Dashlane Details How Hackers Managed to Download Encrypted Password Vaults
Dashlane has disclosed that threat actors successfully brute-forced two-factor authentication (2FA) protections to register unauthorized devices and download encrypted password vaults belonging to fewer than 20 personal plan users, with a completed investigation confirming no broader impact on its internal systems.
Beginning Sunday, May 31, 2026, an external threat actor launched a high-volume brute-force campaign targeting Dashlane user accounts. The attacker focused specifically on the platform’s device registration API endpoints, flooding them with automated requests designed to guess the 6-digit one-time tokens sent via email or generated by authenticator apps.
Dashlane’s automated security controls responded as intended, triggering account lockouts across targeted accounts before the attack was fully contained.
The threat actor exploited Dashlane’s device registration flow, which is triggered whenever a user adds a new device, such as a mobile phone or computer, to their account.
Upon successful 2FA verification, Dashlane registers the device and automatically downloads a copy of the encrypted vault to that device. By brute-forcing valid 6-digit tokens for a subset of accounts, attackers were able to complete the registration flow, effectively authorizing the device and downloading encrypted vault copies without the account holder’s knowledge.
Fewer than 20 personal plan users had their encrypted vaults exfiltrated. All affected users were directly notified by Dashlane.
Despite the vault downloads, Dashlane maintains that the stolen data remains effectively inaccessible. Vault contents are protected by the user’s Master Password, which is never transmitted to Dashlane servers in plaintext and is never stored, a core principle of Dashlane’s zero-knowledge architecture.
The encryption stack (Argon2 + AES-256-CBC + HMAC-SHA256) makes brute-forcing the Master Password statistically infeasible even over extended timeframes. There is no evidence that Dashlane’s internal infrastructure was compromised at any point during the incident.
On June 4, 2026, Dashlane announced the completion of its investigation, confirming no additional customer impact. Remediation steps included:
- Blocking malicious traffic at the network level.
- Reactivating suspended and locked-out user accounts.
- Deploying additional verification layers to the device registration flow.
- Hardening API endpoint protections to detect and filter future malicious traffic.
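To illustrate the control that decides how far a 6-digit token-guessing campaign can get, here is an added example of per-account attempt limiting on a device-registration OTP check. It is illustrative code written for this article, not Dashlane's implementation; the class name, the attempt threshold and the lockout duration are assumptions, while the 10^6 token space follows from the 6-digit tokens described above.

```python
"""Per-account OTP attempt limiting for a device-registration flow.

Illustrative code, not Dashlane's. OtpVerifier, MAX_ATTEMPTS and
LOCKOUT_SECONDS are assumed names and values; TOKEN_SPACE reflects the
6-digit one-time tokens described in the article.
"""
import hmac
import time

TOKEN_SPACE = 10**6        # 6-digit one-time tokens
MAX_ATTEMPTS = 5           # assumed: failed verifications before lockout
LOCKOUT_SECONDS = 900      # assumed: lockout duration in seconds


class OtpVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> unix time the lockout expires

    def is_locked(self, account):
        return self._clock() < self._locked_until.get(account, 0)

    def verify(self, account, expected, submitted):
        """Return 'ok', 'bad_token' or 'locked'.

        Every failed guess counts toward the lockout, so automated
        guessing is cut off after MAX_ATTEMPTS instead of being allowed
        to walk the whole token space. A correct token is also refused
        while the account is locked, which is what stops the
        registration flow from completing during a burst of guesses.
        """
        if self.is_locked(account):
            return "locked"
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            self._failures.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= MAX_ATTEMPTS:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(account, None)
            return "locked"
        return "bad_token"


def guess_success_probability(attempts_allowed, token_space=TOKEN_SPACE):
    """Chance that guessing hits one fixed token before the lockout."""
    return min(attempts_allowed, token_space) / token_space
```

The ratio returned by `guess_success_probability` is the number defenders tune: with five attempts per token the per-account odds are 5 in a million, whereas an unlimited endpoint lets the expected number of guesses reach the hundreds of thousands.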
The incident underscores that even robust password managers can be targeted at the authentication perimeter rather than the encryption layer itself, making strong 2FA configuration and Master Password hygiene critical defensive controls for all users.
The post Dashlane Details How Hackers Managed to Download Encrypted Password Vaults appeared first on Cyber Security News.
Guru Baran