Key facts
- Attackers successfully brute-forced Dashlane's two-factor authentication system.
- The breach affected fewer than 20 personal plan user accounts.
- Attackers downloaded encrypted password vaults from the compromised accounts.
- The incident began on May 31 and led to automatic account lockouts for other targeted users.

Password manager Dashlane announced that an external attacker bypassed its two-factor authentication (2FA) system through a brute-force attack. The breach, which began on May 31, affected fewer than 20 personal plan user accounts. The attackers were able to download copies of the encrypted password vaults belonging to these compromised accounts. The incident also led to automatic account lockouts for a broader group of users who were targeted by the attackers. Dashlane stated that the downloaded vaults remain encrypted and that the company is working with affected users to help them secure their accounts and reset their passwords. A user who received a 2FA request provided a screenshot of the notification, which was received on Sunday.