Last updated: July 5, 2026 at 9:01 AM UTC
Tag: password-manager (3 articles)

Dashlane confirms attackers downloaded encrypted vaults of fewer than 20 users in brute-force campaign; Master Password still protects data

Dashlane has updated its brute-force-attack disclosure with a material escalation: attackers successfully downloaded a copy of the encrypted vaults belonging to fewer than 20 personal-plan users. The campaign aimed to break two-factor authentication and register new devices on existing accounts; the high volume of attempts triggered the temporary suspensions reported earlier. Dashlane says it directly notified each affected user and that anyone who did not receive a vault-risk message is unaffected. Crucially, vault data cannot be decrypted without the Master Password, so unless a password is trivial and predictable, cracking attempts are unlikely to succeed. Dashlane's internal systems were not compromised. Users should review registered devices and enable 2FA.

Check
If your team uses Dashlane, confirm whether anyone received a vault-risk notification. For notified users, treat the encrypted vault as exposed and rotate all stored credentials promptly.
Affected
Fewer than 20 Dashlane personal-plan users whose encrypted vaults were downloaded. Vaults are useless without the Master Password; weak or predictable Master Passwords are the residual risk.
Fix
Notified users: rotate every stored credential and change the Master Password to a long, unique one. All users: review registered devices, remove unknown ones, and enable 2FA.

Dashlane locks out users after external brute-force attack triggers automated account suspensions; no system compromise, accounts restored

Password manager Dashlane locked out multiple users after an external brute-force attack triggered its automated account-suspension defenses. Affected users received emails about suspicious access requests and device-registration codes from foreign locations they did not initiate, prompting confusion about whether the messages were themselves phishing. Dashlane confirmed the suspensions were a built-in security response to credential-stuffing-style login attempts and said there is no evidence its systems were compromised. The company opened an investigation on May 31 at 15:19 UTC and marked it resolved by 22:30 UTC, with all affected accounts unsuspended. The episode shows account-lockout defenses working as designed, though the user-experience and phishing-confusion fallout is real.

Check
If your team uses Dashlane and saw lockouts, confirm accounts are restored and that the device-registration emails were legitimate, not phishing. Verify no unauthorized devices were registered.
Affected
Dashlane users targeted by external credential-stuffing/brute-force. No Dashlane system compromise reported; risk is account-takeover attempts and phishing confusion from legitimate-but-unexpected security emails.
Fix
Enable the strongest available MFA on Dashlane. Use a unique high-entropy master password. Treat unexpected device-registration codes as suspicious and verify via Dashlane's status page, not email links.

Microsoft reverses course on Edge: saved passwords will no longer load into memory at startup

Microsoft has flipped its position on Edge keeping saved passwords decrypted in memory the moment the browser launches. After originally telling the researcher who reported it that the behavior was 'by design' and not a security issue, Microsoft now says future Edge builds will stop loading the password store into memory at startup. The fix is already live in the Canary channel and will reach Stable, Beta, Dev, and Extended Stable in build 148. The original disclosure came with a working tool that lets an administrator on a shared Windows machine dump other users' Edge passwords by reading process memory.

Check
Inventory Edge installs across your fleet. Check the current Edge version via edge://settings/help and flag anything below build 148.
Affected
Microsoft Edge versions before build 148 (Stable, Beta, Dev, Canary, Extended Stable) that store credentials via Edge's built-in password manager.
Fix
Update Edge to build 148 or newer when it ships. Until then, disable Edge's built-in password manager on sensitive endpoints and limit local admin rights on shared machines.