Dashlane locks out users after external brute-force attack triggers automated account suspensions; no system compromise, accounts restored

Password manager Dashlane locked out multiple users after an external brute-force attack triggered its automated account-suspension defenses. Affected users received emails about suspicious access requests and device-registration codes from foreign locations they did not initiate, prompting confusion about whether the messages were themselves phishing. Dashlane confirmed the suspensions were a built-in security response to credential-stuffing-style login attempts and said there is no evidence its systems were compromised. The company opened an investigation on May 31 at 15:19 UTC and marked it resolved by 22:30 UTC, with all affected accounts unsuspended. The episode shows account-lockout defenses working as designed, though the user-experience and phishing-confusion fallout is real.

Check
If your team uses Dashlane and saw lockouts, confirm accounts are restored and that the device-registration emails were legitimate, not phishing. Verify no unauthorized devices were registered.
Affected
Dashlane users targeted by external credential-stuffing/brute-force login attempts. No Dashlane system compromise reported; the risk is account-takeover attempts and phishing confusion from legitimate-but-unexpected security emails.
Fix
Enable the strongest available MFA on Dashlane. Use a unique high-entropy master password. Treat unexpected device-registration codes as suspicious and verify via Dashlane's status page, not email links.