Attackers obtained encrypted password vaults from some Dashlane user accounts

Dashlane has disclosed new details about a brute-force attack that let a threat actor access some customer accounts and copy encrypted vaults.

Dashlane said it found no evidence that the attackers compromised its internal systems.

The company first acknowledged the incident on May 31 after users reported receiving account suspension emails and experiencing login problems.

“Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn’t enter the correct token after several tries,” the emails read, instructing affected users to contact customer support to restore access.

Shortly after, Dashlane launched an investigation into reports from users who had received account suspension notifications and were experiencing difficulties logging in after resetting their master password.

According to Dashlane, the threat actor targeted API endpoints used for device registration and launched a high volume of automated requests in an attempt to gain access to user accounts. The company said its automated security systems responded by locking targeted accounts to protect affected users.

“Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults,” Dashlane stated.

The advisory notes that the copied vaults remain encrypted and require the user’s master password to unlock. However, stolen vaults can still be subjected to offline password-cracking attempts, making the strength of a user’s master password a key factor in limiting the risk of exposure.

Following the incident, Dashlane said it deployed additional protections at the network and product levels to detect and filter malicious traffic. The company is also adding verification steps to the device registration process.
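
The two defensive controls the article describes, locking an account after repeated wrong device-registration tokens and spotting the high-volume automated traffic against the registration endpoints, are easier to reason about with a concrete model. The following Python is an added example written for this article; it is not Dashlane's code and does not describe Dashlane's actual API. The endpoint path, token length, lockout threshold, and log lines are all constructed assumptions.

```python
"""Added example (not Dashlane's code): a minimal device-registration token
check with per-account lockout, a detector for the high-volume failed-token
pattern in request logs, and a helper showing why the lockout matters.
The endpoint path, thresholds, and log lines below are constructed."""
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILED_TOKEN_ATTEMPTS = 5   # assumption: suspend after 5 wrong tokens
TOKEN_LENGTH = 6                # assumption: 6-digit registration token


@dataclass
class Account:
    email: str
    pending_token: str          # token delivered to the user out of band
    failed_attempts: int = 0
    suspended: bool = False
    registered_devices: list = field(default_factory=list)


def register_device(account: Account, submitted_token: str, device_id: str) -> str:
    """Return 'registered', 'rejected', or 'suspended'.

    The comparison uses hmac.compare_digest so response timing does not reveal
    how many leading characters of a guess were correct. A suspended account
    rejects even the correct token until support restores it, which mirrors the
    lockout behaviour the article describes."""
    if account.suspended:
        return "suspended"
    if not account.pending_token:       # no token outstanding: nothing to match
        return "rejected"
    if hmac.compare_digest(account.pending_token, submitted_token):
        account.failed_attempts = 0
        account.pending_token = ""      # single use: burn the token on success
        account.registered_devices.append(device_id)
        return "registered"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_TOKEN_ATTEMPTS:
        account.suspended = True
        return "suspended"
    return "rejected"


def brute_force_success_probability(token_length: int = TOKEN_LENGTH,
                                    max_attempts: int = MAX_FAILED_TOKEN_ATTEMPTS) -> float:
    """Chance that an attacker guesses a uniformly random numeric token of the
    given length before the lockout triggers: attempts / keyspace."""
    return max_attempts / 10 ** token_length


# Constructed log lines in an assumed format: "<time> <ip> <method> <path> email=<e> status=<code>"
LOG_LINES = [
    "10:00:01 203.0.113.5 POST /v1/device/register-token email=alice@example.com status=401",
    "10:00:01 203.0.113.5 POST /v1/device/register-token email=alice@example.com status=401",
    "10:00:02 203.0.113.5 POST /v1/device/register-token email=carol@example.com status=401",
    "10:00:02 203.0.113.5 POST /v1/device/register-token email=carol@example.com status=401",
    "10:00:03 203.0.113.5 POST /v1/device/register-token email=dave@example.com status=401",
    "10:00:03 203.0.113.5 POST /v1/device/register-token email=dave@example.com status=401",
    "10:00:09 198.51.100.7 POST /v1/device/register-token email=bob@example.com status=401",
    "10:00:10 198.51.100.7 POST /v1/device/register-token email=bob@example.com status=200",
    "10:00:11 198.51.100.7 GET /v1/vault email=bob@example.com status=200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"email=(?P<email>\S+) status=(?P<status>\d+)$"
)


def flag_token_bruteforce(lines, path="/v1/device/register-token", threshold=5):
    """Count failed token submissions (HTTP 401) per source IP against the
    registration endpoint and return the sources at or above the threshold.
    Per-account lockout alone does not expose a source that sprays many
    accounts, so the detector keys on the source rather than the account."""
    failures = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != path or m["status"] != "401":
            continue
        failures[m["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    acct = Account(email="alice@example.com", pending_token="482913")
    for guess in ("000000", "111111", "222222", "333333", "444444"):
        print(guess, register_device(acct, guess, "device-A"))
    print("correct token after lockout:", register_device(acct, "482913", "device-A"))
    print("flagged sources:", flag_token_bruteforce(LOG_LINES))
    print("p(success before lockout):", brute_force_success_probability())
```

The probability helper makes the trade-off explicit: with a 6-digit token and a 5-attempt lockout, a single account yields at most a 5-in-a-million chance per registration attempt, which is why an attacker needs volume across many accounts and why source-keyed detection at the network layer complements account-keyed lockout.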

The company’s handling of the outage drew criticism on Reddit, where some users complained that Dashlane had provided little information while the issue was unfolding.

Earlier this year, researchers at ETH Zurich and the Università della Svizzera italiana identified design weaknesses in several major password managers, including Dashlane. While unrelated to the recent brute-force attack, the researchers demonstrated scenarios in which a compromise of a provider’s infrastructure could expose or modify data stored in encrypted vaults.

The risks associated with stolen password vaults can also persist long after an incident. TRM Labs warned that encrypted vault backups stolen during the 2022 LastPass breach were still being cracked using weak master passwords, enabling cryptocurrency thefts as late as 2025.
