5 June 2026 · 7 min read · By Sloane Meyer

Dashlane Encrypted Password Vaults Downloaded in Coordinated Attack

Dashlane encrypted password vaults were downloaded in a coordinated attack that affected fewer than 20 users, the company said Thursday.


Dashlane confirmed the incident Thursday. Unknown attackers downloaded encrypted password vaults after exploiting the company's device enrollment system in a coordinated campaign that began Sunday, but automated security defenses shut down the operation, limiting the compromise to fewer than 20 personal user vaults.

A Brute Force Campaign Unfolds

Attackers went after a specific weak point: how Dashlane handles new device registration. When a user installs the app on a new phone or computer, the company sends a one-time six-digit code to the registered email address. That code must be entered on the new device to prove ownership; only then does Dashlane ship over a copy of the encrypted vault, which stays locked until the user types in their master password.

They targeted the enrollment API, firing off a massive barrage of automated requests and cycling through possible six-digit token combinations across a vast number of accounts simultaneously. Dashlane's systems kicked in, triggering automatic lockouts as designed, but not before the attackers got lucky with a handful of targets.

The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints. In response, Dashlane's automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users' encrypted vaults.

How Spraying Tilts the Odds

For an attacker, the odds against a single account are terrible. With 1 million possible valid codes and a three-hour expiration window, brute forcing one target is essentially hopeless, and rate limiting would freeze the account long before any progress was made. But the economics shift dramatically once the attempts are spread thin across thousands of users.

Attack two accounts and the chance that any single attempt hits a valid code improves to 1 in 500,000; target 1,000 accounts and it becomes 1 in 1,000, because the math keeps improving as the pool grows. This technique, often called password spraying when applied to credentials, dodges rate limiting because no single account receives enough attempts to trigger a lockout. The attackers played a numbers game, and on fewer than 20 occasions the numbers lined up.
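As an added example (not from the article or from Dashlane), the spraying arithmetic above, placed next to a fleet-wide failed-code counter that catches what per-account lockouts alone miss. The 1,000,000-code space is the article's figure; the lockout threshold, alert baseline, account names and event log are constructed assumptions.

```python
"""Spraying arithmetic for a six-digit enrollment code, plus a fleet-wide
failure detector that per-account lockouts alone cannot provide.
Added example: the 1,000,000-code space is from the article; the lockout
threshold, alert baseline and the event log are constructed assumptions."""
from collections import Counter

CODE_SPACE = 10**6               # six-digit one-time code: 1,000,000 values
LOCKOUT_THRESHOLD = 5            # assumed: failed codes before an account locks
BASELINE_FAILS_PER_WINDOW = 500  # assumed: normal fleet-wide failures per window

def odds_one_in(accounts: int) -> float:
    """Odds that one round of guesses (a single guess per targeted account)
    hits a valid code, as '1 in N'. Two accounts -> 500,000; 1,000 -> 1,000."""
    return CODE_SPACE / accounts

def expected_compromises(accounts: int, guesses_per_account: int) -> float:
    """Expected number of accounts whose outstanding code is guessed when each
    receives `guesses_per_account` distinct guesses, all kept below lockout."""
    return accounts * min(guesses_per_account, CODE_SPACE) / CODE_SPACE

def per_account_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Per-account defence: accounts whose failed-code count reached `threshold`.
    `events` is an iterable of (account, succeeded) pairs from one time window."""
    fails = Counter(acct for acct, ok in events if not ok)
    return {acct for acct, n in fails.items() if n >= threshold}

def fleet_failure_alert(events, baseline=BASELINE_FAILS_PER_WINDOW) -> bool:
    """Aggregate defence: alert when failed codes across ALL accounts in the
    window exceed the baseline, even if no single account trips its lockout."""
    return sum(1 for _, ok in events if not ok) > baseline

# Constructed logs. Spray: 3,000 accounts x 4 wrong codes each (one below the
# lockout threshold). Single-target brute force: 50 wrong codes on one account.
SPRAY_EVENTS = [(f"user{i}@example.test", False) for i in range(3000) for _ in range(4)]
SPRAY_EVENTS += [("legit@example.test", True)] * 20   # ordinary successful enrollments
SINGLE_TARGET_EVENTS = [("victim@example.test", False)] * 50

if __name__ == "__main__":
    print("1 in", odds_one_in(1000), "per round across 1,000 accounts")
    print("expected hits, 100k accounts x 5 guesses:", expected_compromises(100_000, 5))
    print("spray: locked accounts =", len(per_account_lockouts(SPRAY_EVENTS)),
          "| fleet alert =", fleet_failure_alert(SPRAY_EVENTS))
    print("single target: locked =", per_account_lockouts(SINGLE_TARGET_EVENTS),
          "| fleet alert =", fleet_failure_alert(SINGLE_TARGET_EVENTS))
```

The spray trips zero per-account lockouts yet produces 12,000 failures in one window, which is exactly the signal an aggregate counter on the enrollment endpoint should alarm on.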

Under 20 Accounts Breached

Fewer than 20. That is the confirmed tally of Dashlane encrypted password vaults that ended up in unauthorized hands. The company has already reached out to every affected user directly; anyone who did not receive a notification was not caught in the net.

Twenty individuals were affected, but the panic that swept through user forums and social channels painted a far grimmer picture, because Dashlane's initial disclosure didn't include critical details about the attack mechanics, fueling speculation that the damage ran much deeper. The reality, while serious for those 20 individuals, represents an extraordinarily narrow slice of the user base.

The Master Password Firewall

Even with encrypted vaults downloaded, the attackers still face a monumental obstacle because every Dashlane encrypted password vault remains scrambled until the master password is entered, and that password never sits on Dashlane's servers so the company can't recover it for anyone. They're on their own.

Dashlane uses Argon2, an algorithm purpose-built to make password cracking excruciatingly slow and expensive: converting a plaintext master password into a cryptographic hash costs considerable time and computing resources. Even with specialized hardware or banks of GPUs, running through millions of guesses becomes a draining, costly affair, and a genuinely strong master password, long and randomly generated with high entropy, makes decryption a near impossibility.

The Human Weak Point

Not everyone uses such passwords. If a master password appears in the word lists traded among cracking communities, the odds of a break in rise. Still, Argon2 keeps the bar uncomfortably high even then. The process remains slow enough that success is unlikely, though no longer unthinkable.

Dashlane holds one clear advantage over certain competitors. No fields inside user vaults sit in plaintext. Website URLs, usernames, notes, everything stays encrypted. That means attackers cannot glean any useful information from the stolen Dashlane encrypted password vaults without first conquering the master password. When algorithms require strengthening to keep pace with advances in cracking hardware, Dashlane handles the upgrade automatically, no user action needed.

Ghosts of LastPass

The parallels to the 2022 LastPass breach are impossible to ignore. That incident also saw encrypted user vaults extracted by intruders. Over time, some of those vaults were decrypted. The success hinged on two failures: certain fields like website URLs remained unencrypted, giving attackers a roadmap of targets, and some vaults relied on outdated hashing algorithms that did not adequately intensify the password-to-hash conversion process.


Dashlane's architecture sidesteps both pitfalls. Nothing sits in the clear. Algorithm updates happen seamlessly in the background. That does not guarantee safety, but it does make the attacker's job exponentially harder than what LastPass adversaries faced.

What Happens Next

For the affected users, caution demands immediate action. Master passwords should be changed without delay. Every password stored inside those Dashlane encrypted password vaults needs rotation too, however slim the chance of decryption might be. The inconvenience is real, but the alternative is leaving a door cracked open, however slightly.

Unaffected users face no such burden. No password changes are necessary. No account resets are required. The automated defenses held the line. The company has since reinforced the targeted API endpoints, though specifics about those hardening measures remain sparse.

The takeaway cuts both ways. Dashlane encrypted password vaults proved resilient against a clever, well resourced attack, yet the breach still happened, and a tiny fraction of accounts fell through the cracks before the system fought back. So for a product built on absolute trust, even twenty's a number that stings.

Frequently Asked Questions

How did attackers manage to download Dashlane encrypted password vaults?

Attackers exploited Dashlane's device enrollment system by brute-forcing six-digit one-time codes sent to registered email addresses. They targeted the API endpoints for device registration with a massive barrage of automated requests, cycling through possible token combinations across many accounts simultaneously. This allowed them to generate valid tokens for fewer than 20 accounts before Dashlane's automated lockouts took effect.

How many Dashlane encrypted password vaults were actually compromised?

Fewer than 20 personal plan customers had their encrypted vaults downloaded by the attackers, as confirmed by Dashlane. The company has directly contacted every affected user, and anyone who did not receive a notification was not caught in the attack.

What makes decrypting the stolen Dashlane encrypted password vaults extremely difficult?

Every Dashlane vault remains scrambled until the master password is entered, and that password never sits on Dashlane's servers. Dashlane uses the Argon2 algorithm, which is purpose-built to make password cracking excruciatingly slow and expensive, especially when combined with a genuinely strong, high-entropy master password. Additionally, all fields inside the vault, including URLs and notes, are encrypted, giving attackers no useful information without first cracking the master password.

What immediate actions should affected users take according to the article?

Affected users should change their master passwords without delay and rotate every password stored inside their Dashlane encrypted password vaults, however slim the chance of decryption might be. Unaffected users do not need to change any passwords or perform any account resets, as the automated defenses held the line.

How does Dashlane's architecture differ from LastPass's in preventing vault decryption after a breach?

Dashlane encrypts all fields inside user vaults, including website URLs, usernames, and notes, leaving nothing in plaintext, whereas LastPass left some fields unencrypted that gave attackers a roadmap. Dashlane also uses the Argon2 hashing algorithm and automatically upgrades it to keep pace with cracking hardware, unlike LastPass which relied on outdated algorithms that did not adequately intensify the password-to-hash conversion.

Written by Sloane Meyer, Cybersecurity Editor

Sloane Meyer covers cybersecurity, privacy and the threats facing individuals and organisations online. She explains how attacks happen and what can be done to stay protected.
