Dashlane Brute-Force Attack Downloads Encrypted Vaults From Under 20 Users

Password manager Dashlane has disclosed that attackers successfully downloaded encrypted vaults belonging to fewer than 20 personal plan users after launching a brute-force campaign designed to bypass two-factor authentication protections.

How the Attack Worked

On May 31, 2026, Dashlane detected an external threat actor attempting to brute-force 2FA protections on a number of user accounts. The goal was to register new devices on existing accounts, a technique that, if successful, lets the attacker download the victim’s encrypted password vault without needing the master password.

The high volume of authentication attempts triggered Dashlane’s built-in security controls, which temporarily suspended affected accounts and caused authentication issues for legitimate users. The company says it has since restored access to all impacted accounts.
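The two signals described above, a burst of failed 2FA attempts that should trip automatic suspension, and a new device registered right after such a burst, can be checked from an authentication log. The following is an added example, not Dashlane's code: the log format, the event names (`2fa_fail`, `2fa_ok`, `device_register`), the five-minute window and the thresholds are constructed assumptions, and the sample log lines are made up for illustration.

```python
"""Detecting a 2FA brute-force aimed at registering new devices.

Added example, not Dashlane's code. The log format, the event names,
the window and the thresholds are constructed assumptions; the article
only says that a high volume of authentication attempts tripped
automatic account suspension.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=5)   # sliding window for counting failed 2FA attempts
LOCK_THRESHOLD = 5              # failures within WINDOW -> suspend the account
SUSPECT_THRESHOLD = 3           # failures within WINDOW before a device_register -> alert

# Constructed sample log: "<timestamp> <account> <event>" per line.
# user-a: rapid failures, then success and a new device (the attack pattern)
# user-b: two failures 35 minutes apart, then a normal device registration
# user-c: rapid failures only, no registration
SAMPLE_LOG = """\
2026-05-31T10:00:01Z user-a 2fa_fail
2026-05-31T10:00:02Z user-a 2fa_fail
2026-05-31T10:00:03Z user-a 2fa_fail
2026-05-31T10:00:04Z user-a 2fa_fail
2026-05-31T10:00:05Z user-a 2fa_fail
2026-05-31T10:00:06Z user-a 2fa_fail
2026-05-31T10:00:07Z user-a 2fa_ok
2026-05-31T10:00:08Z user-a device_register
2026-05-31T10:05:00Z user-b 2fa_fail
2026-05-31T10:40:00Z user-b 2fa_fail
2026-05-31T10:40:20Z user-b 2fa_ok
2026-05-31T10:40:25Z user-b device_register
2026-05-31T11:00:00Z user-c 2fa_fail
2026-05-31T11:00:01Z user-c 2fa_fail
2026-05-31T11:00:02Z user-c 2fa_fail
2026-05-31T11:00:03Z user-c 2fa_fail
2026-05-31T11:00:04Z user-c 2fa_fail
"""


def parse_log(text):
    """Parse log lines into (datetime, account, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event = line.split()
        events.append((datetime.strptime(ts, TS_FMT), account, event))
    return events


def analyze(events):
    """Replay events in time order and report what the controls would do.

    Returns a dict with:
      locked: account -> timestamp at which LOCK_THRESHOLD failures fell
              inside WINDOW (the point where the account would be suspended)
      suspicious_registrations: accounts that registered a device while
              SUSPECT_THRESHOLD or more recent failures were in the window,
              i.e. the signature of a brute-force that got through
    """
    recent_failures = defaultdict(deque)
    locked = {}
    suspicious = []
    for ts, account, event in sorted(events):
        window = recent_failures[account]
        # Drop failures older than WINDOW so the count is a sliding window.
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if event == "2fa_fail":
            window.append(ts)
            if len(window) >= LOCK_THRESHOLD and account not in locked:
                locked[account] = ts.strftime(TS_FMT)
        elif event == "device_register" and len(window) >= SUSPECT_THRESHOLD:
            # A successful 2FA code is not enough to clear suspicion: the
            # attacker's winning guess also shows up as 2fa_ok.
            suspicious.append(account)
    return {"locked": locked, "suspicious_registrations": suspicious}


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for account, when in result["locked"].items():
        print(f"suspend {account}: {LOCK_THRESHOLD} failures within {WINDOW} at {when}")
    for account in result["suspicious_registrations"]:
        print(f"ALERT {account}: device registered after a burst of failed 2FA attempts")
```

Suspension alone stops the guessing but, as the article notes, also locks out the legitimate owner; the second check is the one that surfaces the cases where a registration slipped through before the threshold tripped, which is what an incident responder would want to review.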

But in a handful of cases, the attackers got through. They managed to download copies of encrypted vaults from fewer than 20 personal plan users. Dashlane has directly notified each affected individual. If you’re a Dashlane user and haven’t received a specific message about vault theft, your data wasn’t part of this breach.

Should You Panic?

Not immediately — but you should pay attention. The vaults were encrypted, which means the attackers still need to crack the encryption to access the actual passwords. Dashlane uses AES-256 encryption with a key derived from the user’s master password, so the security of the stolen data depends entirely on how strong each victim’s master password is.

That said, this is a reminder that “encrypted” doesn’t mean “safe from determined attackers.” If you use a weak or reused master password, an offline brute-force attack against the stolen vault is feasible. The attackers now have unlimited time to try.

It’s also worth noting that this only affected personal plan users. Business and enterprise plans weren’t impacted, likely due to additional security controls like SSO and admin-managed device policies.

What Dashlane Users Should Do Now

If you’re a Dashlane personal plan user, change your master password immediately — make it long, unique, and random. If you’ve reused that password anywhere else, change it there too. Enable the strongest 2FA option available (hardware security key if possible, authenticator app as a minimum).

Consider this a nudge to audit your vault for any credentials that might be especially sensitive — banking, email, crypto wallets — and rotate those passwords proactively.

The Bigger Picture

Password managers remain one of the best tools for personal security, but this incident shows they’re not invulnerable. The attack surface isn’t the encryption — it’s the authentication layer around it. As password managers become more attractive targets, we’ll likely see more attempts to bypass 2FA through brute-force, social engineering, or session hijacking.

Dashlane handled this disclosure well — they were transparent about the scope and notified affected users directly. But it’s a wake-up call for the entire password manager industry to strengthen authentication protections against automated attacks.