Dashlane confirms attackers downloaded encrypted vaults of fewer than 20 users in brute-force campaign; Master Password still protects data

Dashlane has updated its brute-force-attack disclosure with a material escalation: attackers successfully downloaded a copy of the encrypted vaults belonging to fewer than 20 personal-plan users. The campaign aimed to break two-factor authentication and register new devices on existing accounts; the high volume of attempts triggered the temporary suspensions reported earlier. Dashlane says it directly notified each affected user and that anyone who did not receive a vault-risk message is unaffected. Crucially, vault data cannot be decrypted without the Master Password, so unless a password is trivial and predictable, cracking attempts are unlikely to succeed. Dashlane's internal systems were not compromised. Users should review registered devices and enable 2FA.

Check
If your team uses Dashlane, confirm whether anyone received a vault-risk notification. For notified users, treat the encrypted vault as exposed and rotate all stored credentials promptly.
Affected
Fewer than 20 Dashlane personal-plan users whose encrypted vaults were downloaded. The vaults cannot be decrypted without the Master Password; weak or predictable Master Passwords are the residual risk.
Fix
Notified users: rotate every stored credential and change the Master Password to a long, unique one. All users: review registered devices, remove unknown ones, and enable 2FA.