Last updated: July 5, 2026 at 9:01 AM UTC
Tag: dashlane (2 articles)

Dashlane confirms attackers downloaded encrypted vaults of fewer than 20 users in brute-force campaign; Master Password still protects data

Dashlane has updated its brute-force-attack disclosure with a material escalation: attackers successfully downloaded a copy of the encrypted vaults belonging to fewer than 20 personal-plan users. The campaign aimed to break two-factor authentication and register new devices on existing accounts; the high volume of attempts triggered the temporary suspensions reported earlier. Dashlane says it directly notified each affected user and that anyone who did not receive a vault-risk message is unaffected. Crucially, vault data cannot be decrypted without the Master Password, so unless a password is trivial and predictable, cracking attempts are unlikely to succeed. Dashlane's internal systems were not compromised. Users should review registered devices and enable 2FA.

Check
If your team uses Dashlane, confirm whether anyone received a vault-risk notification. For notified users, treat the encrypted vault as exposed and rotate all stored credentials promptly.
Affected
Fewer than 20 Dashlane personal-plan users whose encrypted vaults were downloaded. Vaults are useless without the Master Password; weak or predictable Master Passwords are the residual risk.
Fix
Notified users: rotate every stored credential and change the Master Password to a long, unique one. All users: review registered devices, remove unknown ones, and enable 2FA.

Dashlane locks out users after external brute-force attack triggers automated account suspensions; no system compromise, accounts restored

Password manager Dashlane locked out multiple users after an external brute-force attack triggered its automated account-suspension defenses. Affected users received emails about suspicious access requests and device-registration codes from foreign locations they did not initiate, prompting confusion about whether the messages were themselves phishing. Dashlane confirmed the suspensions were a built-in security response to credential-stuffing-style login attempts and said there is no evidence its systems were compromised. The company opened an investigation on May 31 at 15:19 UTC and marked it resolved by 22:30 UTC, with all affected accounts unsuspended. The episode shows account-lockout defenses working as designed, though the user-experience and phishing-confusion fallout is real.

Check
If your team uses Dashlane and saw lockouts, confirm accounts are restored and that the device-registration emails were legitimate, not phishing. Verify no unauthorized devices were registered.
Affected
Dashlane users targeted by external credential-stuffing/brute-force. No Dashlane system compromise reported; risk is account-takeover attempts and phishing confusion from legitimate-but-unexpected security emails.
Fix
Enable the strongest available MFA on Dashlane. Use a unique high-entropy master password. Treat unexpected device-registration codes as suspicious and verify via Dashlane's status page, not email links.