Digital Event Horizon

Dashlane's 2FA Spraying Attack: A Look into the Breach and its Implications



Dashlane recently suffered a sophisticated cyber attack that exploited vulnerabilities in their two-factor authentication system, allowing attackers to download encrypted password vaults from approximately 20 users' accounts. In this article, we'll take a closer look at the attack and its implications for users of password managers like Dashlane.

  • Dashlane, a popular password manager provider, was subjected to a sophisticated cyber attack that exploited vulnerabilities in their two-factor authentication (2FA) system.
  • The attackers used a brute force attack on the API endpoints for device registration, known as "password spraying," to target large numbers of users' registered email addresses.
  • The attackers were able to download encrypted password vaults from approximately 20 users' accounts before Dashlane was able to shut down the operation.
  • The attack was successful due to a combination of factors, including the use of a brute force attack and the fact that not all users use strong master passwords.
  • Dashlane has since apologized for their initial notification and stated that no user fields in vaults are unencrypted.
  • It is recommended that affected Dashlane users change their master passwords to reduce the chance of attackers succeeding in breaking the password.



In recent months, Dashlane, a popular password manager provider, has been subjected to a sophisticated cyber attack that exploited vulnerabilities in their two-factor authentication (2FA) system. The attackers, who targeted the company's API endpoints for device registration, managed to download encrypted password vaults from approximately 20 users' accounts before Dashlane was able to shut down the operation.

The attack was launched through a brute force attack on the API endpoints for device registration, which allowed the attackers to send a large volume of automated requests to those endpoints. This tactic is known as "password spraying," and it involves sending multiple login attempts with the same password across multiple accounts in order to increase the chances of success.

In the case of Dashlane's 2FA spraying attack, the attackers used this tactic by targeting large numbers of users' registered email addresses. They then used a brute force attack to send a large volume of automated requests to those endpoints, ultimately managing to generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users' encrypted vaults.

The flow and strategy of the attack were quite sophisticated. When a user installs the Dashlane app on a new device and attempts to enroll it in their existing account, Dashlane first verifies the account holder's identity by sending a one-time six-digit token to the user's registered email address (or, for users who have enabled two-factor authentication, by validating a six-digit code generated by their authentication app). For the registration to succeed, the user must enter this code into the Dashlane application. At this point, Dashlane will approve the enrollment and send a copy of the encrypted vault to the device. Vault contents remain unreadable until the user enters the master password, which acts as a decryption key.

In order to exploit this vulnerability, the attackers sent requests to register new devices across a large number of accounts and then entered one-time codes into each of them at the same time. Because a six-digit code has one million possible values, a single guess against a single account has a 1 in 1,000,000 chance of being right. In theory, attacking two accounts this way increased the odds for each try to 1 in 500,000; attacking 1,000 accounts would increase the odds to 1 in 1,000, and so on. The more accounts that were targeted, the better the chance that one of them would fall.

The economics of password spraying work the same way. Spreading the attempts across many accounts also undermines rate limiting: the total volume of guesses is large, but the number hitting any single account stays small enough that per-account rate limiting never triggers.
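As an added illustration (not code from the original article or from Dashlane), the Python below does two things: it models the six-digit-code odds described above, and it shows the defender-side check that the per-account view misses, counting enrollment-code submissions per source address across accounts. The log layout, field names and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CODE_SPACE = 10 ** 6  # a six-digit one-time code has one million possible values

def spray_odds(accounts: int) -> int:
    """The article's 'odds per try': with N accounts each receiving one guess
    per round, a round has about N chances in 1,000,000, i.e. 1 in 1,000,000/N
    (2 accounts -> 1 in 500,000; 1,000 accounts -> 1 in 1,000)."""
    return CODE_SPACE // accounts

def spray_success_probability(accounts: int, rounds: int) -> float:
    """Exact probability that at least one code is hit when every account gets
    one guess per round. Assumes each guess is an independent 1-in-1,000,000
    event (a simplification; it ignores codes expiring or being reissued)."""
    return 1 - (1 - 1 / CODE_SPACE) ** (accounts * rounds)

# Constructed sample of device-registration code submissions (not real Dashlane
# telemetry): "timestamp source_ip account result". One source submits a single
# guess against each of eight different accounts; a legitimate user mistypes once.
SAMPLE_LOG = [
    f"2026-06-01T10:00:{i:02d} 198.51.100.7 user{i}@example.com code_invalid"
    for i in range(8)
] + [
    "2026-06-01T10:01:00 203.0.113.5 bob@example.com code_invalid",
    "2026-06-01T10:01:20 203.0.113.5 bob@example.com code_ok",
]

def detect_spraying(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: distinct_accounts} for sources that submitted enrollment
    codes for at least `min_accounts` different accounts within `window`.
    A per-account counter sees only one attempt per account and never fires;
    the counter has to be keyed on the source (or kept globally) across accounts."""
    by_source = defaultdict(list)
    for line in lines:
        ts, src, account, _result = line.split()
        by_source[src].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = len(accounts)
                break
    return flagged
```

The legitimate user's two attempts against one account stay under the threshold, while the source touching eight accounts with one guess each is flagged even though no single account ever saw a second attempt.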

Ultimately, Dashlane's 2FA spraying attack managed to hit the right combination on fewer than 20 user accounts, according to the company. Before it was shut down, the attackers were able to download encrypted password vaults from approximately 20 users' accounts. The company has since contacted all those affected users and informed them of the breach.

For attackers to obtain the decrypted vault contents for those accounts, they would still have to crack the master password. Dashlane makes this process difficult by using an algorithm known as Argon2. It dramatically slows down and intensifies the process of converting the plain-text master password into a cryptographic hash. In turn, entering large numbers of guesses requires a tremendous amount of time and computing resources, even when the cracking is performed using GPUs or special-purpose hardware.

The chances of the attackers decrypting one of the encrypted vaults they obtained are very small if the master password was strong, meaning long, randomly generated, and high in entropy. However, not everyone uses such master passwords. If the master password appears in the word lists exchanged by password crackers, the chances of success would be higher, although still unlikely.

The incident has similarities to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted information from some of them. The success was the result of two things: certain fields, such as website URLs, remained unencrypted in vaults; and some of the stolen vaults used outdated algorithms that didn't adequately intensify the process for converting the plain-text password into a hash.

Dashlane's initial notification left out key details of the attack and led to considerable confusion about the ongoing risk users faced. The company has since apologized for the oversight, stating that no user fields in vaults are unencrypted. Furthermore, when algorithms are periodically strengthened to account for advances in cracking abilities, the process occurs automatically, with no interaction required.

In light of this incident, both master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don't need to take any such action.

In conclusion, the 2FA spraying attack on Dashlane highlights the importance of maintaining strong passwords and keeping up to date with the latest security best practices. The incident also underscores the potential risks associated with password managers and the need for companies like Dashlane to continually strengthen their security measures to protect their users' sensitive information.



    Related Information:
  • https://www.digitaleventhorizon.com/articles/Dashlanes-2FA-Spraying-Attack-A-Look-into-the-Breach-and-its-Implications-deh.shtml

  • https://arstechnica.com/security/2026/06/dashlane-explains-how-attackers-managed-to-download-encrypted-password-vaults/


  • Published: Thu Jun 4 19:27:30 2026 by llama3.2 3B Q4_K_M
