Dashlane: Attackers downloaded fewer than 20 encrypted vaults

Created at 4 Jun · 05:58 UTC2 sources↑ Market-relevant2 events

IN SHORT

Dashlane reported that attackers downloaded fewer than 20 encrypted password vaults before its systems shut down the operation. The attackers abused the device enrollment mechanism and used brute-force attacks on API endpoints.

Key Numbers

fewer than 20personal user vaults downloaded

six-digittoken length for identity verification

Who's Involved

Dashlane

Password manager provider that experienced a security breach

unknown threat actor

Attacker who initiated the campaign against Dashlane users

Key facts

Attackers downloaded fewer than 20 encrypted password vaults from Dashlane.
The attack targeted Dashlane's device enrollment mechanism.
Attackers used brute-force methods on API endpoints for device registration.
Dashlane's security systems triggered account lockouts.
The campaign began on Sunday and was mitigated by Thursday.

Password manager Dashlane has detailed how attackers managed to download fewer than 20 encrypted password vaults in a coordinated campaign. The attackers exploited Dashlane's device enrollment process, targeting API endpoints for device registration and employing brute-force attacks to generate valid tokens. Dashlane's automated security systems detected the activity and initiated account lockouts, but not before the threat actor successfully accessed and downloaded a small number of encrypted vaults. The campaign, which began on Sunday, was mitigated by Thursday. This incident underscores the persistent threats to sensitive user data stored in password managers and the sophisticated methods employed by malicious actors.

↳ Why This Matters

While the number of compromised vaults is small, this incident highlights a sophisticated attack vector targeting password manager security mechanisms, potentially eroding user trust and demonstrating the need for continuous vigilance against evolving cyber threats.

FREQUENTLY ASKED

Fewer than 20 personal user vaults were downloaded by the attackers before the operation was shut down.

Attackers abused Dashlane's programming interfaces for device enrollment, specifically targeting API endpoints for device registration.

Dashlane's automated security systems triggered an automatic lockout of targeted accounts to protect users.

The attackers used a brute-force attack to send a large volume of automated requests to the device registration API endpoints.

Key facts

Attackers downloaded fewer than 20 encrypted password vaults from Dashlane.

The attack targeted Dashlane's device enrollment mechanism.

Attackers used brute-force methods on API endpoints for device registration.

Dashlane's security systems triggered account lockouts.

The campaign began on Sunday and was mitigated by Thursday.

Dashlane: Attackers downloaded fewer than 20 encrypted vaults

PiQ Daily

Key facts

Dashlane: Attackers downloaded fewer than 20 encrypted vaults

PiQ Daily

Key facts

Get the newsletter.