5 June 2026 · 6 min read · By Marcus Thorne

Dashlane Encrypted Vaults Downloaded by Attackers

Dashlane encrypted vaults were downloaded by threat actors exploiting API endpoints. The company has contacted the fewer than 20 affected users; others are safe.


Personal users were the ones hit. A coordinated campaign exploited the company's device enrollment system, allowing attackers to download encrypted vaults belonging to fewer than 20 personal users; the breach, which began Sunday, was shut down before the unknown threat actors could exfiltrate data from a wider pool, Dashlane disclosed Thursday.

An Unexpected Device Enrollment

The attack hinged on a routine process: when a Dashlane user installs the app on a new phone or computer, the service verifies their identity by sending a one-time six-digit token to the registered email address. If two-factor authentication is enabled, the code comes from an authenticator app instead. Entering that code on the new device triggers Dashlane to send an encrypted copy of the user’s password vault to the device. The vault contents remain scrambled and unreadable until the master password is entered.

Normally it's a fool's errand. With 1 million combinations for a single account's six-digit code and tokens expiring after three hours, rate limiting caps attempts and locks the account long before a meaningful fraction of the code space can be tried. But the attackers found a way to tilt the odds without triggering those safeguards.

Spraying for Success

It's a numbers game. The threat actors bombarded Dashlane's device-registration APIs with automated requests across a massive base of existing users. Instead of focusing on one account, they sent registration attempts and simultaneously entered a single one-time code guess against every targeted account. This 2FA spraying technique dilutes per-account rate limiting because the attempts against any one account stay below the lockout threshold. Testing one code against 1,000 accounts gives roughly a 1-in-1,000 chance of a hit somewhere, rather than 1-in-1,000,000 for a single account, and the larger the set of targeted email addresses, the better the odds that some combination aligns.
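The cross-account view a defender needs to catch this pattern, as an added example that is not Dashlane's code: a per-account limiter never fires when each account sees a single guess, so this script also counts distinct accounts failing per source and service-wide. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not Dashlane's): tune to normal enrollment volume.
PER_ACCOUNT_LIMIT = 5      # failed code entries on one account before lockout
SPRAY_SOURCE_LIMIT = 50    # distinct accounts one source may fail against per window
SPRAY_GLOBAL_LIMIT = 200   # distinct accounts failing service-wide per window
WINDOW = timedelta(minutes=10)

def parse(line):
    # Constructed log format: "<iso time> <source> <account> code=<6 digits> <ok|fail>"
    ts, src, acct, code, result = line.split()
    return datetime.fromisoformat(ts), src, acct, code.split("=", 1)[1], result

def _prune(events, now):
    # Keep events inside the sliding window ending at `now`.
    return [e for e in events if now - e[0] <= WINDOW]

def analyse(lines):
    """Return (locked accounts, sources flagged as spraying, global spray alert)."""
    per_account = defaultdict(list)   # account -> [(ts,)]
    per_source = defaultdict(list)    # source  -> [(ts, account)]
    global_fail = []                  # [(ts, account)] across all sources
    locked, spraying, global_alert = set(), set(), False
    for line in lines:
        ts, src, acct, _code, result = parse(line)
        if result != "fail":
            continue
        # Per-account rule: what a single-account brute force trips.
        per_account[acct] = _prune(per_account[acct], ts) + [(ts,)]
        if len(per_account[acct]) > PER_ACCOUNT_LIMIT:
            locked.add(acct)
        # Per-source rule: one guess per account never trips the rule above, but one source touching many accounts does.
        per_source[src] = _prune(per_source[src], ts) + [(ts, acct)]
        if len({a for _, a in per_source[src]}) >= SPRAY_SOURCE_LIMIT:
            spraying.add(src)
        # Global rule: catches a spray spread across many source addresses.
        global_fail = _prune(global_fail, ts) + [(ts, acct)]
        if len({a for _, a in global_fail}) >= SPRAY_GLOBAL_LIMIT:
            global_alert = True
    return locked, spraying, global_alert

BASE = datetime(2026, 6, 1, 3, 0, 0)
# Constructed sample: one source tries the single code 123456 against 60 accounts;
# a second source makes eight guesses against one account.
SPRAY_LOG = [f"{(BASE + timedelta(seconds=i)).isoformat()} 203.0.113.7 u{i:03d}@example.com code=123456 fail"
             for i in range(60)]
SINGLE_LOG = [f"{(BASE + timedelta(seconds=i)).isoformat()} 198.51.100.9 victim@example.com code={i:06d} fail"
              for i in range(8)]
```

Running `analyse(SPRAY_LOG + SINGLE_LOG)` locks only the single hammered account while flagging the spraying source, which the per-account rule alone would never have noticed.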

“The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints. In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.”

Fewer Than 20 Vaults Exposed

The assault was cunning. Dashlane's security systems eventually halted the operation, but not before the attackers managed to obtain encrypted vault data for a handful of personal users. The company said it has already contacted every affected individual, so anyone who has not received a direct notification is not at risk. That narrow window of success shows the effectiveness of the automated countermeasures.

The Argon2 Advantage

Getting a copy of a Dashlane encrypted vault is one thing. Reading its contents is another. Dashlane uses the Argon2 algorithm to transform a user's master password into a cryptographic hash; it is deliberately memory-hard and time-intensive, so each guess demands enormous computational effort even when attackers use high-end GPUs or specialized hardware. If the master password was long, randomly generated, and high in entropy, the probability of cracking it is vanishingly small.


Master passwords aren't always strong.

Market Context: According to Kaspersky, 48% of the world's passwords can be broken in under a minute in 2026.

If the master password appears in the word lists circulated among password crackers, the attack becomes more feasible, though even then success is unlikely under Argon2. Dashlane also encrypts every vault field, closing a gap that plagued the 2022 LastPass breach, where URLs were stored in plaintext.

No Unencrypted Fields

In the LastPass incident, attackers could read unencrypted metadata such as URLs without cracking the master password at all. Dashlane's architecture eliminates that exposure entirely: every piece of vault data remains encrypted at rest.

Automatic Upgrades, No User Friction

Dashlane periodically strengthens its hashing algorithms to stay ahead of cracking advances, and these upgrades happen automatically on the backend without any user intervention. LastPass, at the time of its breach, had an algorithm update process that came with more user friction, and some stolen vaults were protected by outdated algorithms that didn't adequately slow down cracking. That friction contributed to the eventual decryption of stolen LastPass vaults. Dashlane's approach removes that burden.

Initial Notice Sparked Confusion

Dashlane's first communication about the incident omitted critical details, leaving users uncertain about the real level of exposure. The follow-up posted Thursday clarified the scope and mechanics, but the gap underscored a recurring challenge for security companies, which must balance transparency with the risk of misinterpretation. Affected users should act, not speculate.

What to Do Now

  • If you are among the fewer than 20 personal users contacted by Dashlane, change your master password and the contents of all vault entries immediately. Assume that any piece of information stored in that vault could eventually become readable if the master password falls.
  • Make the new master password long, unique, and randomly generated. Use a memorable passphrase or a dedicated password generator. Avoid any word that might appear in cracking dictionaries.
  • If you have not received a notification from Dashlane, no action is required. Your vault was not accessed.

The attack, while limited in scope, is a real-world test of modern password-manager defenses. The combination of 2FA spraying and automated lockouts limited the damage to a tiny fraction of accounts. Yet the incident serves as a reminder that even encrypted vaults are not magical; they are only as strong as the master password that locks them, and every user who settles for a weak combination is gambling against well-resourced attackers who understand the economics of spraying.

Frequently Asked Questions

What vulnerability did attackers exploit to download Dashlane encrypted vaults?

The attack exploited Dashlane's device enrollment system. Attackers bombarded the device-registration APIs with automated requests across a massive base of existing users, using a 2FA spraying technique that diluted rate limiting by testing one code against many accounts simultaneously.

Why did the attackers succeed in obtaining vaults despite Dashlane's rate limiting?

The attackers used a 2FA spraying technique, sending registration attempts and simultaneously entering a single one-time code guess across many targeted accounts. This diluted rate limiting because the requests were spread thinly, giving a 1-in-1,000 chance of a hit across 1,000 accounts instead of 1-in-1,000,000 for a single account.

How does Dashlane's encryption protect the contents of downloaded vaults?

Dashlane uses the Argon2 algorithm to transform a user's master password into a cryptographic hash, which is memory-hard and time-intensive. Even if attackers have a copy of the encrypted vault, reading its contents requires the master password, and if that password is long, random, and high in entropy, the probability of cracking it is vanishingly small.

Who was affected by the Dashlane vault download incident and what action should they take?

Fewer than 20 personal plan customers were affected, and Dashlane has already contacted every affected individual. If you have not received a notification, your vault was not accessed; if you were contacted, change your master password and all vault entries immediately, making the new master password long, unique, and randomly generated.

When did Dashlane disclose the incident and what was the scope of the attack?

Dashlane disclosed the incident Thursday, stating that the breach began Sunday and was shut down before unknown threat actors could exfiltrate data from a wider pool. The attack allowed the downloading of encrypted vaults belonging to fewer than 20 personal users, with automated security systems triggering account lockouts but not before the attackers obtained valid tokens.

Written by Marcus Thorne, Senior AI Reporter

Marcus Thorne covers the fast-moving field of artificial intelligence, with a particular interest in large language models, automation and the companies driving the technology forward. He aims to cut through the hype and explain what these systems can and cannot do.
