There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.
“Beginning on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”
Hello, Dashlane, anyone home?
A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.
The UK-based user was concerned and contacted Dashlane through a support bot. Ultimately the user received no information about why the notification was sent.
“Then [I] discovered this news from Mastodon infosec and not Dashlane themselves,” the user told me. “Currently trying to find out what has happened! Because how are you going to trigger a 2fa request if you haven’t got the password 1st? As a paying customer I think I should have known about this from Dashlane and not Mastodon infosec folks.”
Scores of social media discussions are filled with similar comments from users who also don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. They’re usually six digits long and change every 45 or so seconds, although as the notification above indicates, the code remained valid for 3 hours.
Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the correct one. Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant share of them to be entered within the three-hour window.
While the resources needed to bombard Dashlane servers with that number of guesses in such a short period are available, they’re not commonly found in typical brute-force attacks. Dashlane doesn’t explicitly say it placed a rate limit on the number of submissions a user can make, although it seems likely based on language in the advisory saying “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more submissions in an hour or so.
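To make the arithmetic above concrete from the defender’s side, here is an added example (not Dashlane’s code) of a one-time-code verifier that burns a code after a fixed number of failed guesses or after its lifetime, alongside the odds the article reasons about; the five-guess cap and the three-hour lifetime are assumptions for illustration, and the lockout works per issued code, so the attacker’s odds stay the same however fast the requests arrive.

```python
# Added example, not Dashlane's code: a one-time-code verifier that caps guesses
# per issued code and expires it, plus the brute-force odds the article reasons about.
import hmac
import secrets
import time

CODE_SPACE = 10 ** 6          # six decimal digits, as in the article
CODE_LIFETIME_S = 3 * 3600    # the three-hour validity the notification showed
MAX_ATTEMPTS = 5              # assumed cap on guesses per issued code


def brute_force_odds(attempts: int, space: int = CODE_SPACE) -> float:
    """Probability a guessing attacker hits the code within `attempts` tries."""
    return min(attempts, space) / space


def guesses_per_hour_for(success_prob: float, window_s: int = CODE_LIFETIME_S) -> float:
    """Guess rate needed, with no cap, to reach success_prob before expiry."""
    return success_prob * CODE_SPACE / (window_s / 3600)


class OtpVerifier:
    """One live code per account; the code is burned after MAX_ATTEMPTS failed
    guesses or after its lifetime, so request rate alone cannot raise the odds."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # account -> [code, issued_at, failed_attempts]

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[account] = [code, self._now(), 0]
        return code

    def verify(self, account: str, guess: str) -> bool:
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_LIFETIME_S:
            del self._codes[account]  # expired: burn the code
            return False
        if hmac.compare_digest(code, guess):  # constant-time comparison
            del self._codes[account]  # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[account]  # lock out further guesses on this code
        return False
```

With the cap in place the attacker’s chance per issued code is 5 in a million; without it, guesses_per_hour_for(0.45) shows that the 150,000 submissions per hour mentioned above are what it takes to cover about 45 percent of the space inside the three-hour window.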

