Dashlane: Hackers Downloaded Encrypted Password Vault

David kimber
June 5, 2026

Dashlane has revealed a security incident involving a brute-force attack against two-factor authentication (2FA) protections. Threat actors leveraged this to register unauthorized devices and subsequently downloaded encrypted password vaults. The breach affected fewer than 20 personal plan users, though a completed investigation confirms no broader impact on Dashlane’s internal systems.

Beginning Sunday, May 31, 2026, an external threat actor launched a high-volume brute-force campaign targeting Dashlane user accounts. The attacker focused specifically on the platform’s device registration API endpoints, flooding them with automated requests designed to guess the 6-digit one-time tokens sent via email or generated by authenticator apps.

Dashlane’s automated security controls responded as intended, triggering account lockouts across targeted accounts before the attack was fully contained.

The threat actor exploited Dashlane’s device registration flow, which is triggered whenever a user adds a new device, such as a mobile phone or computer, to their account.

Upon successful 2FA verification, Dashlane registers the device and automatically downloads a copy of the encrypted vault to that device. By brute-forcing valid 6-digit tokens for a subset of accounts, attackers were able to complete the registration flow, effectively authorizing the device and downloading encrypted vault copies without the account holder’s knowledge.

Fewer than 20 personal plan users had their encrypted vaults exfiltrated. All affected users were directly notified by Dashlane.

Despite the vault downloads, Dashlane maintains that the stolen data remains effectively inaccessible. Vault contents are protected by the user’s Master Password, which is never transmitted to Dashlane servers in plaintext and is never stored, a core principle of Dashlane’s zero-knowledge architecture.

The encryption stack (Argon2 + AES-256-CBC + HMAC-SHA256) makes brute-forcing the Master Password statistically infeasible even over extended timeframes. There is no evidence that Dashlane’s internal infrastructure was compromised at any point during the incident.

On June 4, 2026, Dashlane announced the completion of its investigation, confirming no additional customer impact. Remediation steps included:

  • Blocking malicious traffic at the network level.
  • Reactivating suspended and locked-out user accounts.
  • Deploying additional verification layers to the device registration flow.
  • Hardening API endpoint protections to detect and filter future malicious traffic.
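
A detection sketch for the pattern described above, added here as an example (it is not Dashlane's code and not part of the original report): it counts failed device-registration OTP checks per account in a sliding window, regardless of source IP, and marks any registration that succeeds after such a burst. The log format, event name, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT = "device_register_otp"  # hypothetical event name for an OTP check during device registration


def constructed_log():
    """Constructed sample lines: '<utc-time> <src-ip> <account> <event> <result>'."""
    # 12 failed codes in 12 seconds against one account, each from a different IP,
    # followed by a success: the pattern that per-IP rate limits do not see.
    lines = [f"2026-05-31T10:00:{i:02d}Z 198.51.100.{i + 1} victim@example.com {EVENT} fail"
             for i in range(12)]
    lines.append(f"2026-05-31T10:00:12Z 198.51.100.13 victim@example.com {EVENT} ok")
    # A legitimate user who mistypes the code twice and then succeeds.
    lines += [f"2026-05-31T10:01:0{i}Z 203.0.113.5 typo@example.com {EVENT} {r}"
              for i, r in enumerate(["fail", "fail", "ok"])]
    return lines


def detect_otp_bruteforce(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {account: alert} for accounts with more than max_failures failed codes in window."""
    failures = defaultdict(deque)  # account -> (time, ip) of failures still inside the window
    alerts = {}
    for line in lines:
        stamp, ip, account, event, result = line.split()
        if event != EVENT:
            continue
        now = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        recent = failures[account]
        while recent and now - recent[0][0] > window:
            recent.popleft()  # drop failures older than the window
        if result == "fail":
            recent.append((now, ip))
        if len(recent) > max_failures:
            alert = alerts.setdefault(
                account, {"failures": 0, "source_ips": set(), "registered_after_burst": False})
            alert["failures"] = max(alert["failures"], len(recent))
            alert["source_ips"].update(src for _, src in recent)
            # A success right after a burst means a device was registered: top priority.
            alert["registered_after_burst"] |= (result == "ok")
    return alerts


if __name__ == "__main__":
    for account, alert in detect_otp_bruteforce(constructed_log()).items():
        print(account, alert["failures"], len(alert["source_ips"]), alert["registered_after_burst"])
```

Keying the window on the account rather than the source address is what lets the rotating-IP burst surface while the user who mistyped twice stays below the threshold.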

The incident underscores that even robust password managers can be targeted at the authentication perimeter rather than the encryption layer itself, making strong 2FA configuration and Master Password hygiene critical defensive controls for all users.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
