Dashlane Password Manager Reveals Hackers Stole Some Encrypted Vaults Using Brute-Force Attacks

Dashlane has revealed that unspecified bad actors attempted to gain access to user accounts and their password vaults at the end of May. The tech firm claims that accounts of certain users came under “high volume” of attacks, which led to an automatic security lockdown of accounts. The company says that an attempt was made to bypass the security protocols of the password manager, which would have allowed the attackers to register new devices against existing user accounts. However, the bad actors managed to steal encrypted password vaults of a few users.

Dashlane Says Stolen Vaults Remain Inaccessible Without Master Password

In a blog post, the password manager revealed that an “external party” launched a “brute force attack” against “certain” user accounts on May 31. The company says that the primary motive behind the cyberattack was to bypass the two-factor authentication (2FA) protections of user accounts, which would have allowed the hackers to register new devices against existing user accounts.

This would have given remote access to the Dashlane password vaults to the bad actors, eventually exposing their passwords and credentials. Since a password manager stores multiple passwords for users in one place, its breach can potentially lead to a security breach of other accounts, too. Dashlane says that because of the “high volume” of attempts, the password manager's security protocols “automatically locked accounts that were targeted by the attack”.

However, the “external party” managed to exfiltrate encrypted password vaults of less than 20 “personal plan users”. The attempts also led to Dashlane's team being “immediately alerted”, followed by the launch of an investigation into the attack, while also working to resolve the issue, the company claims. As a stopgap measure, the tech firm temporarily suspended accounts of various users.

Dashlane says that the access has since been restored. The company has also started notifying users whose accounts have been affected by the cyberattack. On top of this, the password manager claims that its password vault data will remain inaccessible to hackers without the “master password”.

It's worth noting that it also depends on the strength of the master password set by the user, as hackers can also attempt offline cracking. The company said, “Our vault encryption ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time.”

Further, Dashlane highlighted that there is no evidence that its internal systems have been impacted as a result of the cyberattack. As a remedial measure, the company has blocked traffic from the bad actors. The users who were unable to add new devices to accounts with 2FA can now do so. The password manager highlighted, “Our team has taken steps to mitigate the risk of future incidents and continue to harden our resiliency.”