaution, Dashlane advised users to review registered devices on their accounts and remove any they do not recognize, enable 2FA, and use a Master Password that is "long, unique, and difficult to guess."

What this means for end users, security teams, and threat actors

  • End users: Personal-plan customers who received direct notification should treat their Master Password as the key risk vector; if it is weak or reused, the encrypted vaults could be vulnerable. All users are advised to review registered devices and enable or strengthen 2FA.
  • Security teams and technologists: The incident highlights how high-volume authentication attempts can interact with adaptive defenses to produce service interruptions; teams should monitor for similar patterns and validate device-registration and 2FA workflows under attack scenarios.
  • Threat actors: The actor in this case sought device registration as a path around 2FA. While downloads were limited to fewer than 20 personal-plan vaults, the approach — sustained brute force against authentication and device enrollment mechanisms — is a tactic other adversaries may emulate.

Dashlane's disclosure leaves two concrete takeaways. First, the company’s controls detected and limited large-scale activity, and its internal systems remain unaffected. Second, the downloaded vaults remain encrypted and therefore hinge on the strength of individual Master Passwords; users who follow the company's guidance — review devices, enable 2FA, and adopt long, unique Master Passwords — reduce the practical risk posed by the downloads.

Dashlane has restored access for affected accounts and directly notified impacted users; the identity of the attacker remains unknown. For users and observers alike, the incident is a reminder that even when service infrastructure holds firm, the ultimate security of encrypted data can rest on choices made at the account level.

Original story