Dashlane warns 20 encrypted vaults stolen in brute force attack

Original: Can't make sense of Dashlane's vault theft notification? You're not alone.

Why This Matters

Major password manager breach raises questions about 2FA security implementations

Password manager Dashlane disclosed that attackers obtained 20 encrypted user vaults through a brute force attack on two-factor authentication protections starting May 31, 2026. The company provided limited details, leaving users confused about the attack mechanics.

Dashlane published a security advisory warning that external attackers launched a brute force attack against user accounts to bypass 2FA protections and register new devices. The company stated that 20 encrypted vaults were compromised but provided minimal technical details. Users reported receiving unexpected 2FA requests and expressed frustration at learning about the breach through social media rather than direct communication from Dashlane. Security experts questioned the feasibility of brute-forcing typical 6-digit codes within the 3-hour validity window, noting it would require submitting around 150,000 attempts per hour. The advisory's vague language about rate limiting and server capacity during such high-volume attacks has left the security community puzzled about the actual attack methodology.
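The arithmetic behind the feasibility question above, together with the kind of per-code failure cap that keeps such guessing impractical, as an added example that is not taken from Dashlane's advisory or the original article. The 6-digit code space, the 3-hour window and the 150,000 attempts per hour come from the text; the failure cap of 5 and all function and class names are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_SPACE = 10 ** 6          # 6-digit codes, as described in the article
VALIDITY_SECONDS = 3 * 3600   # 3-hour validity window, as described in the article
MAX_FAILURES = 5              # assumption: illustrative per-code failure cap


def guess_success_probability(attempts, code_space=CODE_SPACE):
    """Chance that `attempts` distinct guesses hit one fixed, uniformly random code."""
    return min(attempts, code_space) / code_space


class CodeChallenge:
    """One issued code; burned on expiry, on success, or after too many failures."""

    def __init__(self, now=None):
        self.code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.issued_at = time.time() if now is None else now
        self.failures = 0
        self.burned = False

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.burned or now - self.issued_at > VALIDITY_SECONDS:
            self.burned = True
            return False
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.burned = True  # single use: a verified code cannot be replayed
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.burned = True  # caller must issue a fresh code after this
        return False
```

Without a cap, 150,000 guesses per hour over the full window covers 45% of the code space; with the cap, each issued code is exposed to at most 5 guesses. The cap only bounds guesses per issued code, so the number of codes issued per account in a given period needs its own limit.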

Source

arstechnica.com