Password manager Dashlane has confirmed that a brute-force attack launched on May 31, 2026, successfully compromised fewer than 20 user accounts, allowing attackers to download encrypted vaults. The company says the targeted users have all been notified directly.
What Happened
An external threat actor targeted specific Dashlane accounts with a sustained brute-force campaign aimed at breaking two-factor authentication protections. The goal wasn’t just to guess passwords — it was to bypass 2FA and register new attacker-controlled devices on existing accounts. The volume of attempts was high enough to trigger Dashlane’s security controls, which temporarily suspended affected accounts and caused authentication issues for legitimate users.
Despite those controls, the attackers got through in a small number of cases. They were able to download copies of encrypted vaults belonging to fewer than 20 users on the personal (non-business) plan. Dashlane hasn’t disclosed exactly how the 2FA bypass was achieved, which is a notable gap in the disclosure.
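The control Dashlane describes (enough failed second-factor attempts trip a suspension) is a simple sliding-window detection, and the more interesting signal for an incident responder is what happens right after it trips. The following is example code added to this article, not Dashlane’s detection logic; the log format, field names, the ten-minute window and the five-attempt threshold are all assumptions, and the events are constructed for the demo. It flags the lockout itself, then separately flags any second-factor success or new-device registration that occurs while the account should still be suspended, since a correctly enforced suspension should make those events impossible.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real Dashlane telemetry). alice is the
# target: a burst of failed second-factor checks, then a success and a new
# device from the same source. bob is a legitimate user who mistyped once.
SAMPLE_EVENTS = [
    '{"ts":"2026-05-31T10:00:00Z","user":"alice","event":"2fa_failed","ip":"203.0.113.5"}',
    '{"ts":"2026-05-31T10:00:05Z","user":"alice","event":"2fa_failed","ip":"203.0.113.6"}',
    '{"ts":"2026-05-31T10:00:10Z","user":"alice","event":"2fa_failed","ip":"203.0.113.5"}',
    '{"ts":"2026-05-31T10:00:15Z","user":"alice","event":"2fa_failed","ip":"203.0.113.6"}',
    '{"ts":"2026-05-31T10:00:20Z","user":"alice","event":"2fa_failed","ip":"203.0.113.5"}',
    '{"ts":"2026-05-31T10:00:30Z","user":"alice","event":"2fa_success","ip":"203.0.113.5"}',
    '{"ts":"2026-05-31T10:00:35Z","user":"alice","event":"device_registered","ip":"203.0.113.5"}',
    '{"ts":"2026-05-31T10:01:00Z","user":"bob","event":"2fa_failed","ip":"198.51.100.7"}',
    '{"ts":"2026-05-31T10:01:20Z","user":"bob","event":"2fa_success","ip":"198.51.100.7"}',
]

# Events that must not happen while an account is suspended.
SENSITIVE_EVENTS = {"2fa_success", "device_registered"}


def parse_event(line: str) -> dict:
    """Parse one JSON log line (assumed format) and convert the timestamp."""
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_2fa_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed second-factor checks per account.

    Reaching `threshold` failures inside `window` raises a lockout alert and
    marks the account suspended until the window expires. A second-factor
    success or a device registration while suspended raises a second,
    higher-severity alert: the suspension should have blocked it, so seeing
    one means the control was bypassed.
    """
    failures = defaultdict(deque)   # user -> (timestamp, ip) of recent failures
    suspended_until = {}            # user -> time the suspension lapses
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        recent = failures[user]
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        suspended = ts <= suspended_until.get(user, datetime.min)
        if ev["event"] == "2fa_failed":
            recent.append((ts, ev["ip"]))
            if len(recent) >= threshold and not suspended:
                suspended_until[user] = ts + window
                alerts.append({
                    "type": "2fa_bruteforce_lockout", "user": user,
                    "at": ts.isoformat(), "attempts": len(recent),
                    "ips": sorted({ip for _, ip in recent}),
                })
        elif ev["event"] in SENSITIVE_EVENTS and suspended:
            alerts.append({
                "type": "sensitive_event_during_lockout", "user": user,
                "event": ev["event"], "at": ts.isoformat(), "ip": ev["ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_2fa_bruteforce(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed events, alice produces three alerts (the lockout at the fifth failure, then a success and a device registration inside the suspension window) and bob produces none. The trade-off the article mentions is visible in the design: once the threshold trips, the legitimate owner is locked out too, which is exactly the authentication trouble real users experienced.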
Should You Panic?
No, but you should pay attention. The downloaded vaults are encrypted with a key derived from the user’s master password, which Dashlane says is never stored on its servers and was not part of what was accessed. In principle the encryption holds up against brute-force attempts on the vault itself, but only as long as the master password is strong: the attacker now has the blob offline, with no rate limiting and no lockout, and can test guesses for as long as the key derivation cost allows. If your master password is “password123,” you have a problem. If it’s a long, random passphrase, the attackers likely have an encrypted blob they can’t do much with.
Still, the fact that any vaults were downloaded at all is concerning. “Fewer than 20” is a carefully chosen number: combined with the confirmation that vaults were downloaded, it means somewhere between one and nineteen accounts, and nothing more precise. The lack of detail on the 2FA bypass mechanism leaves open questions about whether this was a flaw in Dashlane’s implementation, a social engineering angle, or a more conventional attack like SIM swapping. Brute force against a second factor normally means guessing short-lived numeric codes, which is only viable against SMS or authenticator-app codes and not against hardware keys; Dashlane has not said which factor the affected users had enabled.
The Bigger Picture for Password Manager Users
This isn’t the first time a password manager has been targeted this way, and it won’t be the last. In 2023, 1Password disclosed that attackers who had breached Okta’s support system reached 1Password’s Okta tenant, though no user data was accessed. LastPass’s 2022 breach is the closer parallel: attackers stole backups of customer vaults, leaving anyone with a weak master password exposed to unlimited offline guessing. The pattern is clear: as password managers become central to how people manage their digital identities, they become high-value targets.
The good news is that the encryption model used by reputable password managers like Dashlane is genuinely strong: the vault key is derived on the client from the master password with a deliberately slow key derivation function, so each offline guess costs the attacker real compute, and the server never sees the key. The weak link is almost always the master password and the authentication mechanisms around it. If you use a password manager, your master password should be the strongest password you have: long, unique, and never reused anywhere else. Hardware security keys (like YubiKey) for 2FA are significantly harder to bypass than TOTP apps or SMS, because the second factor is a challenge-response bound to the legitimate site rather than a six-digit code that can be guessed, phished or intercepted.
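To make the “encrypted blob” argument from the two sections above concrete, here is an added example (written for this article, not Dashlane’s code or vault format) of the model the text describes: a key derived from the master password by a slow, memory-hard KDF, a vault encrypted and authenticated under that key, and then the only thing an attacker holding the downloaded blob can do, which is guess master passwords offline at the cost of one KDF run per guess. The scrypt parameters are illustrative and kept low so the demo runs in seconds, the wordlist and vault contents are constructed, and because the standard library has no AES the cipher is HMAC-SHA256 in counter mode standing in for AES-GCM. The final two functions turn passphrase length into bits of entropy and an expected cracking time at an assumed guess rate.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Assumed KDF cost: illustrative scrypt settings chosen so the demo runs
# quickly. They are not Dashlane's parameters; production tuning is higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed attacker wordlist: a handful of common passwords.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into 64 key bytes with a memory-hard KDF."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES (not in the stdlib)."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under keys that exist only on the client."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # This dict is everything the server stores, and so everything the
    # attacker obtained by downloading the vault.
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, blob: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong (tag mismatch)."""
    key = derive_key(master_password, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def offline_crack(blob: dict, wordlist) -> Optional[str]:
    """The attacker's only move: try guesses against the blob offline.

    Every guess costs one full KDF run, and nothing rate-limits or locks out
    this loop. Returns the recovered master password or None.
    """
    for guess in wordlist:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a uniformly random diceware-style passphrase."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


if __name__ == "__main__":
    vault = b"login=alice;pw=hunter2"
    weak = encrypt_vault("password123", vault)
    strong = encrypt_vault("tundra velvet 81 saddle ozone pixel", vault)
    print("weak vault cracked with:", offline_crack(weak, WORDLIST))
    print("strong vault cracked with:", offline_crack(strong, WORDLIST))
    bits = passphrase_bits(6)
    # Guess rate is an assumption: against a memory-hard KDF a GPU manages
    # on the order of thousands of guesses per second, not billions.
    years = expected_crack_seconds(bits, 1e4) / (365 * 24 * 3600)
    print(f"6-word passphrase: {bits:.1f} bits, ~{years:.2e} years at 10k guesses/s")
```

The two things worth taking from the demo are that the attacker’s verification oracle is the authentication tag, so a wrong guess fails cleanly and a right one is unmistakable, and that the defender’s only levers once the blob is gone are the KDF cost and the entropy of the master password. A six-word random passphrase is roughly 77 bits; at the assumed ten thousand guesses per second that is on the order of 10^11 years, whereas anything on a common-password list falls in the time it takes to run the KDF a few times.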
What to Do Now
If you’re a Dashlane user and haven’t received a notification from the company, Dashlane’s statement implies your vault wasn’t among those downloaded. Treat any unexpected “Dashlane security notice” with care, though: breach news is reliably followed by phishing that imitates the vendor, so check your account status in the app rather than through a link in an email. Either way, it’s a good moment to audit your master password strength, make sure you’re using the strongest available 2FA method, and review the devices authorized on your account, removing any you don’t recognize. If you’re using the same master password anywhere else, stop and change it everywhere.
What’s Next
Watch for follow-up disclosures from Dashlane about how the 2FA bypass worked. That detail matters because if it’s a systemic issue, other password managers could be vulnerable to the same technique. In the meantime, this is a reminder that password managers are a critical security layer, not a set-it-and-forget-it solution. The master password and 2FA method you choose are the difference between an encrypted blob an attacker can’t crack and a full credential compromise.
