Dashlane has updated its brute-force-attack disclosure with a material escalation: attackers successfully downloaded a copy of the encrypted vaults belonging to fewer than 20 personal-plan users. The campaign aimed to break two-factor authentication and register new devices on existing accounts; the high volume of attempts triggered the temporary suspensions reported earlier. Dashlane says it directly notified each affected user and that anyone who did not receive a vault-risk message is unaffected. Crucially, vault data cannot be decrypted without the Master Password, so unless that Master Password is trivial and predictable, cracking attempts are unlikely to succeed. Dashlane's internal systems were not compromised. Users should review registered devices and enable 2FA.
Password manager Dashlane locked out multiple users after an external brute-force attack triggered its automated account-suspension defenses. Affected users received emails about suspicious access requests and device-registration codes from foreign locations they did not initiate, prompting confusion about whether the messages were themselves phishing. Dashlane confirmed the suspensions were a built-in security response to credential-stuffing-style login attempts and said there is no evidence its systems were compromised. The company opened an investigation on May 31 at 15:19 UTC and marked it resolved by 22:30 UTC, with all affected accounts unsuspended. The episode shows account-lockout defenses working as designed, though the user-experience and phishing-confusion fallout is real.