Dashlane attackers exploited device registration to steal vaults
Original: Dashlane explains how attackers managed to download encrypted password vaults
Why This Matters
Demonstrates evolving attack methods against password managers through API abuse.
Password manager Dashlane revealed that attackers exploited its device registration APIs in a coordinated campaign targeting a large number of users. Fewer than 20 encrypted password vaults were downloaded before the attack was shut down. The campaign started on Sunday and targeted personal plan customers.
Dashlane disclosed that attackers mounted a coordinated campaign abusing its device enrollment mechanism to steal encrypted password vaults. The threat actors targeted the API endpoints for device registration with brute-force attacks, sending automated requests against a large number of existing users' email addresses. By targeting many accounts simultaneously, the attackers improved their odds of guessing the six-digit one-time password required for device registration: attacking 1,000 accounts increased the odds to 1 in 1,000, versus 1 in 1 million for a single account. Dashlane's automated security systems triggered account lockouts as intended. Before full mitigation, however, the attackers generated valid tokens for fewer than 20 personal plan customers, allowing them to register new devices and download those users' vaults. The downloaded vaults remain encrypted and require the master password for decryption.
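As an added example (not Dashlane's code or the article's), the model below shows why spreading one-time-password guesses across many accounts improves the attacker's odds without tripping per-account lockouts, and a defender-side check that counts distinct accounts per source instead; the source addresses, account names and thresholds are constructed.

```python
"""Added example, not Dashlane's code: models the cross-account OTP
guessing described above and a lockout check that is not per-account."""
from collections import defaultdict

OTP_SPACE = 10**6  # a six-digit one-time password has one million values


def spray_success_probability(accounts: int, guesses_per_account: int = 1) -> float:
    """Chance that at least one guess succeeds when guesses are spread over
    many accounts. One guess per account across 1,000 accounts gives about
    1 in 1,000; a single guess at a single account gives 1 in 1,000,000."""
    total = accounts * guesses_per_account
    return 1.0 - (1.0 - 1.0 / OTP_SPACE) ** total


# Constructed sample of device-registration OTP checks: (source, account, ok).
# Every account sees a single failure, so a per-account lockout never fires.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "alice@example.com", False),
    ("203.0.113.7", "bob@example.com", False),
    ("203.0.113.7", "carol@example.com", False),
    ("203.0.113.7", "dave@example.com", False),
    ("203.0.113.7", "erin@example.com", False),
    ("203.0.113.7", "frank@example.com", True),   # the one guess that landed
    ("198.51.100.2", "grace@example.com", False),  # an ordinary typo
    ("198.51.100.2", "grace@example.com", True),
]


def per_account_lockouts(attempts, max_failures: int = 3) -> set:
    """The classic control: lock an account after too many failed OTPs.
    Returns the accounts it would lock; against this spray, none."""
    failures = defaultdict(int)
    for _, account, ok in attempts:
        if not ok:
            failures[account] += 1
    return {a for a, n in failures.items() if n >= max_failures}


def cross_account_spray_sources(attempts, distinct_accounts: int = 5) -> set:
    """Complementary control: count distinct accounts a single source has
    failed OTPs for. One guess per account stands out here even though no
    individual account is over its own limit."""
    touched = defaultdict(set)
    for source, account, ok in attempts:
        if not ok:
            touched[source].add(account)
    return {s for s, accts in touched.items() if len(accts) >= distinct_accounts}


if __name__ == "__main__":
    print(f"1 account: {spray_success_probability(1):.2e}, 1,000 accounts: {spray_success_probability(1000):.2e}")
    print("per-account lockouts:", per_account_lockouts(SAMPLE_ATTEMPTS))
    print("spraying sources:", cross_account_spray_sources(SAMPLE_ATTEMPTS))
```

A source address is a weak pivot on its own, since it can be rotated, so the same distinct-account counting is worth running globally on the registration endpoint as well.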