Concerns Arise Over Dashlane’s Security Advisory
On May 31, 2026, password manager Dashlane issued a concerning security advisory revealing that attackers had accessed 20 encrypted user vaults. The advisory indicated that an external party executed a brute force attack aimed at breaching two-factor authentication (2FA) protections to register new devices on user accounts.
The Attack Explained
Dashlane stated, “Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts.” This attempt to circumvent 2FA safeguards raises questions about how users were notified. A user in the UK reported receiving a 2FA request and shared a screenshot of the notification they received, which arrived following the attack.
This user expressed frustration, noting, “Then I discovered this news from Mastodon infosec and not Dashlane themselves. As a paying customer, I think I should have known about this from Dashlane.” The apprehension among users is palpable, with many questioning the mechanics behind the attack. How can a user receive a 2FA notification if their password has not been compromised?
Understanding 2FA and Brute Force Attacks
2FA typically relies on time-sensitive codes, generated by apps or sent via text or email, to protect accounts. However, the codes, although changing every 30 to 45 seconds, were reportedly valid for three hours during this incident. This allows for a relatively narrow window in which attackers could operate.
Brute-forcing involves an attacker systematically submitting every possible combination of codes. With 1 million possible codes, a successful attack would in theory require a very large number of attempts within the short timeframe. Although such attacks are resource-intensive, they aren’t unheard of. The advisory hints that Dashlane had security measures in place, stating, “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” While this may indeed slow the rate of attack, the situation leaves room for doubt.
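As an added illustration (not taken from Dashlane's advisory or the original article), the sketch below models how a lockout threshold bounds the chance of guessing a 6-digit code. It assumes a 30-second code step and that every code issued during the reported three-hour validity period is accepted at once; the function names and lockout thresholds are hypothetical.

```python
import math

CODE_SPACE = 10**6  # 6-digit codes: the "1 million possible codes" in the text


def accepted_codes(validity_s: int, step_s: int = 30) -> int:
    """Codes the server accepts at once if each stays valid for validity_s.

    Assumption: a new code every step_s seconds, old ones honoured until expiry.
    """
    return max(1, validity_s // step_s)


def p_hit(attempts: int, accepted: int, space: int = CODE_SPACE) -> float:
    """Chance that at least one of `attempts` guesses matches an accepted code.

    Guesses are treated as independent because the accepted set keeps rotating.
    """
    return -math.expm1(attempts * math.log1p(-accepted / space))


def attempts_for(prob: float, accepted: int, space: int = CODE_SPACE) -> int:
    """Smallest number of guesses that reaches `prob` chance of a hit."""
    return math.ceil(math.log1p(-prob) / math.log1p(-accepted / space))


def expected_breaches(accounts: int, lockout_after: int, accepted: int) -> float:
    """Expected accounts breached when each locks after `lockout_after` failures."""
    return accounts * p_hit(lockout_after, accepted)


if __name__ == "__main__":
    strict = accepted_codes(30)          # only the current code is accepted
    loose = accepted_codes(3 * 3600)     # three-hour validity, as reported
    for label, acc in (("30 s validity", strict), ("3 h validity", loose)):
        print(f"{label}: {acc} accepted codes, "
              f"{attempts_for(0.5, acc):,} guesses for a 50% hit chance")
        for limit in (5, 10, 100):       # constructed lockout thresholds
            print(f"  lock after {limit:>3}: per-account risk {p_hit(limit, acc):.6f}, "
                  f"expected breaches per 100,000 targeted accounts "
                  f"{expected_breaches(100_000, limit, acc):.1f}")
```

Under these assumptions, the per-account risk at a fixed lockout threshold scales almost linearly with the number of codes accepted at once, so a long validity period matters as much as the threshold itself.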
What Comes Next?
In light of this incident, user trust in Dashlane may waver. Security experts underscore the importance of clear communication during potential breaches, asserting that users should be promptly informed about risks to personal data. The lack of immediate communication from Dashlane has undoubtedly led to confusion and concern among its customer base.
For users relying on Dashlane, it is crucial to stay vigilant. Regularly changing passwords, using strong, unique passwords, and keeping abreast of company advisories are practices that can help mitigate risk in the evolving landscape of cybersecurity threats.






