
Digital Event Horizon

Brute-Forcing 2FA: The Unsettling Pattern of Dashlane's Vault Theft Notification

A recent incident involving Dashlane has left users perplexed about the circumstances surrounding a brute-force attack on certain user accounts. Dashlane published an advisory warning about the problem but has provided little further information, which is adding to the confusion among its users.

  • A UK-based user received a 2FA request from Dashlane but did not receive any information on why, sparking confusion.
  • Dashlane's 2FA code remained valid for three hours instead of the usual 45 seconds, suggesting an unusual attack method.
  • Brute-forcing was likely used to guess the six-digit 2FA code within the three-hour window, which allows approximately one million possible combinations.
  • The strain on Dashlane servers from repeated login attempts would have been significant if there were no rate limits in place.
  • Possibilities for how attackers obtained encrypted vaults include 2FA fatigue attacks or device enrollment techniques.
  • Dashlane has contacted fewer than 20 account holders affected, but the incident remains unclear with limited information from the company.



Ars Technica recently reported a concerning incident involving the UK-based password manager Dashlane. A user expressed confusion and concern over receiving a notification requesting two-factor authentication (2FA) for their account, but received no information on why this was necessary or how it could be accomplished.

According to reports, numerous social media discussions have been filled with similar comments from users who also don't understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. These codes are usually six digits long and change every 45 seconds or so. However, in this instance, the code remained valid for three hours.

Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the right one. With a six-digit code that stays valid for three hours, there are approximately one million possible passcodes, and an attacker would have to enter a statistically significant fraction of them within that window.

The resources needed to flood Dashlane's servers with that volume of guesses exist, but they are not typical of ordinary brute-force attacks. The company does not explicitly state whether it rate-limits the number of submissions a user can make, although the language of its advisory suggests that it does. If there were no rate limiting, it is hard to imagine Dashlane's servers not temporarily choking under the strain of 150,000 or more submissions within an hour.
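To make the arithmetic behind the last three paragraphs concrete, here is an added Python example (not code from the article, from Ars Technica or from Dashlane). It computes the keyspace of a six-digit code, the guess rate an attacker would need to reach even odds within a 45-second versus a three-hour validity window, and then simulates a simple per-account failed-attempt limiter. The limiter is an assumed mitigation, not anything Dashlane has described, and its thresholds are illustrative.

```python
import math
from collections import defaultdict

# Figures taken from the article: six-digit codes, normally valid for
# about 45 seconds, but valid for three hours in this incident.
CODE_DIGITS = 6
NORMAL_LIFETIME_S = 45
EXTENDED_LIFETIME_S = 3 * 3600


def keyspace(digits: int = CODE_DIGITS) -> int:
    """Number of distinct numeric codes of the given length (10 ** digits)."""
    return 10 ** digits


def success_probability(attempts: int, space: int) -> float:
    """Chance that `attempts` distinct guesses include the one valid code.

    Assumes the code is uniformly random and guesses are never repeated,
    so the probability is attempts / space, capped at 1.
    """
    return min(attempts, space) / space


def guesses_per_hour_needed(space: int, lifetime_s: int, target_p: float = 0.5) -> float:
    """Guess rate (per hour) needed to reach `target_p` before the code expires."""
    needed = math.ceil(target_p * space)
    return needed / (lifetime_s / 3600)


class FailedAttemptLimiter:
    """Per-account cap on wrong 2FA submissions inside a sliding window.

    Assumed mitigation (not Dashlane's implementation): once `max_failures`
    wrong codes have been seen within `window_s` seconds, further attempts
    are refused until the oldest failure ages out of the window.
    """

    def __init__(self, max_failures: int = 5, window_s: int = 900):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(list)  # account -> timestamps of failures

    def allow(self, account: str, now: int) -> bool:
        recent = [t for t in self._failures[account] if now - t < self.window_s]
        self._failures[account] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account: str, now: int) -> None:
        self._failures[account].append(now)


def max_guesses_under_limit(max_failures: int, window_s: int, lifetime_s: int) -> int:
    """Upper bound on wrong guesses one account can absorb while the code is valid."""
    return max_failures * math.ceil(lifetime_s / window_s)


def simulate_guessing(limiter: FailedAttemptLimiter, account: str,
                      lifetime_s: int, attempt_interval_s: int = 1) -> int:
    """Count guesses that get past the limiter during the code's lifetime.

    Every guess is assumed wrong, so this measures how many submissions the
    server would actually have to evaluate, not whether the attack succeeds.
    """
    accepted = 0
    for t in range(0, lifetime_s, attempt_interval_s):
        if limiter.allow(account, t):
            limiter.record_failure(account, t)
            accepted += 1
    return accepted


if __name__ == "__main__":
    space = keyspace()
    print(f"keyspace: {space:,} codes")
    for label, life in (("45 s", NORMAL_LIFETIME_S), ("3 h", EXTENDED_LIFETIME_S)):
        rate = guesses_per_hour_needed(space, life)
        print(f"{label} window: ~{rate:,.0f} guesses/hour for a 50% chance")
    # The article's figure of 150,000 submissions/hour sustained for three hours:
    print(f"450,000 guesses -> P(success) = {success_probability(450_000, space):.2f}")
    limiter = FailedAttemptLimiter(max_failures=5, window_s=900)
    got = simulate_guessing(limiter, "victim", EXTENDED_LIFETIME_S)
    print(f"with a 5-per-15-minute limit only {got} guesses reach the server "
          f"(bound {max_guesses_under_limit(5, 900, EXTENDED_LIFETIME_S)})")
```

The comparison is the point: a 45-second window pushes the required rate into tens of millions of guesses per hour, which no sensible service would absorb, while a three-hour window brings it down to roughly the 150,000-per-hour figure the article cites. Even a coarse limiter cuts the attacker's reach from hundreds of thousands of guesses to a few dozen, which is why whether Dashlane rate-limits matters so much to the plausibility of the brute-force theory.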

It's possible that Dashlane's reference to 2FA meant something else. Sometimes 2FA takes the form of a push notification. A tactic known as a 2FA fatigue attack exploits the friction of this process: an attacker who has already compromised the first authentication factor repeatedly attempts to log in, and each attempt sends a push notification to the target. After dozens or even hundreds of prompts, the target eventually succumbs and presses the approve button.

Another possibility is that Dashlane users were tricked into approving new devices owned by the attackers, a social-engineering technique that abuses device-enrollment features to gain unauthorized access to an account.
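As an added example of what a defender would look for in the two scenarios just described (not code from the article or from Dashlane), the following Python script scans constructed authentication log lines, in an assumed `key=value` format, for a burst of push prompts against one account and for a new-device enrollment that follows such a burst. The sample log, the event names and the thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log (assumed format; not real Dashlane telemetry).
# "alice" receives six push prompts in under four minutes, then approves one
# and a new device is enrolled; "bob" is an ordinary single-prompt login.
SAMPLE_LOG = """\
2026-06-01T10:00:00Z account=alice event=password_ok
2026-06-01T10:00:02Z account=alice event=push_sent
2026-06-01T10:00:40Z account=alice event=push_denied
2026-06-01T10:00:45Z account=alice event=push_sent
2026-06-01T10:01:20Z account=alice event=push_denied
2026-06-01T10:01:30Z account=alice event=push_sent
2026-06-01T10:02:10Z account=alice event=push_sent
2026-06-01T10:03:00Z account=alice event=push_sent
2026-06-01T10:03:50Z account=alice event=push_sent
2026-06-01T10:04:20Z account=alice event=push_approved
2026-06-01T10:05:00Z account=alice event=device_enrolled device=laptop-7
2026-06-01T11:00:00Z account=bob event=password_ok
2026-06-01T11:00:01Z account=bob event=push_sent
2026-06-01T11:00:05Z account=bob event=push_approved
"""


def parse_log(text: str) -> list[dict]:
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append({"ts": ts, **fields})
    return events


def push_times(events: list[dict], account: str) -> list[datetime]:
    return sorted(e["ts"] for e in events
                  if e["account"] == account and e["event"] == "push_sent")


def max_pushes_in_window(events: list[dict], account: str, window_minutes: int = 10) -> int:
    """Largest number of push prompts sent to `account` inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    times = push_times(events, account)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_accounts(events: list[dict], window_minutes: int = 10, threshold: int = 5,
                  enroll_lookback_minutes: int = 15) -> dict[str, list[str]]:
    """Return {account: [reasons]} for accounts matching either suspicious pattern.

    Pattern 1 (2FA fatigue): at least `threshold` push prompts in one window.
    Pattern 2 (device enrollment): a device_enrolled event preceded by at
    least `threshold` prompts within `enroll_lookback_minutes`.
    Thresholds are assumptions chosen for this constructed sample.
    """
    lookback = timedelta(minutes=enroll_lookback_minutes)
    findings: dict[str, list[str]] = {}
    for account in sorted({e["account"] for e in events}):
        reasons = []
        burst = max_pushes_in_window(events, account, window_minutes)
        if burst >= threshold:
            reasons.append(f"{burst} push prompts within {window_minutes} minutes")
        times = push_times(events, account)
        for e in events:
            if e["account"] == account and e["event"] == "device_enrolled":
                recent = sum(1 for t in times if timedelta(0) <= e["ts"] - t <= lookback)
                if recent >= threshold:
                    reasons.append(f"device {e.get('device', '?')} enrolled "
                                   f"after {recent} prompts in the prior "
                                   f"{enroll_lookback_minutes} minutes")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in flag_accounts(parse_log(SAMPLE_LOG)).items():
        print(account)
        for r in reasons:
            print("  -", r)
```

On the sample above only `alice` is flagged, for both reasons; `bob` sees a single prompt and stays quiet. In practice the prompt count is the cheaper signal to alert on, while the enrollment-after-burst rule is the one that would catch the second scenario the article raises, since a successful device enrollment is the moment the attacker gains a persistent foothold.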

Dashlane stated that it has contacted fewer than 20 account holders whose encrypted vaults were obtained. The company also assured users, "If you're a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account." It further noted that without the master decryption password, which Dashlane never sees or stores, the vault contents remain safe.

Despite this information, the lack of clarity surrounding the incident has left many users confused. Dashlane has not responded to emails requesting more details since publishing its advisory nearly 48 hours ago. It is still unclear how attackers were able to obtain the encrypted user vaults without knowing the password, or by what means this was done.



Related Information:
  • https://www.digitaleventhorizon.com/articles/Brute-Forcing-2FA-The-Unsettling-Pattern-of-Dashlanes-Vault-Theft-Notification-deh.shtml
  • https://arstechnica.com/security/2026/06/dashlane-issues-opaque-advisory-warning-20-encrypted-vaults-were-stolen/

Published: Wed Jun 3 19:22:46 2026 by llama3.2 3B Q4_K_M