Dashlane has updated its brute-force-attack disclosure with a material escalation: attackers successfully downloaded a copy of the encrypted vaults belonging to fewer than 20 personal-plan users. The campaign aimed to break two-factor authentication and register new devices on existing accounts; the high volume of attempts triggered the temporary suspensions reported earlier. Dashlane says it directly notified each affected user and that anyone who did not receive a vault-risk message is unaffected. Crucially, vault data cannot be decrypted without the Master Password, so unless a password is trivial and predictable, cracking attempts are unlikely to succeed. Dashlane's internal systems were not compromised. Users should review registered devices and enable 2FA.
Password manager Dashlane locked out multiple users after an external brute-force attack triggered its automated account-suspension defenses. Affected users received emails about suspicious access requests and device-registration codes from foreign locations they did not initiate, prompting confusion about whether the messages were themselves phishing. Dashlane confirmed the suspensions were a built-in security response to credential-stuffing-style login attempts and said there is no evidence its systems were compromised. The company opened an investigation on May 31 at 15:19 UTC and marked it resolved by 22:30 UTC, with all affected accounts unsuspended. The episode shows account-lockout defenses working as designed, though the user-experience and phishing-confusion fallout is real.
Microsoft has flipped its position on Edge keeping saved passwords decrypted in memory the moment the browser launches. After originally telling the researcher who reported it that the behavior was 'by design' and not a security issue, Microsoft now says future Edge builds will stop loading the password store into memory at startup. The fix is already live in the Canary channel and will reach Stable, Beta, Dev, and Extended Stable in build 148. The original disclosure came with a working tool that lets an administrator on a shared Windows machine dump other users' Edge passwords by reading process memory.