Brute-force attack triggers Dashlane account lockouts
Password manager Dashlane has confirmed that a brute-force attack targeting user accounts triggered temporary account suspensions and authentication issues.
The company first acknowledged the incident on May 31 after users reported receiving account suspension emails and experiencing login problems.
“Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn’t enter the correct token after several tries,” the emails stated, instructing affected users to contact customer support to restore access.
Shortly after, Dashlane said it was investigating reports from users who had received account suspension notifications and were experiencing difficulties logging in after resetting their master passwords.
In a follow-up update, Dashlane said its engineering teams were investigating the root cause of the account suspension notifications and working on a resolution while treating the incident as a high-priority issue.
Later that day, the company confirmed that certain user accounts had been targeted in a brute-force attack by an external party, triggering automatic account suspensions as part of Dashlane’s built-in security measures.
According to Dashlane’s status page, the incident affected the company’s email notification and 2FA systems.
“Our team is actively engaged in this issue and taking measures to address it. There is no evidence of compromise of Dashlane’s systems,” the company said.
Although Dashlane marked the incident as resolved on May 31, it changed the status to “monitoring” on June 1.
The company’s handling of the outage drew criticism on Reddit, where some users complained that Dashlane had provided little information while the issue was unfolding. Others said they were unsure whether the account suspension emails were legitimate because they arrived before Dashlane publicly explained what was happening.
Dashlane later responded on Reddit, reassuring users and repeating that there was no evidence its systems had been compromised.