Dashlane Brute-Force Attack: What Actually Happened
Password manager Dashlane disclosed this week that a brute-force attack targeting its device registration system successfully compromised fewer than 20 user accounts. The attackers managed to download encrypted vaults — but there’s important context about what that means and what it doesn’t.
The Attack Vector
The threat actor didn’t break into Dashlane’s infrastructure. Instead, they targeted the API endpoints used for device registration — the flow that lets you add a new phone or computer to your account. Here’s how it works: when you register a new device, Dashlane sends a 6-digit token to your email (or validates a 2FA code from your authenticator app). Enter the code, and the device gets access to your encrypted vault.
The attackers brute-forced those 6-digit tokens. With enough automated attempts, they guessed valid codes for fewer than 20 personal plan accounts, registered their own devices, and downloaded copies of the encrypted vaults.
What “Encrypted Vault” Actually Means Here
This is the critical detail: the vaults are encrypted with the user’s Master Password. Dashlane doesn’t store your Master Password — they can’t decrypt your data even if they wanted to. So the attackers have encrypted blobs that are essentially useless without the Master Password.
That said, if any of those 20 users had weak or predictable Master Passwords, the attackers could attempt to crack them offline. It’s not trivial, but it’s not impossible either — especially for short or common passwords.
What Dashlane Did Right
Dashlane’s security controls actually worked as designed. The high volume of brute-force attempts triggered automatic account suspensions, which limited the blast radius to fewer than 20 accounts. The company also says its internal systems were not compromised — this was an attack on a specific user-facing flow, not a breach of their infrastructure.
What You Should Do
If you’re a Dashlane user (or use any password manager, really):
- Check your registered devices. Remove anything you don’t recognize.
- Enable 2FA if you haven’t already. It adds a layer that makes brute-forcing significantly harder.
- Use a strong Master Password. Long, unique, and not reused anywhere else. This is your last line of defense — if your vault gets exfiltrated, the Master Password is all that stands between an attacker and your credentials.
The Bigger Picture
This attack highlights a weakness in how device registration flows are designed across the industry. A 6-digit code — even with rate limiting — has only 1 million possible combinations. When attackers can automate requests at scale, that’s a feasible brute-force target. The fact that Dashlane’s rate limiting caught most of the attempts is good, but “most” isn’t “all.”
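To make the "1 million combinations versus rate limiting" point concrete, here is an added illustration (not code from the article, Dashlane, or The Hacker News): a sliding-window detector over constructed sample log lines that flags accounts whose failed token attempts exceed a cap, plus the residual guess probability an attacker keeps under that cap. The log format, account names, and thresholds are assumptions for the example.

```python
"""Lockout detection and residual-risk sizing for 6-digit device-registration tokens."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not a real vendor log):
# timestamp, account, event. alice shows a burst of failures; bob is normal use.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z acct=alice event=device_token_fail
2024-05-01T10:00:01Z acct=alice event=device_token_fail
2024-05-01T10:00:02Z acct=alice event=device_token_fail
2024-05-01T10:00:03Z acct=alice event=device_token_fail
2024-05-01T10:00:04Z acct=alice event=device_token_fail
2024-05-01T10:00:05Z acct=alice event=device_token_fail
2024-05-01T10:05:00Z acct=bob event=device_token_fail
2024-05-01T10:06:00Z acct=bob event=device_token_ok
"""

def parse(line):
    """Split one log line into (timestamp, account, event)."""
    ts, acct, event = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            acct.split("=", 1)[1], event.split("=", 1)[1])

def accounts_to_suspend(log, max_fails=5, window=timedelta(minutes=10)):
    """Return accounts with more than max_fails failed token attempts inside a
    sliding time window. This models the automatic suspension the article
    credits with limiting the blast radius to fewer than 20 accounts."""
    recent = defaultdict(list)
    flagged = set()
    for line in log.strip().splitlines():
        ts, acct, event = parse(line)
        if event != "device_token_fail":
            continue
        recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]
        if len(recent[acct]) > max_fails:
            flagged.add(acct)
    return flagged

def brute_force_success_prob(attempts_allowed, digits=6):
    """Probability of guessing a uniformly random token before the cap is hit.
    With no cap the attacker can exhaust all 10**digits values (probability 1)."""
    space = 10 ** digits
    return min(attempts_allowed, space) / space
```

Lowering the per-token attempt cap is what shrinks the success probability; a longer token or a second factor shrinks it further, while rate limiting alone only slows the attacker down.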
Password managers remain one of the best tools for personal security. But this incident is a reminder that no system is bulletproof, and your Master Password is the foundation everything else rests on.
Source: The Hacker News
